Jonathan Vanasco <jvanasco@???> wrote:
>
> We get about 3 dictionary attacks on our servers each day. It's really
> annoying.
>
> I'm trying to come up with a way to combat them -- can anyone drop me
> some pointers they use, or help me flesh out the following idea:
>
> Here's my proposed idea
> ----
> under acl_check_rcpt:
> if a "rejected RCPT $ADDRESS: Unrouteable address" error is tripped,
> we log the timestamp/datetime in two dbs -- once with the senderIP,
> another with the senderAddress
>
> under acl_check_connect:
> we query the 2 dbs to see if there were 10 or more entries for the
> ip or sender address within the last 3 minutes
>
> this assumes that a dictionary attack will have 10+ guesses in 3
> minutes. usually, they seem to work in 1,3,8 second intervals against
> our servers
>
> the sender address blocking might be too much, in case it's spoofed.
> maybe it would be either IP or sender_address + ip, as our spammers
> tend to not cycle the sender address
>
> comments? suggestions on how to pull it off?
Have you tried using stalling tactics (delay) and/or dropping the connection
if there are many failed recipients? These tactics work but unless you grab
and add the sending host's IP address to a blacklist, they'll just come back
and try again. :)
thanks,
M
--
Michael Sprague | mfs@???
Partner | System and Network Engineering (SaNE), LLC
use STD::disclaimer;
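The sliding-window check Jonathan sketches (failed RCPTs logged per sender IP and per sender address, then checked for 10 or more hits within the last 3 minutes), as an added Python example written for this thread rather than code from the thread or from Exim; the class and method names and the injectable clock are assumptions, and a deployment would feed it from acl_check_rcpt and query it from acl_check_connect and at MAIL FROM.

```python
# Added example: sliding-window tracker for failed RCPTs, per IP and per sender (10 hits in 3 min)
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3 * 60   # "within the last 3 minutes"
THRESHOLD = 10            # "10 or more entries"

class RcptFailureTracker:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD, clock=time.time):
        self.window, self.threshold, self.clock = window, threshold, clock  # clock injectable for tests
        # the two "dbs" of the proposal: failed-RCPT timestamps per IP and per sender
        self.by_ip = defaultdict(deque)
        self.by_sender = defaultdict(deque)

    def _prune(self, q, now):
        while q and q[0] < now - self.window:   # drop entries outside the window
            q.popleft()

    def record_unrouteable(self, ip, sender):
        # call from acl_check_rcpt whenever recipient verification fails
        now = self.clock()
        for store, key in ((self.by_ip, ip), (self.by_sender, sender)):
            store[key].append(now)
            self._prune(store[key], now)

    def _hits(self, store, key):
        q = store.get(key)
        if not q:
            return 0
        self._prune(q, self.clock())
        return len(q)

    def connect_check(self, ip):
        # acl_check_connect only knows the peer IP
        return self._hits(self.by_ip, ip) >= self.threshold

    def mail_from_check(self, ip, sender):
        # at MAIL FROM the sender address is known too; gating on the bare
        # sender is the spoofing risk the original post points out
        return (self._hits(self.by_ip, ip) >= self.threshold
                or self._hits(self.by_sender, sender) >= self.threshold)

    def sweep(self):
        # forget keys whose window has emptied, so a long-running daemon does not grow without bound
        now = self.clock()
        for store in (self.by_ip, self.by_sender):
            for key in list(store):
                self._prune(store[key], now)
                if not store[key]:
                    del store[key]
```

Run sweep() from a timer; without it, every IP that ever failed a RCPT keeps a (possibly empty) entry for the life of the process.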