Re: [exim] Dealing with dictionary attacks

Author: Michael F. Sprague
Date:  
To: exim-users
Subject: Re: [exim] Dealing with dictionary attacks
Jonathan Vanasco <jvanasco@???> wrote:
>
> We get about 3 dictionary attacks on our servers each day. It's really
> annoying.
>
> I'm trying to come up with a way to combat them -- can anyone drop me
> some pointers they use, or help me flesh out the following idea:
>
> Here's my proposed idea
> ----
> under acl_check_rcpt:
>     if a "rejected RCPT $ADDRESS: Unrouteable address" error is tripped,
> we log the timestamp/datetime in two dbs -- once with the senderIP,
> another with the senderAddress
>
> under acl_check_connect:
>     we query the 2 dbs to see if there were 10 or more entries for the
>     ip or sender address within the last 3 minutes
>
> this assumes that a dictionary attack will have 10+ guesses in 3
> minutes. usually, they seem to work in 1,3,8 second intervals against
> our servers
>
> the senderaddress blocking might be too much, in case it's spoofed.
> maybe it would be either IP or sender_address + ip, as our spammers
> tend to not cycle the sender address
>
> comments? suggestions on how to pull it off?


Have you tried using stalling tactics (delay) and/or dropping the connection
if there are many failed recipients? These tactics work but unless you grab
and add the sending host's IP address to a blacklist, they'll just come back
and try again. :)

thanks,
M

-- 
Michael Sprague  | mfs@???
Partner          | System and Network Engineering (SaNE), LLC
use STD::disclaimer;
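The quoted proposal (count unrouteable RCPTs per sending IP, refuse at connect time once 10 pile up within 3 minutes) and the reply's stall-and-drop suggestion, written as an added Exim 4 ACL example that is not part of the original thread. The ACL names, `+local_domains`, the thresholds and the Exim version (4.68 or later, for the `readonly` ratelimit option) are assumptions; the main configuration is assumed to wire these ACLs up via `acl_smtp_connect` and `acl_smtp_rcpt`.

```exim
# Added example, not from the thread: the same idea using Exim's built-in
# ratelimit condition, so no hand-rolled databases are needed. Thresholds
# (10 failed RCPTs per 3 minutes, drop after 5 in one session) are assumed
# values to tune locally. Caveat: ratelimit tracks a smoothed, decaying
# average rate, not an exact "10 in the last 3 minutes" window as proposed.

acl_check_connect:
  # Refuse the connection if this IP is already over the failed-RCPT rate.
  # readonly: consult the counter maintained in acl_check_rcpt, do not update it.
  drop
    ratelimit   = 10 / 3m / per_rcpt / readonly / $sender_host_address
    log_message = rejecting connect: $sender_rate bad RCPTs per $sender_rate_period
    message     = Too many unknown recipients recently, try again later

  accept

acl_check_rcpt:
  # Recipients that route are accepted normally and never touch the counter.
  accept
    domains = +local_domains
    verify  = recipient

  # Everything below is an unrouteable local-domain recipient. Count it against
  # the sending IP (strict: keep counting even once over the limit). warn only
  # logs when its condition is true, i.e. once the limit has been exceeded.
  warn
    domains     = +local_domains
    ratelimit   = 10 / 3m / per_rcpt / strict / $sender_host_address
    log_message = $sender_host_address over limit: $sender_rate bad RCPTs per $sender_rate_period

  # The reply's suggestion: after several failed recipients in this message,
  # stall the client and drop the connection. $rcpt_fail_count is the number of
  # recipients already rejected for this message, not counting the current one.
  drop
    domains   = +local_domains
    condition = ${if >={$rcpt_fail_count}{4}}
    delay     = 10s
    message   = Too many unknown recipients, closing connection

  # Otherwise reject just this recipient, with a short stall as a mild deterrent.
  deny
    domains = +local_domains
    delay   = 2s
    message = Unrouteable address

  # Non-local domains: the site's relay policy belongs here (not part of this example).
  deny
    message = Relay not permitted
```

Because the connect-time check is `readonly`, legitimate mail from a host never raises its counter; only rejected local-domain recipients do, which avoids penalising a busy but well-behaved relay.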