Re: [exim] DOS attack. What to do?

Author: David Saez Padros
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] DOS attack. What to do?
Hi !!

>> from my experience in similar situations what helped in
>> having situation under control was examining the logs to
>> find common patterns (helo, sender addresses, recipients,
>> etc ...) and then build new acl rules to reject that attempts
>> as fast as possible, if possible avoiding dns and/or database
>> lookups and callouts.
>
> DNS for sure, and RBL sometimes, are faster than you might think.


not fast enough to survive a massive virus attack, at least
not in my case, but that's just my experience and it does not
mean that it must be good in all situations.

>> with "deny local_parts = fred:mary:.." without having to
>> do a "verify = recipient" (which will take more cpu)
>
> Surely you jest?


yes.

> Putting multi-brazillons of dictionary-created non-existent local parts into
> *any of* an acl (hard-wired) or as a lookup of a local flat file, db/cdb file,
> or SQL RDBMS is simply not on, admin-wise and gets slower as it grows.


stop. I'm talking about commonly used names, not random names.
If you get thousands of emails for mary@yourdomain and you don't have
such an address, "deny local_parts = mary" is very much faster than
"verify = recipient"; that's why the first thing that I said is that
one should examine logs and find common patterns.

On the other hand, such randomly generated addresses could be
caught by a regex just testing for many consecutive consonants (just one
more than the maximum number of consecutive consonants in the user
name with the most consecutive consonants); that will catch a lot of them.

--
Best regards ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------
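The two ideas in the reply above (tally the most-hit non-existent local parts in the reject log, and derive a consecutive-consonant threshold from the legitimate user list) as an added worked example. This is not code from the thread or from the Exim project; the log lines and the user list are constructed, the "rejected RCPT <...>" line shape is an assumption about how the main log looks, and the generated PCRE string is only a candidate for a `^`-prefixed item in an Exim `local_parts` list that you would still test against your own configuration.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (not real data), in the shape
# Exim writes when an RCPT command is rejected by the ACL.
SAMPLE_LOG = """\
2006-03-01 10:00:01 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <mary@example.com>: Unrouteable address
2006-03-01 10:00:02 H=(pc1) [192.0.2.10] F=<b@example.net> rejected RCPT <fred@example.com>: Unrouteable address
2006-03-01 10:00:03 H=(pc2) [192.0.2.11] F=<c@example.net> rejected RCPT <mary@example.com>: Unrouteable address
2006-03-01 10:00:04 H=(pc2) [192.0.2.11] F=<d@example.net> rejected RCPT <xkqvtrz@example.com>: Unrouteable address
2006-03-01 10:00:05 H=(pc3) [192.0.2.12] F=<e@example.net> rejected RCPT <mary@example.com>: Unrouteable address
2006-03-01 10:00:06 H=(pc3) [192.0.2.12] F=<f@example.net> rejected RCPT <bmpfdsl@example.com>: Unrouteable address
2006-03-01 10:00:07 H=(pc3) [192.0.2.12] F=<g@example.net> rejected RCPT <fred@example.com>: Unrouteable address
"""

# Constructed list of local parts that really exist on the server.
VALID_USERS = ["mary", "fred", "christopher", "vayreda"]

# Extract the local part of the recipient in a "rejected RCPT <lp@dom>" line.
REJECT_RE = re.compile(r"rejected RCPT <([^@>]+)@[^>]+>")


def rejected_local_parts(log_text):
    """Count how often each local part shows up in rejected RCPT lines."""
    return Counter(m.group(1).lower() for m in REJECT_RE.finditer(log_text))


def top_local_parts(log_text, n=5):
    """The n most frequently rejected local parts, candidates for a cheap
    'deny local_parts = ...' rule ahead of any verify = recipient."""
    return rejected_local_parts(log_text).most_common(n)


CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 'y' counted as a consonant


def max_consonant_run(name):
    """Longest run of consecutive consonants in a name (case-insensitive)."""
    runs = re.findall(r"[%s]+" % CONSONANTS, name.lower())
    return max((len(r) for r in runs), default=0)


def consonant_threshold(valid_users):
    """One more than the longest consonant run among legitimate local parts,
    so no real user can match the pattern."""
    return max(max_consonant_run(u) for u in valid_users) + 1


def consonant_pattern(threshold):
    """PCRE pattern (both letter cases in the class, so no inline flag is
    needed) matching any local part with >= threshold consecutive consonants.
    The leading ^ is what makes it usable as a regex item in an Exim list."""
    klass = CONSONANTS + CONSONANTS.upper()
    return r"^.*[%s]{%d,}" % (klass, threshold)


def is_suspect(local_part, threshold):
    """True if the local part would be caught by the consonant-run pattern."""
    return re.match(consonant_pattern(threshold), local_part) is not None


def triage(log_text, valid_users):
    """Split rejected local parts into 'common' names worth a literal deny
    and 'random' ones the consonant regex would already catch."""
    threshold = consonant_threshold(valid_users)
    counts = rejected_local_parts(log_text)
    random_hits = sorted(lp for lp in counts if is_suspect(lp, threshold))
    common = [(lp, c) for lp, c in counts.most_common() if lp not in random_hits]
    return {"threshold": threshold, "random": random_hits, "common": common}


if __name__ == "__main__":
    t = consonant_threshold(VALID_USERS)
    print("consonant threshold:", t)
    print("candidate list item:", consonant_pattern(t))
    for lp, c in top_local_parts(SAMPLE_LOG):
        print("%5d  %s" % (c, lp))
    print(triage(SAMPLE_LOG, VALID_USERS))
```

Run it over a real main log instead of SAMPLE_LOG to get the "common" names the reply suggests hard-coding, and check that no entry of your own password or alias file matches the printed pattern before putting it in an ACL; the threshold only protects the users you listed.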