A bit OT: Cut off address probes?

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Tue Aug 5 16:14:12 IST 2003


>-----Original Message-----
>From: Ken Anderson [mailto:ka at PACIFIC.NET]
>Sent: Monday, August 04, 2003 6:23 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: A bit OT: Cut off address probes?
>
>See
>http://www.sendmail.org/m4/tweaking_config.html#confBAD_RCPT_THROTTLE

Well, that's close I guess but I'd rather use a longer delay and I'd also
rather not keep connections open all that long.  Am I wrong in my estimation
that it would not adversely affect legitimate mail to just issue a tcp rst
and close the connection?  Ideally I'd like to close the connection and then
reject future connections from such a server for a while (an hour or more).

That would also go a long way towards limiting the effectiveness of using
many compromised hosts to do these dictionary attacks.  At present using a
distributed set of hosts for such checking is a means of speeding up the
probe, since the target system can't afford to up its delay significantly if
it means keeping open too many connections.  By cutting off the connection
and rejecting traffic from the sender entirely for a while, the speed of the
probe could be slowed without leaving open connections to the local
sendmail.

I'm probably thinking too far out though - I'll start here and see if I
actually run into problems.

>Use access db with blacklist recipients.
>See:
>http://www.sendmail.org/m4/features.html#blacklist_recipients

>Ken

It hadn't clicked yet that I could block a domain and still allow individual
addresses within the domain. :-)  Thanks.

Anyone reading this ever written a milter?  I'm thinking this would be
pretty straightforward, wondering whether it's worth trying.  I would think
a milter that just lets you run an arbitrary external command after the bad
rcpt threshold has been exceeded would be enough.  The command could write
the sender's IP address to a file that was checked periodically by a cronjob
that takes care of blocking the address in iptables for an hour.

Would there be problems with such an approach?

-t.
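
The cron side of the scheme sketched above, as an added example that is not code from the original post, from MailScanner or from sendmail. It assumes a hypothetical milter (or the external command it runs) appends one line per event, "epoch-seconds client-ip", to /var/spool/badrcpt/probes; the script moves each new address into a dedicated iptables chain named BADRCPT, remembers when it did so, and deletes the rule after BLOCK_SECS (one hour). The paths, the chain name, the line format and the use of DROP rather than a TCP reset are all assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# badrcpt-block.sh: block probing SMTP clients in iptables for one hour.
# Added example; the probe-file format and all paths below are assumed.

PROBE_LOG=${PROBE_LOG:-/var/spool/badrcpt/probes}   # written by the milter: "epoch ip"
STATE=${STATE:-/var/spool/badrcpt/blocked}          # kept by this script: "ip epoch-blocked"
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-BADRCPT}
BLOCK_SECS=${BLOCK_SECS:-3600}

# Run once at boot: a separate chain, hooked only into inbound SMTP, so a
# false positive can never cut a host off from anything but port 25.
# (-C needs a modern iptables; on old versions just -N and -I unconditionally.)
setup_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -p tcp --dport 25 -j "$CHAIN" 2>/dev/null ||
        "$IPTABLES" -I INPUT -p tcp --dport 25 -j "$CHAIN"
}

# Shape check only (dotted quad of digits). Its real job is to make sure a
# corrupt or hostile line in the probe file can never become an extra
# iptables argument; iptables itself rejects out-of-range octets.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True when $1 already has an entry in the state file (exact field match,
# so 10.1.2.3 does not match 10.1.2.33).
is_blocked() {
    awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$STATE"
}

# Insert a DROP rule for every new address the milter reported. $1 is the
# current epoch time (a parameter so it can be driven deterministically).
process_probes() {
    now=$1
    [ -f "$PROBE_LOG" ] || return 0
    work="$PROBE_LOG.work"
    # Rename before reading: the milter's next append creates a fresh file,
    # so nothing written while we work is lost to a later truncate.
    mv "$PROBE_LOG" "$work"
    touch "$STATE"
    while read -r ts ip; do
        valid_ip "$ip" || continue
        is_blocked "$ip" && continue
        # Only record the block if the rule really went in.
        "$IPTABLES" -I "$CHAIN" -s "$ip" -j DROP && echo "$ip $now" >> "$STATE"
    done < "$work"
    rm -f "$work"
}

# Remove rules older than BLOCK_SECS and rewrite the state file without them.
# A failed -D (rule already gone) still drops the entry, so it cannot wedge.
expire_blocks() {
    now=$1
    [ -f "$STATE" ] || return 0
    keep="$STATE.tmp"
    : > "$keep"
    while read -r ip since; do
        if [ $((now - since)) -ge "$BLOCK_SECS" ]; then
            "$IPTABLES" -D "$CHAIN" -s "$ip" -j DROP
        else
            echo "$ip $since" >> "$keep"
        fi
    done < "$STATE"
    mv "$keep" "$STATE"
}

# From cron, e.g.:  */5 * * * * /usr/local/sbin/badrcpt-block.sh run
case "${1:-}" in
    run) now=$(date +%s); process_probes "$now"; expire_blocks "$now" ;;
esac
```

Two things worth keeping in mind if you build on this: the block length is measured from when this script ran, not from the milter's own timestamp, so the cron interval adds up to one period to every block; and because iptables argument strings are built from a file another process writes, the validation in valid_ip is the one line you should not drop.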
