Will milter-greylist solve my directory harvest attacks?

dnsadmin 1bigthink.com dnsadmin at 1BIGTHINK.COM
Thu Dec 15 23:04:05 GMT 2005


At 05:19 PM 12/15/2005, you wrote:

      dnsadmin 1bigthink.com wrote:
      > Hello All,
      >
      > I've implemented as much restriction, as tolerable by my users, within
      > the MTA (sendmail) and still get some hammering directory harvest attacks.
      >
      > Will milter-greylist help?

      Somewhat, but you'll get hammered with a really large greylist database.

      Really to deal with dictionary attacks there's a few quick sendmail
      features you can use to help.

      The BAD_RCPT_THROTTLE option is probably the most effective here. Here's a
      quick sendmail.mc fragment for it:

      #after 15 invalid recipients, start slowing them down with
      #1 second sleeps
      define(`confBAD_RCPT_THROTTLE',15)


already have:
define(`confBAD_RCPT_THROTTLE', `2')

      You might also want to consider MAX_RCPTS_PER_MESSAGE, MAX_DAEMON_CHILDREN,
      and CONNECTION_RATE_THROTTLE.


I had not defined MAX_DAEMON_CHILDREN. I will set to 500.

already have:
define(`confMAX_RCPTS_PER_MESSAGE',19)
FEATURE(`greet_pause',10000)
define(`confCONNECTION_RATE_THROTTLE',8)
define(`confCONNECTION_RATE_WINDOW_SIZE',60s)

      I'd also strongly suggest making sure that PRIVACY_FLAGS has either goaway
      or novrfy,noexpn.


also:

define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,nobodyreturn,restrictqrun')


Please see inline above..

No POP without AUTH!

Thanks Matt! You made me revisit my M4. Good suggestions too, but mostly
implemented.

Are there any other suggestions? I still get too many directory harvest attacks.

I am also building a new DNS server to replace the one that is getting
hammered on a nightly basis.

TIA!
Glenn Parsons
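
Added example, not part of the original post: a log check that shows which relays are producing the bad recipients the BAD_RCPT_THROTTLE setting discussed above reacts to, summed per relay across sessions so a source that reconnects to stay under the per-session count still shows up. The log line shape (a "User unknown" line and a from=/relay= line sharing a queue id) and the function name harvest_suspects are assumptions; the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in the usual sendmail maillog shape (hosts, queue ids and
# addresses are made up). Rejected RCPTs and the relay line share a queue id.
SAMPLE_LOG = """\
Dec 15 23:01:02 mx sm-mta[4101]: jBFN12ab004101: <aaron@example.com>... User unknown
Dec 15 23:01:03 mx sm-mta[4101]: jBFN12ab004101: <abby@example.com>... User unknown
Dec 15 23:01:04 mx sm-mta[4101]: jBFN12ab004101: <adam@example.com>... User unknown
Dec 15 23:01:05 mx sm-mta[4101]: jBFN12ab004101: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Dec 15 23:02:10 mx sm-mta[4102]: jBFN22cd004102: <typo@example.com>... User unknown
Dec 15 23:02:11 mx sm-mta[4102]: jBFN22cd004102: from=<bob@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Dec 15 23:03:00 mx sm-mta[4103]: jBFN33ef004103: <alan@example.com>... User unknown
Dec 15 23:03:01 mx sm-mta[4103]: jBFN33ef004103: <alex@example.com>... User unknown
Dec 15 23:03:02 mx sm-mta[4103]: jBFN33ef004103: from=<y@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
"""

# Assumed line shape: "... sm-mta[pid]: <queue id>: <message>"
LINE = re.compile(r"\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY_IP = re.compile(r"relay=.*\[(?P<ip>[^\]]+)\]")

def harvest_suspects(log_text, threshold):
    """Return {relay_ip: unknown_rcpt_count} for relays at or above threshold."""
    bad_by_qid = Counter()   # queue id -> rejected recipients in that session
    ip_by_qid = {}           # queue id -> connecting relay address
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.endswith("User unknown"):
            bad_by_qid[qid] += 1
        elif rest.startswith("from="):
            r = RELAY_IP.search(rest)
            if r:
                ip_by_qid[qid] = r.group("ip")
    # Sum sessions per relay; sessions with no relay line are kept visible.
    per_ip = Counter()
    for qid, n in bad_by_qid.items():
        per_ip[ip_by_qid.get(qid, "unknown-relay")] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    print(harvest_suspects(SAMPLE_LOG, 2))
```

With the thread's two thresholds, 2 flags the relay that sent five unknown recipients over two sessions, while 15 flags nothing in this sample.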