[MAILSCANNER] directory attack - was: Reverse NDR attack...

Michael Janssen Janssen at RZ.UNI-FRANKFURT.DE
Wed Sep 21 10:40:41 IST 2005

On Wed, 21 Sep 2005, Venkata Achanta wrote:

> Now if I go the route of accepting e-mail for only valid users, how do I
> mitigate the risk of Directory Harvest attack on a setup like mine? Can you
> throw some light on it as well?

You can try to recognize the attacking hosts in the logs (a high percentage
of unknown-user requests against very few existing recipients) and block
those hosts for a while. This means having a cronjob script which
searches your maillogs for such hosts, a kind of database (flat file?) and
a means of blocking the hosts (at firewall level or MTA level) and
releasing the hosts from the block afterwards.

I'm not certain if directory attacks are worth the effort (from my
experience the dictionary attackers get 100% user-unknown,
almost any time) but having usable (usable by automated scripts searching
the logs for badly behaving hosts) ways to block hosts is always a good

For sendmail, http://www.milter.info was often suggested on this list, but I
don't know sendmail.
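
The log-scanning job described in the message above, as an added example that is not part of the original post or of MailScanner. The log line format, the thresholds and the function names are assumptions made for illustration; the regex has to be adapted to the real MTA's log lines, and the actual firewall or MTA block is left to the caller.

```python
import re
from collections import defaultdict

# Assumed, constructed log format; adapt this regex to your MTA's real log lines.
RCPT_RE = re.compile(r"rcpt host=(?P<host>\S+) to=<\S*> result=(?P<result>unknown-user|accepted)")

def _line(host, user, result):
    return f"Sep 21 10:00:00 mx smtpd: rcpt host={host} to=<{user}@example.org> result={result}"

# Constructed sample: one harvesting host, one normal sender with a single typo.
SAMPLE_LOG = (
    [_line("192.0.2.10", f"guess{i}", "unknown-user") for i in range(8)]
    + [_line("198.51.100.7", f"staff{i}", "accepted") for i in range(4)]
    + [_line("198.51.100.7", "stafff1", "unknown-user")]
)

def tally(lines):
    """Count unknown-user rejections and accepted recipients per client host."""
    counts = defaultdict(lambda: {"unknown": 0, "accepted": 0})
    for line in lines:
        m = RCPT_RE.search(line)
        if m:
            key = "unknown" if m["result"] == "unknown-user" else "accepted"
            counts[m["host"]][key] += 1
    return counts

def find_harvesters(lines, min_attempts=5, min_unknown_ratio=0.9):
    """Hosts with enough RCPT attempts, nearly all of them for unknown users."""
    offenders = []
    for host, c in tally(lines).items():
        total = c["unknown"] + c["accepted"]
        if total >= min_attempts and c["unknown"] / total >= min_unknown_ratio:
            offenders.append(host)
    return sorted(offenders)

def update_blocklist(blocklist, offenders, now, block_seconds=3600):
    """Return (new_blocklist, released): expire old entries, then add offenders.

    blocklist maps host -> expiry timestamp; it can be stored as a flat file.
    """
    released = sorted(h for h, until in blocklist.items() if until <= now)
    current = {h: until for h, until in blocklist.items() if until > now}
    for host in offenders:
        current[host] = now + block_seconds  # re-offending extends the block
    return current, released
```

Run from cron, the job would load the host-to-expiry mapping from its flat file, call `update_blocklist` with the output of `find_harvesters`, unblock the `released` hosts and block the new ones.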

