[MAILSCANNER] Reverse NDR attack. How to combat? Any ideas?

dnsadmin 1bigthink.com dnsadmin at 1BIGTHINK.COM
Wed Sep 21 18:56:17 IST 2005


At 11:59 AM 9/21/2005, you wrote:

>Venkata Achanta wrote:
> > Thanks Matt. Didn't make sense until it became a reality on my mail servers
> > this week. I agree with you 100%.
> >
> > Now if I go the route of accepting e-mail for only valid users, how do I
> > mitigate the risk of a Directory Harvest attack on a setup like mine? Can you
> > throw some light on it as well?
>
>What's your outside MTA? Sendmail?
>
>Try this sendmail.mc config option to deal with dictionary attacks:
>
>#after 10 invalid recipients, start slowing them down with
>#1 second sleeps, makes dictionary attacks very slow
>
>define(`confBAD_RCPT_THROTTLE',10)

Does this work for the distributed attacks I'm seeing? I've been set at 
define(`confBAD_RCPT_THROTTLE',2).

It appears that zombied PCs are being used by the attacker to smack my 
server with all kinds of attempts to deliver. They'll come from IPs from 
all over the globe including some predominant US ISPs.

Any other suggestions?

Thanks,
Glenn 
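
Added example (not part of the original message, and not MailScanner or sendmail code): `confBAD_RCPT_THROTTLE` counts rejected recipients within a single SMTP transaction, so this sketch compares per-transaction counts in the mail log with the site-wide total to show what the throttle does and does not see. The log layout, queue IDs, addresses and the `summarize` helper are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample data (not from the post): one transaction per source,
# one invalid recipient each. IPs are documentation ranges, names are made up.
_ATTEMPTS = [
    ("j8LB01aa000101", "192.0.2.10", "alice"),
    ("j8LB01ab000102", "198.51.100.7", "bob"),
    ("j8LB02ac000103", "203.0.113.45", "carol"),
    ("j8LB02ad000104", "192.0.2.99", "dave"),
    ("j8LB03ae000105", "198.51.100.200", "erin"),
    ("j8LB03af000106", "203.0.113.8", "frank"),
]
# Assumed sendmail syslog layout; adjust the regexes to your own maillog.
SAMPLE_LOG = "".join(
    f"Sep 21 11:00:0{i} mx sendmail[{100 + i}]: {qid}: <{user}@example.com>... User unknown\n"
    f"Sep 21 11:00:0{i} mx sendmail[{100 + i}]: {qid}: from=<>, size=0, class=0, "
    f"nrcpts=0, proto=SMTP, daemon=MTA, relay=[{ip}]\n"
    for i, (qid, ip, user) in enumerate(_ATTEMPTS)
)

UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (\w+): <[^>]*>\.\.\. User unknown")
RELAY_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=.*relay=.*\[([0-9a-fA-F.:]+)\]")


def summarize(log_text, throttle):
    """Compare per-transaction bad-recipient counts with the site-wide total."""
    bad_per_txn = Counter()   # queue ID -> rejected RCPTs in that transaction
    relay_of = {}             # queue ID -> client IP
    for line in log_text.splitlines():
        if m := UNKNOWN_RE.search(line):
            bad_per_txn[m.group(1)] += 1
        elif m := RELAY_RE.search(line):
            relay_of[m.group(1)] = m.group(2)
    sources = {relay_of.get(qid, "unknown") for qid in bad_per_txn}
    return {
        "total_bad_rcpts": sum(bad_per_txn.values()),
        "distinct_sources": len(sources),
        "max_bad_in_one_txn": max(bad_per_txn.values(), default=0),
        # Transactions that reached the confBAD_RCPT_THROTTLE count.
        "txns_reaching_throttle": sum(n >= throttle for n in bad_per_txn.values()),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, throttle=2))
```

A high `total_bad_rcpts` with many `distinct_sources` and no transaction reaching the throttle is the signature of a distributed harvest that a per-transaction limit will not slow.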
