[MAILSCANNER] Reverse NDR attack. How to combat? Any ideas?

Jeff A. Earickson jaearick at COLBY.EDU
Wed Sep 21 19:24:51 IST 2005


I block the heavy-hitter spam zombies at the firewall if need be.
In my case, this is with an ipfilter rule (I use Solaris).  For modern
sendmail, also look at the following for your .mc file:

FEATURE(`greet_pause', `8000')dnl 8 seconds
FEATURE(`conncontrol',`nodelay',`terminate')dnl
FEATURE(`ratecontrol',`nodelay',`terminate')dnl
define(`confCONNECTION_RATE_THROTTLE',4)dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',60s)dnl

Jeff Earickson
Colby College

On Wed, 21 Sep 2005, dnsadmin 1bigthink.com wrote:

> Date: Wed, 21 Sep 2005 13:56:17 -0400
> From: dnsadmin 1bigthink.com <dnsadmin at 1BIGTHINK.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Reverse NDR attack. How to combat? Any ideas?
> 
> At 11:59 AM 9/21/2005, you wrote:
>
>> Venkata Achanta wrote:
>> > Thanks Matt. Didn't make sense until it became a reality on my mail servers
>> > this week. I agree with you 100%.
>> >
>> > Now if I go the route of accepting e-mail for only valid users, how do I
>> > mitigate the risk of a Directory Harvest attack on a setup like mine? Can
>> > you throw some light on it as well?
>> 
>> What's your outside MTA? Sendmail?
>> 
>> Try this sendmail.mc config option to deal with dictionary attacks:
>> 
>> #after 10 invalid recipients, start slowing them down with
>> #1 second sleeps, makes dictionary attacks very slow
>> 
>> define(`confBAD_RCPT_THROTTLE',10)
>
> Does this work for the distributed attacks I'm seeing? I've been set at 
> define(`confBAD_RCPT_THROTTLE',2).
>
> It appears that zombied PCs are being used by the attacker to smack my server 
> with all kinds of attempts to deliver. They'll come from IPs from all over 
> the globe including some predominant US ISPs.
>
> Any other suggestions?
>
> Thanks,
> Glenn 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

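As an added example that is not part of the thread, and not code from MailScanner or sendmail, here is a small Python script that works through the point Glenn raises against confBAD_RCPT_THROTTLE and the firewall approach Jeff describes. It parses sendmail "User unknown" rejections out of a maillog, counts distinct probed recipients per client IP across all of that client's connections, flags hosts that stay just under the per-connection throttle while still harvesting many names over repeated connections, and emits ipfilter block rules for the heavy hitters. The log lines are constructed for the example; the layout of the check_rcpt rejection line, the interface name hme0, the threshold values and the queue-id-equals-connection assumption are all mine, so adjust BAD_RCPT_RE and the interface to your own maillog and outside NIC.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not from the thread). The rejection lines follow
# sendmail's check_rcpt logging for unknown local users as assumed here; if your
# sendmail logs differently, adjust BAD_RCPT_RE below.
SAMPLE_MAILLOG = """\
Sep 21 19:01:02 mx sm-mta[2101]: j8LN12aa002101: ruleset=check_rcpt, arg1=<aaron@example.edu>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.edu>... User unknown
Sep 21 19:01:02 mx sm-mta[2101]: j8LN12aa002101: ruleset=check_rcpt, arg1=<abbey@example.edu>, relay=[192.0.2.10], reject=550 5.1.1 <abbey@example.edu>... User unknown
Sep 21 19:03:40 mx sm-mta[2144]: j8LN3eaa002144: ruleset=check_rcpt, arg1=<abel@example.edu>, relay=[192.0.2.10], reject=550 5.1.1 <abel@example.edu>... User unknown
Sep 21 19:03:40 mx sm-mta[2144]: j8LN3eaa002144: ruleset=check_rcpt, arg1=<adam@example.edu>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.edu>... User unknown
Sep 21 19:05:11 mx sm-mta[2190]: j8LN5Baa002190: ruleset=check_rcpt, arg1=<adele@example.edu>, relay=[192.0.2.10], reject=550 5.1.1 <adele@example.edu>... User unknown
Sep 21 19:05:11 mx sm-mta[2190]: j8LN5Baa002190: ruleset=check_rcpt, arg1=<adrian@example.edu>, relay=[192.0.2.10], reject=550 5.1.1 <adrian@example.edu>... User unknown
Sep 21 19:06:30 mx sm-mta[2203]: j8LN6Uaa002203: ruleset=check_rcpt, arg1=<bob@example.edu>, relay=dsl-7.isp.example [198.51.100.7], reject=550 5.1.1 <bob@example.edu>... User unknown
Sep 21 19:07:02 mx sm-mta[2211]: j8LN72aa002211: ruleset=check_rcpt, arg1=<carl@example.edu>, relay=[203.0.113.5], reject=550 5.1.1 <carl@example.edu>... User unknown
Sep 21 19:07:02 mx sm-mta[2211]: j8LN72aa002211: ruleset=check_rcpt, arg1=<cara@example.edu>, relay=[203.0.113.5], reject=550 5.1.1 <cara@example.edu>... User unknown
Sep 21 19:07:03 mx sm-mta[2211]: j8LN72aa002211: ruleset=check_rcpt, arg1=<cody@example.edu>, relay=[203.0.113.5], reject=550 5.1.1 <cody@example.edu>... User unknown
Sep 21 19:07:04 mx sm-mta[2211]: j8LN72aa002211: ruleset=check_rcpt, arg1=<cole@example.edu>, relay=[203.0.113.5], reject=550 5.1.1 <cole@example.edu>... User unknown
Sep 21 19:08:15 mx sm-mta[2230]: j8LN8Faa002230: from=<alice@example.org>, size=1532, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.200]
"""

# Queue id, rejected recipient and client IP of a "User unknown" rejection.
# The optional "hostname " before "[ip]" covers relays with a resolved name.
BAD_RCPT_RE = re.compile(
    r": (?P<qid>[A-Za-z0-9]+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, "
    r"relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\], reject=550 5\.1\.1 "
)


def parse_bad_rcpts(log_text):
    """Return (client_ip, queue_id, recipient) for every User unknown reject."""
    events = []
    for line in log_text.splitlines():
        m = BAD_RCPT_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("qid"), m.group("rcpt")))
    return events


def bad_rcpts_per_ip(events):
    """Distinct unknown recipients probed per client IP across all its connections."""
    seen = defaultdict(set)
    for ip, _qid, rcpt in events:
        seen[ip].add(rcpt)
    return {ip: len(r) for ip, r in seen.items()}


def max_bad_rcpts_per_connection(events):
    """Largest number of bad RCPTs any single connection from each IP issued.

    The queue id is taken as a stand-in for one SMTP connection (assumption).
    confBAD_RCPT_THROTTLE only starts sleeping once a connection has passed the
    configured count, so a host that sends that many bad RCPTs per connection
    and then reconnects is never slowed, however many names it probes in total.
    """
    per_conn = defaultdict(int)
    for ip, qid, _rcpt in events:
        per_conn[(ip, qid)] += 1
    worst = defaultdict(int)
    for (ip, _qid), n in per_conn.items():
        worst[ip] = max(worst[ip], n)
    return dict(worst)


def throttle_evaders(events, throttle):
    """IPs that probe more than `throttle` names yet never exceed it per connection."""
    totals = bad_rcpts_per_ip(events)
    worst = max_bad_rcpts_per_connection(events)
    return sorted(ip for ip in totals if worst[ip] <= throttle and totals[ip] > throttle)


def ipf_block_rules(events, threshold, iface="hme0"):
    """ipfilter rules blocking SMTP from hosts that probed >= threshold unknown names.

    The interface name is an assumption; use the name of your outside NIC.
    Heaviest offenders come first.
    """
    totals = bad_rcpts_per_ip(events)
    return [
        f"block in quick on {iface} proto tcp from {ip}/32 to any port = 25"
        for ip, n in sorted(totals.items(), key=lambda kv: -kv[1])
        if n >= threshold
    ]


if __name__ == "__main__":
    evts = parse_bad_rcpts(SAMPLE_MAILLOG)
    print("bad RCPTs per IP:", bad_rcpts_per_ip(evts))
    print("stay under a throttle of 2 per connection:", throttle_evaders(evts, 2))
    for rule in ipf_block_rules(evts, threshold=3):
        print(rule)
```

Run against the sample, 192.0.2.10 probes six names but never more than two per connection, so a confBAD_RCPT_THROTTLE of 2 never sleeps on it; only the per-IP total across connections exposes it, which is what the generated ipf rule acts on. On a live system feed the script the real maillog and pick a threshold well above what a legitimate sender mistyping an address would reach.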