[MAILSCANNER] Reverse NDR attack. How to combat? Any ideas?

dnsadmin 1bigthink.com dnsadmin at 1BIGTHINK.COM
Wed Sep 21 21:35:54 IST 2005


At 02:24 PM 9/21/2005, you wrote:

>I block the heavy-hitter spam zombies at the firewall if need be.
>In my case, this is with an ipfilter rule (I use Solaris).  For modern
>sendmail, also look at the following for you .mc file:
>
>FEATURE(`greet_pause', `8000')dnl 8 seconds
>FEATURE(`conncontrol',`nodelay',`terminate')dnl
>FEATURE(`ratecontrol',`nodelay',`terminate')dnl
>define(`confCONNECTION_RATE_THROTTLE',4)dnl
>define(`confCONNECTION_RATE_WINDOW_SIZE',60s)dnl
>
>Jeff Earickson
>Colby College
>
>>>Venkata Achanta wrote:
>>> > Thanks Matt. Didn't make sense until it became a reality on my mail servers
>>> > this week. I agree with you 100%.
>>> >
>>> > Now if I go the route of accepting e-mail for only valid users, how do I
>>> > mitigate the risk of a Directory Harvest attack on a setup like mine? Can you
>>> > throw some light on it as well?
>>>What's your outside MTA? Sendmail?
>>>Try this sendmail.mc config option to deal with dictionary attacks:
>>>#after 10 invalid recipients, start slowing them down with
>>>#1 second sleeps, makes dictionary attacks very slow
>>>define(`confBAD_RCPT_THROTTLE',10)
>>
>>Does this work for the distributed attacks I'm seeing? I've been set at 
>>define(`confBAD_RCPT_THROTTLE',2).
>>
>>It appears that zombied PCs are being used by the attacker to smack my 
>>server with all kinds of attempts to deliver. They'll come from IPs from 
>>all over the globe including some predominant US ISPs.
>>
>>Any other suggestions?
>>
>>Thanks,
>>Glenn


I've only had one or two culprits hit me so hard that they earned a 
permanent place on my iptables ruleset.

I took the time to Google all the settings you recommended and implemented 
them all. I was surprised to find that I had not originally implemented the 
GreetPause feature, but had not seen, prior to my Google research, that you 
can and should at least except your localhost in the access database.

Thanks for your help! It'll be interesting to see the difference in my logs 
tomorrow!

Thanks!
Glenn
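Putting the settings from this thread together, here is an added sendmail.mc fragment (example only, not taken from any of the posts above); it assumes the default /etc/mail/access hash map, which the conncontrol and ratecontrol features need for their per-client limits and for the localhost exception mentioned above.

```m4
dnl Added example, not from the thread: sendmail.mc fragment combining the
dnl settings recommended above. Assumes the access database lives in the
dnl default /etc/mail/access (hash map).
FEATURE(`access_db')dnl
dnl Wait 8000 ms before sending the SMTP banner; a client that sends commands
dnl before the banner (typical of spam zombies) is rejected.
FEATURE(`greet_pause', `8000')dnl
dnl Per-client limits on simultaneous connections (ClientConn: tags) and on
dnl connections per window (ClientRate: tags), both read from the access map.
dnl `terminate' drops the session instead of only rejecting the command.
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl Global (per daemon, not per client) cap of 4 new connections per second;
dnl connections above that are delayed, not refused.
define(`confCONNECTION_RATE_THROTTLE', 4)dnl
dnl Window over which ClientRate: entries in the access map are counted.
define(`confCONNECTION_RATE_WINDOW_SIZE', 60s)dnl
dnl After 2 invalid recipients in one session, sleep before each further RCPT,
dnl which makes a directory-harvest run against valid-recipient checks very slow.
define(`confBAD_RCPT_THROTTLE', 2)dnl
```

The matching /etc/mail/access lines are `GreetPause:127.0.0.1 0`, `ClientConn:127.0.0.1 0` and `ClientRate:127.0.0.1 0` to exempt localhost, plus `ClientConn: 10` and `ClientRate: 10` (values chosen for this example) as the defaults for every other client; rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access` and regenerate sendmail.cf afterwards.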

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
