Dictionary Attacks
René Berber
r.berber at computer.org
Tue Oct 24 20:15:56 IST 2006
Alex Neuman wrote:
> You may want to use iptables (or whatever your firewall uses) to
> rate-limit incoming connections.
Or use the connection control options of sendmail.
> Although you are probably under attack by a spam zombie army, I'm sure
> some of those connections must be coming from repeated IPs. Set it so
> that no more than, say, 4 connections in the last 60 seconds can come in
> to your smtp port from the same ip address. Legit servers will probably
> not be affected, but spam zombies will have a hard time getting to you.
>
> something like:
>
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Something very close to this is what connection control does
(ConnectionRateThrottle). Plus you have BadRcptThrottle, which is an additional
brake; also you should use greet_pause. There are a few more measures, like
milter-error (which will count those graylist responses as errors and blacklist
them for a while if they insist) and feature local_sender_check (from
http://ultra.ap.krakow.pl/~raj/sendmail/english.html), which will reject
non-existent users pretending to be from your own domain.
> for example...
[snip]
--
René Berber
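[Editor's note: the sendmail.mc fragment below is an added illustration of the sendmail-side measures named in the reply above (ConnectionRateThrottle, BadRcptThrottle, greet_pause and the per-client connection/rate controls); it is not from the original thread, and every numeric limit in it is an assumed example value.]

```m4
dnl Added example sendmail.mc fragment; all limits below are assumed values.
dnl Put the access map first so the per-client rules below can consult it.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl

dnl Global brake: at most 4 new connections per ConnectionRateWindowSize
dnl (default 60 s) for the whole daemon; extra connections are held back.
define(`confCONNECTION_RATE_THROTTLE', `4')dnl

dnl Dictionary-attack brake: once 3 RCPT TO commands in one session have been
dnl rejected, sendmail sleeps 1 s before answering each further RCPT in it.
define(`confBAD_RCPT_THROTTLE', `3')dnl

dnl Wait 5000 ms before sending the 220 banner; a client that starts sending
dnl commands before the greeting ("slamming") is rejected. Real MTAs wait.
FEATURE(`greet_pause', `5000')dnl

dnl Per-client limits, taken from ClientRate:/ClientConn: entries in the access
dnl map. `nodelay' means FEATURE(`delay_checks') is not required;
dnl `terminate' ends check_relay as soon as a limit rule rejects the client.
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
```

The matching /etc/mail/access entries (assumed values) are `ClientRate: 4` and `ClientConn: 5` as per-IP defaults, `ClientRate:192.0.2 20` to give a trusted relay more headroom, and `GreetPause:127.0.0.1 0` so local submissions are not delayed; rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access` after editing.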
More information about the MailScanner mailing list