Dictionary Attacks

Jim Holland mailscanner at mango.zw
Tue Oct 24 21:09:15 IST 2006


On Tue, 24 Oct 2006, DAve wrote:

> Date: Tue, 24 Oct 2006 13:53:20 -0400
> From: DAve <dave.list at pixelhammer.com>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Dictionary Attacks
> 
> I spoke too soon last week. Starting Friday we came under a heavy old 
> fashioned dictionary attack. Each day from noon until 4pm EDT.
> 
> The IPs are so widely scattered it seems it would do no good to track 
> them. Right now milter-grey is consuming over 50% of my CPUs. If it 
> follows the same course as the prior days, about the time the attack on 
> one server starts to ease up it will increase on the next server.
> 
> Milter-ahead is dealing with the connections that return. It could turn 
> into a DOS with a few thousand more connections. Funny but there are so 
> many connections for non-existent accounts that my load has fallen 
> nearly to the floor. There is no traffic for MailScanner to operate on, 
> the server is so dang busy telling zombies to go away.
> 
> There has to be a better way to make a living than this 8^(

As a sendmail user, one of the reasons that I am currently playing around
with Exim is that it has all kinds of fine-grained options to deal with
specific problems like this that sendmail doesn't.  One option it has is
to enable you to drop a connection as soon as it has attempted to deliver
to more than a specified number of bad addresses, for example.  That
should slow them down very quickly.

As you are using sendmail, you have options such as greet_pause,
ratecontrol, conncontrol, confBAD_RCPT_THROTTLE,
confCONNECTION_RATE_THROTTLE etc. to slow things down.  It is a pity that
the slow-down for bad recipients is hard-coded to one second, but it would
be easy to change the source in srvrsmtp.c and recompile.

I am not sure how the above would interact with grey-listing.

I would also consider using a safe RBL at SMTP time as well.

There are also scripts that can immediately firewall off any host 
attempting to deliver to more than a specified number of bad recipients, 
eg:

http://forum.ensim.com/showthread.php?t=13264

However, if your attack is from a widely distributed army of bots, that 
makes defence extremely difficult.  Is there any assistance your upstream 
provider can offer you with their own firewall?

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
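
Jim names the sendmail knobs but does not show how they are set.  The
following sendmail.mc fragment is an added example written for this page;
it is not from the post, the list, or the sendmail distribution, and the
values are illustrative.  It assumes sendmail 8.13 or later, FEATURE(access_db)
with the access map at /etc/mail/access, and ClientRate:/ClientConn:
entries in that map (described after the block).

```m4
dnl Added example, not from the original post.  Illustrative values;
dnl tune to your own traffic.  Assumes sendmail 8.13+ and an access map.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl

dnl Wait 5000 ms before sending the 220 banner.  A client that starts
dnl talking before the banner (typical bot behaviour) is rejected before
dnl it can issue a single RCPT.
FEATURE(`greet_pause', `5000')dnl

dnl Per-client connection limits, looked up in the access map.  Both run
dnl in check_relay, before the banner, so a client that is over its limit
dnl never reaches RCPT and never generates a bad-recipient rejection.
dnl `nodelay' rejects at connect time instead of deferring the rejection
dnl to RCPT (as delay_checks would); `terminate' ends check_relay there.
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl

dnl After this many rejected recipients in one transaction, sendmail
dnl sleeps before answering each further RCPT.  In 8.13 the sleep is the
dnl fixed one second Jim mentions; 8.14 added confBAD_RCPT_THROTTLE_DELAY.
define(`confBAD_RCPT_THROTTLE', `3')dnl

dnl Global, not per client: at most this many new inbound connections per
dnl second in total.  It protects the box under a distributed attack but
dnl also delays legitimate senders, so keep it generous.
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
```

The matching /etc/mail/access entries (tab-separated) would be a default
`ClientRate:	10` (new connections per minute from one client, the window
being 60 s by default), `ClientConn:	5` (simultaneous connections per
client), and exemptions such as `ClientRate:127.0.0.1	0` and
`GreetPause:127.0.0.1	0`; rebuild with `makemap hash /etc/mail/access <
/etc/mail/access` and regenerate sendmail.cf with m4.  On Jim's open
question about greylisting: greet_pause, ratecontrol and conncontrol all
act before the banner, so a client they refuse never issues RCPT and the
greylisting milter never has to process it; only connections that get past
them reach the milter, which is where confBAD_RCPT_THROTTLE then applies.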
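
The page links to a script that firewalls hosts after too many bad
recipients.  The script below is an added example in that spirit, written
for this page; it is not the script at the ensim link and not code from Jim
or DAve.  It assumes sendmail logs RCPT-time rejections in its
`ruleset=check_rcpt, ..., relay=..., reject=550 ...` format with the client
IP in square brackets, the sample log lines are constructed, and the exempt
address ranges are an assumption to adapt.  It prints iptables commands
rather than executing them.

```shell
#!/bin/sh
# Added example (not the ensim script, not the list author's code): tally
# rejected recipients per connecting IP in a sendmail maillog and print
# iptables commands for hosts at or above a threshold.

# offenders LOGFILE THRESHOLD
# Prints "count ip" for every relay IP with >= THRESHOLD rejected RCPTs,
# highest count first.  Only lines carrying a rejection are counted, so an
# accepted message from the same host does not raise its score.
offenders() {
    awk -v thr="$2" '
        /User unknown|reject=55[0-9]/ {
            # relay=[1.2.3.4]  or  relay=host.example [1.2.3.4]
            if (match($0, /relay=[^,]*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", ip); sub(/\]$/, "", ip)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# is_exempt IP -> returns 0 if the address must never be blocked.
# Assumed local ranges; extend with your MX/backup hosts and monitoring.
is_exempt() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
    esac
    return 1
}

# block_rules LOGFILE THRESHOLD
# One iptables command per non-exempt offender.  Printed, not executed,
# so the list can be reviewed first; pipe into sh to apply.
block_rules() {
    offenders "$1" "$2" | while read -r count ip; do
        is_exempt "$ip" && continue
        printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP   # %s bad rcpts\n' \
            "$ip" "$count"
    done
}

# write_sample_log PATH: constructed sample input (not real traffic).
# 203.0.113.45 has 4 rejections, 198.51.100.7 has 2 (plus one accepted
# message), 127.0.0.1 has 3 but is exempt.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 24 12:01:03 mx1 sendmail[4021]: k9OG13aa004021: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[203.0.113.45], reject=550 5.1.1 <aaron@example.com>... User unknown
Oct 24 12:01:03 mx1 sendmail[4021]: k9OG13aa004021: ruleset=check_rcpt, arg1=<abby@example.com>, relay=[203.0.113.45], reject=550 5.1.1 <abby@example.com>... User unknown
Oct 24 12:01:04 mx1 sendmail[4021]: k9OG13aa004021: ruleset=check_rcpt, arg1=<abe@example.com>, relay=[203.0.113.45], reject=550 5.1.1 <abe@example.com>... User unknown
Oct 24 12:01:05 mx1 sendmail[4023]: k9OG15ab004023: ruleset=check_rcpt, arg1=<adam@example.com>, relay=bot.example.net [203.0.113.45], reject=550 5.1.1 <adam@example.com>... User unknown
Oct 24 12:01:07 mx1 sendmail[4025]: k9OG17ac004025: from=<news@example.org>, size=2311, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Oct 24 12:01:09 mx1 sendmail[4027]: k9OG19ad004027: ruleset=check_rcpt, arg1=<zed@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <zed@example.com>... User unknown
Oct 24 12:01:10 mx1 sendmail[4027]: k9OG19ad004027: ruleset=check_rcpt, arg1=<zoe@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <zoe@example.com>... User unknown
Oct 24 12:01:11 mx1 sendmail[4029]: k9OG1Bae004029: ruleset=check_rcpt, arg1=<x1@example.com>, relay=localhost [127.0.0.1], reject=550 5.1.1 <x1@example.com>... User unknown
Oct 24 12:01:12 mx1 sendmail[4029]: k9OG1Bae004029: ruleset=check_rcpt, arg1=<x2@example.com>, relay=localhost [127.0.0.1], reject=550 5.1.1 <x2@example.com>... User unknown
Oct 24 12:01:13 mx1 sendmail[4029]: k9OG1Bae004029: ruleset=check_rcpt, arg1=<x3@example.com>, relay=localhost [127.0.0.1], reject=550 5.1.1 <x3@example.com>... User unknown
EOF
}

# Demo run on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "# rejected-recipient counts at or above threshold 3:"
offenders "$log" 3
echo "# commands that would be run (exempt hosts skipped):"
block_rules "$log" 3
rm -f "$log"
```

Run it from cron against the live maillog with a threshold that no
legitimate sender reaches.  Two caveats match Jim's own: each bot in a
widely distributed attack may stay under any sane threshold, so this catches
the noisy repeat offenders rather than the whole army; and DROP rules added
this way need an expiry mechanism (not shown), or the INPUT chain grows
without bound and dynamic addresses stay blocked long after the bot is gone.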
