Dictionary Attacks
DAve
dave.list at pixelhammer.com
Tue Oct 24 21:47:54 IST 2006
Jim Holland wrote:
> On Tue, 24 Oct 2006, DAve wrote:
>
>> Date: Tue, 24 Oct 2006 13:53:20 -0400
>> From: DAve <dave.list at pixelhammer.com>
>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> Subject: Dictionary Attacks
>>
>> I spoke too soon last week. Starting Friday we came under a heavy old-
>> fashioned dictionary attack. Each day from noon until 4pm EDT.
>>
>> The IPs are so widely scattered it seems it would do no good to track
>> them. Right now milter-grey is consuming over 50% of my CPUs. If it
>> follows the same course as the prior days, about the time the attack on
>> one server starts to ease up it will increase on the next server.
>>
>> Milter-ahead is dealing with the connections that return. It could turn
>> into a DOS with a few thousand more connections. Funny but there are so
>> many connections for non-existent accounts that my load has fallen
>> nearly to the floor. There is no traffic for MailScanner to operate on,
>> the server is so dang busy telling zombies to go away.
>>
>> There has to be a better way to make a living than this 8^(
>
> As a sendmail user, one of the reasons that I am currently playing around
> with Exim is that it has all kinds of fine-grained options to deal with
> specific problems like this that sendmail doesn't. One option it has is
> to enable you to drop a connection as soon as it has attempted to deliver
> to more than a specified number of bad addresses, for example. That
> should slow them down very quickly.
>
> As you are using sendmail then you have options such as greet_pause,
> ratecontrol, conncontrol, confBAD_RCPT_THROTTLE,
> confCONNECTION_RATE_THROTTLE etc to slow things down. It is a pity that
> the slow down for bad recipients is hard coded to one second, but it would
> be easy to change the source in srvrsmtp.c and recompile.
>
In the works, but not for a bit. I need to upgrade the servers
completely, OS and all.
> I am not sure how the above would interact with grey-listing.
>
> I would also consider using a safe RBL at SMTP time as well.
Yep, I trust spamhaus and dnsbl but I can't really run any others. We
have clients who do business with the Pacific Rim and Western Europe.
>
> There are also scripts that can immediately firewall off any host
> attempting to deliver to more than a specified number of bad recipients,
> eg:
>
> http://forum.ensim.com/showthread.php?t=13264
>
> However if your attack is from a widely distributed army of bots that
> makes defence extremely difficult. Is there any assistance your upstream
> provider can offer you with their own firewall?
>
I am the upstream provider, next stop is MCI. I am seriously thinking
about using a DUL blocklist. I've tried before but so many shrink wrap
admins out there running a business on a DSL and using their own
Exchange, makes it tough. I will surely get complaints when my clients
can't get an email from someone outside.
DAve
--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?
Maybe they forgot who made that choice possible.
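The thread above points at scripts that firewall off any client which delivers to too many bad recipients, and at sendmail's own confBAD_RCPT_THROTTLE. The following is an added example, not code from the list, from sendmail or from milter-ahead: it reads maillog lines of the shape sendmail writes when a RCPT is rejected with "User unknown", keeps a sliding window of rejections per client IP, and reports every client that crossed a threshold inside the window together with a firewall rule it would hand to a blocking script. The log format matched by REJECT_RE, the window and threshold values, the year (syslog timestamps carry none) and the iptables command are all assumptions; the sample log lines are constructed, and the rule is returned as text, never executed.

```python
"""Flag SMTP clients that hammer a sendmail host with unknown recipients.

Added example for the MailScanner thread on dictionary attacks; not code
from the list, sendmail or milter-ahead.  Assumptions: the maillog line
shape below (adjust REJECT_RE to your sendmail version and milters), the
window/threshold values, the log year, and a Linux iptables firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 600        # seconds of history per client IP (assumption: 10 min)
THRESHOLD = 20      # bad recipients inside WINDOW before the client is flagged

# syslog timestamp (no year), host, "sendmail[pid]:", queue id, then the
# check_rcpt rejection record.  Assumed format; tune it to your own maillog.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"\w+: .*?relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?"
    r"reject=550 5\.1\.1 .*User unknown"
)


def parse_ts(ts, year):
    """syslog timestamps have no year; the caller supplies one."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, year=2006, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: time it crossed the threshold} for each offending client.

    One deque of rejection timestamps per IP; entries older than the window
    are dropped as it slides, so a site with a stale address book that
    bounces a few addresses over an afternoon is never flagged, while a
    zombie running through a dictionary is flagged within minutes.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue                      # accepted mail, other noise
        ip = m.group("ip")
        t = parse_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = t
    return flagged


def block_command(ip):
    """Firewall rule as text (assumption: Linux iptables); not executed here."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"


def sample_log():
    """Constructed maillog lines; not a capture from any real server."""
    def rej(ts, ip, rcpt, qid):
        return (f"{ts} mx1 sendmail[4242]: {qid}: ruleset=check_rcpt, "
                f"arg1=<{rcpt}@example.com>, relay=[{ip}], "
                f"reject=550 5.1.1 <{rcpt}@example.com>... User unknown")
    lines = [
        "Oct 24 11:58:01 mx1 sendmail[4240]: k9OFw1Xq004240: "
        "from=<alice@example.net>, size=1234, relay=mail.example.net [192.0.2.5]",
        "Oct 24 11:58:02 mx1 sendmail[4241]: k9OFw1Xq004240: "
        "to=<bob@example.com>, stat=Sent",
    ]
    # a zombie working through a dictionary: 25 bad RCPTs in five minutes
    for i in range(25):
        lines.append(rej(f"Oct 24 12:{i // 5:02d}:{(i % 5) * 12:02d}",
                         "198.51.100.7", f"user{i}", f"k9OG{i:02d}aa00{i:03d}"))
    # a legitimate correspondent with three typos spread over the afternoon
    for hour, name in ((13, "jsmith"), (14, "jsmyth"), (16, "j.smith")):
        lines.append(rej(f"Oct 24 {hour}:30:00", "203.0.113.9", name, "k9OH0000"))
    return lines


if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{when:%b %d %H:%M:%S} {ip} crossed threshold: {block_command(ip)}")
```

Run it against `tail -f /var/log/maillog` in a real deployment and feed the returned commands to whatever firewall you use, with an expiry so a hijacked but legitimate host is not blocked forever. As the thread itself notes, this only helps when a few clients account for most of the bad recipients; against a widely distributed army of bots each sending a handful of RCPTs, per-IP thresholds never fire and the server-wide knobs (greet_pause, conncontrol, confBAD_RCPT_THROTTLE) are what remain.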