Posted to users@spamassassin.apache.org by "Daniel A. de Araujo" <da...@itautec-philco.com.br> on 2005/03/23 21:13:27 UTC

Dictionary Attack

Hi Guys,


We are receiving a lot of faked emails from outside using our own domain
using Dictionary Attacks from the same source IP.
Does anybody know a way (or a trap) to detect and block it?

Thanks,
Daniel Araujo.
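Daniel asks for a way to detect the attack as well as block it. The script below is an added example written for this page, not code from Daniel's post or from any reply in the thread. It parses Postfix smtpd rejection lines, counts per client IP how many distinct recipients were rejected as "User unknown" (the signature of a dictionary attack), notes how many of those attempts forged our own domain as the envelope sender (the symptom Daniel describes), and renders the offenders as entries for a Postfix check_client_access map. The sample log lines, the domain example.com, the IP addresses and the threshold of five are all constructed assumptions.

```python
"""Flag SMTP clients that look like dictionary-attack sources.

Added example, not code from the mailing-list thread. Reads Postfix smtpd
log lines, counts per client IP the distinct recipients rejected as
"User unknown", and notes how many of those attempts forged our own domain
as the envelope sender. Clients over the threshold are emitted as lines
for a Postfix check_client_access hash map.
"""
import re
from collections import defaultdict

OUR_DOMAIN = "example.com"  # assumption: the domain being forged

# Matches the Postfix smtpd "NOQUEUE: reject: RCPT from host[ip]: 5xx ..." line.
# The enhanced status code (e.g. "5.1.1") is optional because older Postfix
# releases did not log it.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) (?:\S+ )?<(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);"
    r" from=<(?P<sender>[^>]*)>"
)

_UNKNOWN = "Recipient address rejected: User unknown in local recipient table"


def _line(ip, host, rcpt, sender, reason=_UNKNOWN, code="550"):
    """Build one constructed Postfix reject line in the 2.x log format."""
    return (f"Mar 23 21:13:01 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: {code} <{rcpt}>: {reason}; from=<{sender}> to=<{rcpt}> "
            f"proto=ESMTP helo=<{host}>")


# Constructed sample log: one client probing six guessed localparts with a
# forged sender in our own domain, one partner who mistyped an address,
# and one unrelated relay attempt that must not count as a dictionary probe.
SAMPLE_LOG = [
    "Mar 23 21:13:00 mx postfix/smtpd[4242]: connect from unknown[192.0.2.10]",
    *[_line("192.0.2.10", "unknown", f"{name}@example.com", "ceo@example.com")
      for name in ("aaron", "abel", "adam", "adrian", "alan", "alex")],
    _line("198.51.100.7", "mail.partner.test", "danielx@example.com", "ana@partner.test"),
    _line("203.0.113.9", "unknown", "spam@example.com", "x@y.test",
          reason="Relay access denied", code="554"),
]


def parse_unknown_rejects(lines):
    """Yield (client_ip, recipient, sender) for each 'User unknown' rejection."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m and "User unknown" in m.group("reason"):
            yield m.group("ip"), m.group("rcpt").lower(), m.group("sender").lower()


def dictionary_sources(lines, min_unknown=5):
    """Return {ip: {"unknown_rcpts": n, "forged_sender": n}} for every client
    that probed at least min_unknown distinct nonexistent recipients."""
    unknown = defaultdict(set)   # ip -> set of rejected recipients
    forged = defaultdict(int)    # ip -> attempts with MAIL FROM in our domain
    for ip, rcpt, sender in parse_unknown_rejects(lines):
        unknown[ip].add(rcpt)
        if sender.endswith("@" + OUR_DOMAIN):
            forged[ip] += 1
    return {
        ip: {"unknown_rcpts": len(rcpts), "forged_sender": forged[ip]}
        for ip, rcpts in unknown.items()
        if len(rcpts) >= min_unknown
    }


def client_access_lines(report):
    """Render flagged IPs as lines for a Postfix check_client_access hash map."""
    return [f"{ip}\tREJECT dictionary attack source" for ip in sorted(report)]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for entry in client_access_lines(dictionary_sources(lines)):
        print(entry)
```

Run it against a real mail log (`python3 dictcheck.py /var/log/mail.log`) and it prints one `REJECT` line per offending client, ready to be appended to the client_access table and rebuilt with postmap. The distinct-recipient count is what separates a probe from a partner who mistypes one address, and the forged-sender count corroborates the "our own domain" symptom; a client with many unknown recipients but no forged sender is worth a look before it is blocked, since it could be a legitimate site replaying an old address list.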

Re: Dictionary Attack

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> We are receiving a lot of faked emails from outside using our own domain
> using Dictionary Attacks from the same source IP.
> Does anybody know a way (or a trap) to detect and block it?

The same source ip? What about iptables? ;)

Bye,
Raymond.

Re: Dictionary Attack

Posted by Menno van Bennekom <mv...@xs4all.nl>.
> We are receiving a lot of faked emails from outside using our own domain
> using Dictionary Attacks from the same source IP.
> Does anybody know a way (or a trap) to detect and block it?

What exactly do you mean by using your own domain?
If they use your domain as sender address you can block them with the
postfix check_sender_access hash file.
If they use your own server name or its IP address as HELO then
you can block them with check_helo_access.
If the 'attackers' use certain IP ranges or DNS suffixes you can block
them with check_client_access.
Often these attacks come from dynamic addresses so you can use an RBL in
postfix, for example 'reject_rbl_client dynablock.njabl.org'.
And as already mentioned the smtpd limits can be used to make life more
difficult for the attackers, see
http://www.postfix.org/TUNING_README.html.
Menno van Bennekom


Re: RES: Dictionary Attack

Posted by "Eric A. Hall" <eh...@ehsco.com>.
On 3/23/2005 4:16 PM, Matt Kettler wrote:
> Daniel A. de Araujo wrote:
> 
>>Thanks Matt. The 2nd option looks fine, but we use Postfix. Do you (or
>>somebody) know how to implement this option at Postfix?
> 
> Try looking at smtpd_error_sleep_time and smtpd_soft_error_limit at this
> page:
> 
> http://www.postfix.org/rate.html

That's the right track definitely. I use:

	smtpd_error_sleep_time = 10s
	smtpd_soft_error_limit = 3
	smtpd_hard_error_limit = 5

That stops most malware and dictionary attacks but still tolerates
problematic clients and my fat-fingered tests.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
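Pulling the Postfix pieces from Menno van Bennekom's and Eric A. Hall's replies together, the fragment below is an added example configuration written for this page; it was not posted by anyone in the thread. The file paths, the domain example.com, the host names and the IP addresses are assumptions, and the DNSBL name is a placeholder: dynablock.njabl.org is quoted in the thread as it was in 2005, but the NJABL lists were shut down in 2013, so substitute a list that is still maintained. The one point the thread leaves implicit is ordering: permit_mynetworks and permit_sasl_authenticated must come before check_sender_access, otherwise rejecting your own domain as envelope sender also rejects mail from your own users.

```conf
# /etc/postfix/main.cf  (added example; paths, names and addresses are assumptions)
smtpd_helo_required = yes

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_access,
    check_helo_access hash:/etc/postfix/helo_access,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client dnsbl.example.invalid

# Per-client error throttling, values as Eric A. Hall posts them above
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 5

# /etc/postfix/sender_access  (run "postmap /etc/postfix/sender_access" after editing)
# Outside clients never submit mail with our domain as envelope sender.
example.com     REJECT Forged sender address

# /etc/postfix/helo_access   (postmap after editing)
# Nobody outside announces themselves as our own MX.
mx.example.com  REJECT Forged HELO name

# /etc/postfix/client_access (postmap after editing)
# Source identified from the log as a dictionary-attack client.
192.0.2.10      REJECT Dictionary attack source
```

After editing any of the three tables, rebuild it with postmap and run `postfix reload`; then verify from a host outside mynetworks that a MAIL FROM in your own domain is refused while an internal client can still send. The error limits make each guessed recipient cost the attacker a 10 second delay after the third error and a disconnect after the fifth, which is what keeps the sender_access rule from being needed for every probing client.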

Re: RES: Dictionary Attack

Posted by Matt Kettler <mk...@evi-inc.com>.
Daniel A. de Araujo wrote:

>Thanks Matt. The 2nd option looks fine, but we use Postfix. Do you (or
>somebody) know how to implement this option at Postfix?
>  
>
Try looking at smtpd_error_sleep_time and smtpd_soft_error_limit at this
page:

http://www.postfix.org/rate.html

I'm not really a postfix sort, but that's the closest set of commands I
can find.

RES: Dictionary Attack

Posted by "Daniel A. de Araujo" <da...@itautec-philco.com.br>.
Thanks Matt. The 2nd option looks fine, but we use Postfix. Do you (or
somebody) know how to implement this option at Postfix?

Thanks,
Daniel.



-----Original Message-----
From: Matt Kettler [mailto:mkettler@evi-inc.com]
Sent: Wednesday, 23 March 2005 17:24
To: Daniel A. de Araujo
Cc: users@spamassassin.apache.org
Subject: Re: Dictionary Attack


Daniel A. de Araujo wrote:

> Hi Guys,
>
>
> We are receiving a lot of faked emails from outside using our own
> domain using Dictionary Attacks from the same source IP.
> Does anybody know a way (or a trap) to detect and block it?

Several options to deal with it, with varying degrees of efficacy and
effort involved.

1) If it's just one source, just block the source IP with a
/etc/mail/access entry or a firewall entry.

2) if you use sendmail as an MTA, turn on the BAD_RCPT_THROTTLE option
    /etc/mail/sendmail.mc:
        # after 5 invalid recipients, start slowing them down with 1 second sleeps
        define(`confBAD_RCPT_THROTTLE',5)
    (and follow up by rebuilding sendmail.cf with m4, then restart sendmail.)

3) do something like rumplekill
    http://bignosebird.com/notebook/rumplekill.shtml



This e-mail communication (and any attachments) is confidential and is intended only for the individual(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, please do not read, copy, use or disclose the contents of this communication to others. Please then delete the e-mail and any copies of it.

without accent marks ...

Re: Dictionary Attack

Posted by Matt Kettler <mk...@evi-inc.com>.
Daniel A. de Araujo wrote:

> Hi Guys,
>  
>  
> We are receiving a lot of faked emails from outside using our own
> domain using Dictionary Attacks from the same source IP.
> Does anybody know a way (or a trap) to detect and block it?

Several options to deal with it, with varying degrees of efficacy and
effort involved.

1) If it's just one source, just block the source IP with a
/etc/mail/access entry or a firewall entry.

2) if you use sendmail as an MTA, turn on the BAD_RCPT_THROTTLE option
    /etc/mail/sendmail.mc:
        # after 5 invalid recipients, start slowing them down with 1 second sleeps
        define(`confBAD_RCPT_THROTTLE',5)
    (and follow up by rebuilding sendmail.cf with m4, then restart sendmail.)

3) do something like rumplekill
    http://bignosebird.com/notebook/rumplekill.shtml