[milters] Archive


Article: 138
From: Anthony Howe
Date: 2004-10-08 09:57:04 -0400
Subject: Re: Stopping dictionary attacks


Jose Nathaniel G. Nengasca wrote:
> I have so much on my logs using dictionary attacks (guessing usernames) on
> my email server from email with <>, is there any way to stop this kind of
> attack, like adding them to the blacklist automatically when the user does
> not exist on my server .AND. from <> senders?

A similar question was asked last month and I answered: no. See

http://www.snert.com/Software/ecartis/index.php?go=/milters/2004-09/112

Some of those "attacks" might actually be callbacks from another 
milter-sender or similar system to test if the address exists. It would 
be almost impossible to tell the difference between a call-back from a 
legit machine and dictionary probing. One of the failings of the 
callback technique is that it could be used by spammers to indirectly 
probe other systems. (Though I thought I addressed this in an update 
last year with an option.)

You would have to observe some patterns and maybe use milter-limit in 
conjunction with milter-sender to allow only a certain number of tests / 
connections per hour or day from suspicious servers.

Another alternative might be to try running with milter-gris before 
milter-sender and use grey listing to discourage the spammers. Not sure 
how well this would work. Be interesting to see results.

Also use Sendmail 8.13.1 with the FEATURE(`greet_pause', 10).  This does 
wonders.


-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

            "Once...we were here."  - Last of The Mohicans
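
Added example, not part of the original message and not code from any of the milters named in it: a log review that produces the kind of per-server, per-hour count of unknown-user rejections from <> senders that the reply suggests observing before setting a limit. The log layout, the sample lines and the function names are assumptions constructed for illustration; as the reply notes, a count like this cannot tell a legitimate callback from probing, it only shows which relays exceed a chosen rate.

```python
import re
from collections import Counter

# Assumed sendmail syslog layout: "Mon dd HH:MM:SS host sendmail[pid]: qid: text"
LINE = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ sendmail\[\d+\]: (\w+): (.*)$")
RELAY_IP = re.compile(r"relay=.*?\[([0-9a-fA-F.:]+)\]")

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE_LOG = """\
Oct  8 09:12:01 mx sendmail[101]: i98DC1aa000101: <aaron@example.org>... User unknown
Oct  8 09:12:01 mx sendmail[101]: i98DC1aa000101: <abby@example.org>... User unknown
Oct  8 09:12:02 mx sendmail[101]: i98DC1aa000101: <adam@example.org>... User unknown
Oct  8 09:12:02 mx sendmail[101]: i98DC1aa000101: from=<>, size=0, nrcpts=0, relay=[192.0.2.10]
Oct  8 09:20:05 mx sendmail[102]: i98DK5bb000102: <nosuch@example.org>... User unknown
Oct  8 09:20:05 mx sendmail[102]: i98DK5bb000102: from=<>, size=0, nrcpts=0, relay=peer.example.net [198.51.100.7]
Oct  8 09:30:00 mx sendmail[103]: i98DU0cc000103: <typo@example.org>... User unknown
Oct  8 09:30:00 mx sendmail[103]: i98DU0cc000103: from=<alice@example.com>, size=0, nrcpts=0, relay=[203.0.113.5]
"""

def null_sender_probes(lines):
    """Count unknown-recipient rejections per (relay IP, hour) for <> senders.

    Assumes the rejections of a session are logged before its from= line and
    share its queue id, so the two are correlated on that id.
    """
    unknown = Counter()   # queue id -> rejected recipients seen so far
    counts = Counter()    # (relay ip, "Mon dd HH") -> rejections
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        hour, qid, text = m.groups()
        if text.endswith("User unknown"):
            unknown[qid] += 1
        elif text.startswith("from=<>,"):
            ip = RELAY_IP.search(text)
            if ip and unknown[qid]:
                counts[(ip.group(1), hour)] += unknown.pop(qid)
        elif text.startswith("from="):
            unknown.pop(qid, None)   # non-null sender: outside this question
    return counts

def over_limit(counts, limit):
    """Relay IPs with more than `limit` such rejections in any single hour."""
    return sorted({ip for (ip, _hour), n in counts.items() if n > limit})

if __name__ == "__main__":
    print(over_limit(null_sender_probes(SAMPLE_LOG.splitlines()), limit=2))
```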

