[Mimedefang] The nerve of these people...

Chad Stalvey cstalvey at hcsmail.com
Tue Jan 7 18:03:01 EST 2003


Thank you to all that replied, and all that will reply to this also...
I set the number to 2, and instead of all 50-70 attempts coming at once, I
would get 2 per second until the attack was over.

I tracked down that piece of code in the source. In the file
/sendmail-x.x.x/sendmail/srvrsmtp.c
there is this:

snip
        sm_syslog(LOG_INFO, e->e_id,
                  "%.100s: Possible SMTP RCPT flood, throttling.",
                  CurSmtpClient);

        /* To avoid duplicated message */
        n_badrcpts++;
    }

    /*
    **  Don't use exponential backoff for now.
    **  Some servers will open more connections
    **  and actually overload the receiver even
    **  more.
    */

    (void) sleep(1);
/snip

I just changed the last line there like so:

snip
        sm_syslog(LOG_INFO, e->e_id,
                  "%.100s: Possible SMTP RCPT flood, throttling.",
                  CurSmtpClient);

        /* To avoid duplicated message */
        n_badrcpts++;
    }

    /*
    **  Don't use exponential backoff for now.
    **  Some servers will open more connections
    **  and actually overload the receiver even
    **  more.
    */

    /*(void) sleep(1);*/
    goto doquit;
/snip

Recompiled sendmail, and now after 2 bad RCPTs it will close the
connection. I may move this up to 5 after I get in tomorrow and someone has
complained, but until then it is staying.

Chad Stalvey.


-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Jim
McCullars
Sent: Tuesday, January 07, 2003 3:19 PM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] The nerve of these people...




On Tue, 7 Jan 2003, Chad Stalvey wrote:

> Is there any way to stop people that try this sort of thing?
>
> Last line is who it came from, but his email and IP and domain are all
> changing.

   In your sendmail.mc file that you use to generate your sendmail config
file, add this line:

	define(`confBAD_RCPT_THROTTLE', `10')dnl

This will cause sendmail to sleep for one second between commands once a
remote MTA has sent 10 invalid recipients (change the number to your
liking - I have heard that some people set it as low as three).  It won't
stop dictionary attacks, but it will slow them down.  HTH...

Jim
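
Added example (not part of either message and not sendmail's own code): a short Python log check that counts the "Possible SMTP RCPT flood, throttling." entries written by the sm_syslog() call quoted above, grouped by client address, so an administrator can see how often the throttle fires and from how many distinct hosts. The syslog prefix layout, the `host [ip]` client format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message text comes from the sm_syslog() call quoted in the post;
# the surrounding syslog prefix layout is an assumption.
FLOOD_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): (?P<client>.{1,100}?): "
    r"Possible SMTP RCPT flood, throttling\.$"
)
# Assumed client format: "name [address]" or just "[address]".
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]$")

# Constructed sample log lines (documentation addresses, made-up queue ids).
SAMPLE_LOG = """\
Jan  7 14:02:11 mx1 sendmail[4101]: h07J2B4101: dialup-7.example.net [192.0.2.15]: Possible SMTP RCPT flood, throttling.
Jan  7 14:02:40 mx1 sendmail[4107]: h07J2e4107: [198.51.100.23]: Possible SMTP RCPT flood, throttling.
Jan  7 14:03:02 mx1 sendmail[4113]: h07J324113: dialup-7.example.net [192.0.2.15]: Possible SMTP RCPT flood, throttling.
Jan  7 14:03:05 mx1 sendmail[4113]: h07J324113: from=<a@example.org>, size=0, nrcpts=0, proto=SMTP
Jan  7 14:05:19 mx1 sendmail[4120]: h07J5J4120: host9.example.com [203.0.113.77]: Possible SMTP RCPT flood, throttling.
"""

def client_key(client):
    """Group by the bracketed address when present, since names can vary."""
    m = IP_RE.search(client)
    return m.group(1) if m else client

def throttle_events(log_text):
    """Return a Counter of throttle log entries per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FLOOD_RE.search(line)
        if m:
            counts[client_key(m.group("client"))] += 1
    return counts

def repeat_offenders(counts, min_events=2):
    """Addresses that tripped the throttle at least min_events times."""
    return sorted(addr for addr, n in counts.items() if n >= min_events)

if __name__ == "__main__":
    counts = throttle_events(SAMPLE_LOG)
    print(f"{sum(counts.values())} throttle events from {len(counts)} clients")
    for addr, n in counts.most_common():
        print(f"{n:4d}  {addr}")
    print("repeat offenders:", repeat_offenders(counts))
```

A high count of distinct addresses with one event each matches the changing-sender pattern described in the original question, where per-address blocking helps little and the throttle setting does most of the work.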

