[Mimedefang] dictionary attacks looking for a valid user
Mack
roaringpenguin.com at bass-speaker.com
Thu Dec 15 17:04:36 EST 2005
Without giving too much away about how I've implemented this...
Basically -- Greylisting (triplet based)
Throttling -- user based, against triplet scoring
Remote IP -- against tries/retries
E.g. the last virus to do the rounds, that .Y or .Z depending on your AV,
basically tried to send x million viruses to said addresses...
Spool 'em if over X and worry about 'em separately (if doing user-based
scanning!!!)
else set a throttle for domain based, only allowing maybe 25 user tries;
as soon as you get a fail - greylist and out she goes (not an MD feature)
Run sender verify & HELO arg checks against sending host (as well as RBL
etc.) (add to spam score accordingly)
Run LDAP against your recipient server (you do run MD as a gateway, not a
terminating MTA??)
Remember all valid mail servers will resend the mail within a reasonable
time period....
spammers won't
You can reduce your received spam by about 60ish% using this (since you
never receive it)
the rest is caught by SpamAssassin
-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of Alex Moore
Sent: 15 December 2005 21:06
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] dictionary attacks looking for a valid user
I have not seen this topic discussed. BTW, I appreciate the recent
thread on greylisting.
Spammer scenario:
A spammer tries many times to find a user with something like a
dictionary attack or a list of commonly used user names.
How can I set up a rule in MIMEDefang to define those transactions? Say
when an SMTP server tries 10 times within a short time period and is sent
a 550 code each time. I think that it would be appropriate to have MD just
blacklist that address. Is that possible? I want to ignore them
completely after this event has occurred.
Ideas?
Thanks, Alex
MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
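The logic Alex asks for (count 550 rejections per sending client within a short window, then ignore that client), combined with Mack's point that legitimate servers retry and so a block should expire, as an added example that is not part of this thread and is not MIMEDefang code. MIMEDefang filters are written in Perl; this is a stand-alone Python model of the counting logic replayed over constructed log lines in a made-up format, so the log pattern, the field names, the threshold, window and cooling-off values, and the addresses are all assumptions. In a real filter the equivalent check would sit in filter_recipient, and the per-client counters would have to live in a store shared across the multiplexor's slave processes rather than in process memory.

```python
"""Sliding-window counter of user-unknown (550) rejections per client IP.

Model of the decision logic discussed in the thread: once a client has
collected THRESHOLD rejections within WINDOW seconds, put it in a penalty
box for BLOCK_FOR seconds and refuse its transactions outright.  The block
expires so that a legitimate server that hit a few bad addresses can still
get through on a later retry.  Everything here (log format, thresholds,
addresses) is constructed for the example; it is not MIMEDefang code.
"""
import re
from collections import defaultdict, deque

# Policy knobs (assumed values; the question mentions "10 tries")
THRESHOLD = 10      # 550s inside the window that trip the block
WINDOW = 600        # seconds that count as "a short time period"
BLOCK_FOR = 3600    # seconds to ignore the client after it trips

# Constructed log format: "<epoch> <client-ip> rcpt=<address> result=<smtp-code>"
LOG_RE = re.compile(r"^(\d+) (\S+) rcpt=(\S+) result=(\d{3})$")


class RejectTracker:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.fails = defaultdict(deque)  # ip -> timestamps of recent 550s
        self.blocked_until = {}          # ip -> epoch when its block expires
        self.trips = []                  # (ip, epoch) each time a block starts

    def is_blocked(self, ip, now):
        """True while the client is in the penalty box; expired blocks are dropped."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True

    def note_result(self, ip, code, now):
        """Record the MTA's verdict for one recipient; return True if it tripped a block."""
        if code != 550:
            return False
        recent = self.fails[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) < self.threshold:
            return False
        self.blocked_until[ip] = now + self.block_for
        self.trips.append((ip, now))
        recent.clear()                                    # fresh start after the block ends
        return True


def process_log(lines, tracker=None):
    """Replay log lines through the tracker; return it and the action taken per line."""
    tracker = tracker or RejectTracker()
    actions = []   # (ip, recipient, action)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in our constructed format
        now, ip, rcpt, code = int(m[1]), m[2], m[3], int(m[4])
        if tracker.is_blocked(ip, now):
            actions.append((ip, rcpt, "REJECT-BLOCKED"))   # ignore them completely
            continue
        tracker.note_result(ip, code, now)
        actions.append((ip, rcpt, "CONTINUE"))             # the MTA's own code stands
    return tracker, actions


# Constructed sample traffic (RFC 5737 documentation addresses).
# 192.0.2.10 walks an alphabetical name list, one try every 5 seconds.
NAMES = ["aaron", "adam", "alan", "albert", "alex", "alice",
         "amy", "andrew", "andy", "anna", "anne", "arthur"]
ATTACK = [f"{1000 + 5 * i} 192.0.2.10 rcpt={n}@example.org result=550"
          for i, n in enumerate(NAMES)]
# The same client comes back after its block has expired.
ATTACK.append("5000 192.0.2.10 rcpt=bob@example.org result=550")
# 198.51.100.5 mistypes one address and then gets it right: one 550 is not an attack.
LEGIT = ["1003 198.51.100.5 rcpt=postmaser@example.org result=550",
         "1020 198.51.100.5 rcpt=postmaster@example.org result=250"]
# 203.0.113.7 hits a stale address once an hour: never ten inside one window.
SLOW = [f"{2000 + 3600 * i} 203.0.113.7 rcpt=old{i}@example.org result=550"
        for i in range(4)]
SAMPLE_LOG = sorted(ATTACK + LEGIT + SLOW, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    tracker, actions = process_log(SAMPLE_LOG)
    for ip, when in tracker.trips:
        print(f"{ip} blocked at t={when} after {THRESHOLD} rejections in {WINDOW}s")
    for ip, rcpt, action in actions:
        if action != "CONTINUE":
            print(f"{ip} {rcpt}: {action}")
```

With this sample the scanning client trips the block on its tenth rejection, its next two attempts are refused without being looked up, and its attempt after the cooling-off period is counted afresh; the client with a single typo and the one that fails once an hour are never touched. The window and threshold are the tuning surface: a window that is too long or a threshold that is too low starts catching legitimate relays that carry a few stale addresses, which is exactly the traffic Mack notes will come back and retry.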