[Mimedefang] dictionary attacks looking for a valid user

Jan Pieter Cornet johnpc at xs4all.nl
Thu Dec 15 17:59:07 EST 2005


On Thu, Dec 15, 2005 at 04:53:13PM -0500, David F. Skoll wrote:
> > It's tricky. I haven't done this yet but I'm sort of planning to. One
> > possibility is to make sure all valid addresses are in virtusertable,
> > and all invalid addresses map to some magic token that sendmail believes
> > is valid, but really isn't. You could catch the magic token in
> > mimedefang and always return a "user unknown" error, and at the
> > same time mark that this happened on this connection...
> 
> Unfortunately, MIMEDefang only sees exactly what was in the
> RCPT TO: command.  It doesn't know the results of virtusertable
> changes.
> 
> (Though it occurs to me that it can see the mailer, so if you
> map invalid addresses to something magical in virtusertable, and
> have that magical thing select the "error" mailer, then MIMEDefang
> might see it... have to test.)

That's exactly what I meant with the magic token... something that
maps to a special mailer, say "myerror" (not "error", cause error is
handled by sendmail, and causes it to abort immediately). I've tested
this briefly and it seems to work. It's nowhere near production
though, and I have yet to decide what to do with that information
exactly. I might end up scoring remote hosts (or netblocks) based
on recent email behaviour (SA/Bayes scores, virus, bad rcpts, number
of mails, and particularly changes in those parameters).

Oh, one thing I may need by then is a "filter_abort" hook in
mfabort... but I'll patch that in when necessary. Just to count hosts
that abort the mail sending part prematurely; if that happens too often,
it's likely an address harvester (or a "probeback" address verifier...
hmmm). This could also be gathered by inspecting sendmail logs, but
sendmail is sometimes suspiciously silent about aborted transfers.

> > An easier solution might be to have a process tail(1) your logfile and
> > take action on the information there. I think I've even seen something
> > like that: more than x invalid recipients, and you're firewalled away.
> 
> That's much easier.  I have a script I run for a similar purpose:  It
> firewalls off anyone who attempts to log in via SSH with an invalid
> password.  There are lots of SSH brute-forcers around.

Someone else in this thread already pointed at something like that
for bad recipients in the sendmail log. If that's all you need,
it is certainly easier than monkeying around with virtusertable
and fake error mailers.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
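The "tail the log and act on it" approach that both posters settle on (count invalid recipients per remote host, then firewall hosts that exceed a threshold) is sketched below as an added example; it is not code from the thread, from MIMEDefang, or from sendmail. It assumes sendmail's usual "User unknown" rejection logging with a `relay=` field, the log lines are constructed samples, and the threshold, the ten-minute sliding window, the year used to complete syslog timestamps, and the `iptables` rule shape are all choices made for the example. The script only produces the firewall commands as strings; running them is left to the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a sendmail recipient rejection logged as "User unknown", capturing
# the syslog timestamp and the relay IP. Both "relay=[192.0.2.10]" and
# "relay=host.example [192.0.2.10]" forms are accepted.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?:sendmail|sm-mta)\[\d+\]: "
    r"\w+: .*?relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?User unknown"
)

# Constructed sample log (not from the list post): 192.0.2.10 walks through a
# dictionary of names starting with "a"; 198.51.100.7 is a legitimate sender
# that made a single typo in a recipient address.
SAMPLE_LOG = """\
Dec 15 17:59:07 mx sendmail[2201]: jBFMx7aa002201: ruleset=check_rcpt, arg1=<aaron@example.net>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.net>... User unknown
Dec 15 17:59:08 mx sendmail[2201]: jBFMx7aa002201: ruleset=check_rcpt, arg1=<abbey@example.net>, relay=[192.0.2.10], reject=550 5.1.1 <abbey@example.net>... User unknown
Dec 15 17:59:08 mx sendmail[2201]: jBFMx7aa002201: ruleset=check_rcpt, arg1=<abbot@example.net>, relay=[192.0.2.10], reject=550 5.1.1 <abbot@example.net>... User unknown
Dec 15 17:59:09 mx sendmail[2205]: jBFMx9bb002205: from=<friend@example.org>, size=1234, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, relay=mail.example.org [198.51.100.7]
Dec 15 17:59:10 mx sendmail[2207]: jBFMxAcc002207: ruleset=check_rcpt, arg1=<typo@example.net>, relay=mail.example.org [198.51.100.7], reject=550 5.1.1 <typo@example.net>... User unknown
Dec 15 17:59:11 mx sendmail[2201]: jBFMx7aa002201: ruleset=check_rcpt, arg1=<abe@example.net>, relay=[192.0.2.10], reject=550 5.1.1 <abe@example.net>... User unknown
"""


def parse_rejects(lines, year=2005):
    """Yield (timestamp, relay_ip) for every "User unknown" rejection line.

    Syslog timestamps carry no year, so one is supplied (assumed here) to get
    a real datetime; only differences between timestamps are used below.
    """
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def offenders(lines, threshold=3, window=timedelta(minutes=10), year=2005):
    """Return {ip: peak_count} for relays that produced at least `threshold`
    unknown-recipient rejections inside any `window`-long sliding interval.

    Lines are expected in log order (as syslog writes them). A per-IP deque
    holds the timestamps still inside the window; older ones are dropped as
    each new rejection arrives, so a single old typo never accumulates into
    a block.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, ip in parse_rejects(lines, year):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def firewall_commands(peak):
    """Render one iptables rule per flagged relay, dropping its SMTP traffic.

    Returned as strings rather than executed, so the operator can review,
    whitelist, or feed them to whatever blocking mechanism is in use.
    """
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip in sorted(peak)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines())
    for ip, n in hits.items():
        print(f"{ip}: {n} unknown recipients within window")
    for cmd in firewall_commands(hits):
        print(cmd)
```

With the sample log, the dictionary walker from 192.0.2.10 is flagged after its third rejection and the legitimate host with one typo is not; lowering the threshold to 1 flags both, which is the false-positive the window and threshold exist to avoid. For a live deployment the same functions would be fed by a process following the log file, and the `relay=` field should be preferred over any hostname in the line, since the IP is what the firewall rule keys on.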