[Mimedefang] Blocking Dictionary Attacks

Les Mikesell les at futuresource.com
Tue Jun 9 13:59:38 EDT 2009


Paul Murphy wrote:
>>>> afo cliff <afocliff at gmail.com> 09/06/2009 17:18 >>>
>> Ok, then it looks like it's better to stick with access/virtusertable
>> rejection.
> 
> 
> No, it is infinitely better to do it in filter_recipient, and terminate
> the connection after a number of invalid recipients.
> 
> Consider the case where a spammer connects and tries a list of 2000
> common accounts (root, postmaster, admin, daemon, staff, info, etc...). 
> Rejecting via the access DB will reject all of the ones which are
> invalid, and will do so quickly.  However, all of the valid ones will
> get the spam, and the spammer will also get a 2xx OK code to that
> recipient, so they can tune their mailing lists to remove known bad
> addresses, and sell on the ones which they now know to be working.

Spammers are a lot smarter than that these days.  If you watch your logs 
during a dictionary attack you are likely to see the messages come in 
from dozens of different IP addresses that are obviously coordinating 
the address space and timing so you don't see a big number of addresses 
come in from any single source, or on any single message, or fast enough 
to overwhelm a reasonable server.

> Doing it via filter_recipient, the spammer sends RCPT_TO with the first
> address, which might be valid.  However, long before they have gone
> through the 2000 in their list, you've seen 3 bad addresses, and have
> rejected the whole message.

Sendmail can do this directly as well:
define(`confBAD_RCPT_THROTTLE',`3')dnl

And unless you expect messages with a large number of recipients you can 
refuse to accept them without running any perl code:
define(`confMAX_RCPTS_PER_MESSAGE',`5')dnl
'Real' senders are supposed to figure this out and resend but I don't 
know how it works out in practice.

-- 
   Les Mikesell
    lesmikesell at gmail.com
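As an added illustration, not code from the thread, here is a toy Python model of the two policies Paul describes, with constructed mailbox and probe lists: it shows what a probing client learns under per-recipient rejection, under drop-after-three-bad-recipients, and, as Les notes, when the same probe is spread over many short connections.

```python
"""Toy model of the two recipient-rejection policies discussed in the thread.
Policy A rejects each unknown RCPT TO on its own (access DB style); policy B
counts bad recipients per connection and closes the session once THRESHOLD
is reached (the filter_recipient approach).  Mailboxes and the probe list
below are constructed for the example."""

VALID = {"postmaster", "info", "les"}        # constructed local mailboxes
THRESHOLD = 3                                # bad recipients before dropping

# Constructed "common accounts" probe list, as in the thread's scenario.
PROBE = ["root", "postmaster", "admin", "daemon", "staff", "info", "les"]


class Session:
    """One SMTP connection, tracking how many recipients were rejected."""

    def __init__(self, drop_after_bad):
        self.drop_after_bad = drop_after_bad
        self.bad = 0
        self.closed = False

    def rcpt_to(self, local_part):
        """Return the reply code the client sees (None once closed)."""
        if self.closed:
            return None
        if local_part in VALID:
            return 250
        self.bad += 1
        if self.drop_after_bad and self.bad >= THRESHOLD:
            self.closed = True               # drop the whole session
            return 421
        return 550


def harvested(drop_after_bad, per_connection):
    """Run PROBE over connections carrying per_connection RCPT TOs each and
    return the set of addresses for which the client saw a 2xx reply."""
    learned = set()
    for start in range(0, len(PROBE), per_connection):
        sess = Session(drop_after_bad)
        for name in PROBE[start:start + per_connection]:
            if sess.rcpt_to(name) == 250:
                learned.add(name)
    return learned


if __name__ == "__main__":
    print("access DB, one connection:", sorted(harvested(False, len(PROBE))))
    print("drop after 3, one connection:", sorted(harvested(True, len(PROBE))))
    print("drop after 3, 2 per connection:", sorted(harvested(True, 2)))
```

Note that sendmail's confBAD_RCPT_THROTTLE sleeps one second after each further rejected RCPT in the envelope rather than closing the session, so it slows a probe down instead of cutting it off the way the model's 421 does.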
