[Mimedefang] Blocking Dictionary Attacks
Les Mikesell
les at futuresource.com
Tue Jun 9 13:59:38 EDT 2009
Paul Murphy wrote:
>>>> afo cliff <afocliff at gmail.com> 09/06/2009 17:18 >>>
>> Ok, then it looks like it's better to stick with access/virtusertable
>> rejection.
>
>
> No, it is infinitely better to do it in filter_recipient, and terminate
> the connection after a number of invalid recipients.
>
> Consider the case where a spammer connects and tries a list of 2000
> common accounts (root, postmaster, admin, daemon, staff, info, etc...).
> Rejecting via the access DB will reject all of the ones which are
> invalid, and will do so quickly. However, all of the valid ones will
> get the spam, and the spammer will also get a 2xx OK code to that
> recipient, so they can tune their mailing lists to remove known bad
> addresses, and sell on the ones which they now know to be working.
Spammers are a lot smarter than that these days. If you watch your logs
during a dictionary attack you are likely to see the messages come in
from dozens of different IP addresses that are obviously coordinating
the address space and timing so you don't see a big number of addresses
come in from any single source, or on any single message, or fast enough
to overwhelm a reasonable server.
> Doing it via filter_recipient, the spammer sends RCPT_TO with the first
> address, which might be valid. However, long before they have gone
> through the 2000 in their list, you've seen 3 bad addresses, and have
> rejected the whole message.
Sendmail can do this directly as well:
define(`confBAD_RCPT_THROTTLE',`3')dnl
And unless you expect messages with a large number of recipients you can
refuse to accept them without running any perl code:
define(`confMAX_RCPTS_PER_MESSAGE',`5')dnl
'Real' senders are supposed to figure this out and resend but I don't
know how it works out in practice.
--
Les Mikesell
lesmikesell at gmail.com
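The coordinated, low-and-slow dictionary attack described in the reply above (many sources, each probing only a couple of addresses so no per-connection throttle fires) is something a per-source rejection count like confBAD_RCPT_THROTTLE cannot see, but a log-side aggregate can. The following is an added example, not code from the list post, MIMEDefang or sendmail: it parses sendmail-style check_rcpt "User unknown" rejections, counts them per relay IP, and also counts them across all sources in a sliding window. The log lines are constructed to resemble sendmail's reject lines (not real data), the year is assumed because syslog timestamps carry none, and the thresholds (3 per source, 8 per ten-minute window) are illustrative assumptions.

```python
"""Spot a distributed dictionary attack in sendmail reject logs.

Added example, not from the MIMEDefang list post. The sample log is
constructed to mimic sendmail's check_rcpt "User unknown" rejections.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches a sendmail 550 5.1.1 "User unknown" recipient rejection; the relay
# field may be "[ip]" or "hostname [ip]".
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, "
    r"relay=[^,]*?\[(?P<ip>[\d.]+)\], reject=550 5\.1\.1 .*User unknown"
)

LOG_YEAR = 2009  # assumption: syslog lines have no year; sample is dated Jun 9

# Constructed sample: six sources, each probing two bad names within ten
# minutes, plus one unrelated delivery line that must be ignored.
SAMPLE_LOG = """\
Jun  9 13:50:01 mx sendmail[4101]: n59Ho1aa004101: ruleset=check_rcpt, arg1=<root@example.com>, relay=[203.0.113.11], reject=550 5.1.1 <root@example.com>... User unknown
Jun  9 13:50:03 mx sendmail[4101]: n59Ho1aa004101: ruleset=check_rcpt, arg1=<admin@example.com>, relay=[203.0.113.11], reject=550 5.1.1 <admin@example.com>... User unknown
Jun  9 13:51:00 mx sendmail[4103]: n59Hp0cc004103: from=<alice@example.net>, size=1234, class=0, nrcpts=1, msgid=<x@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Jun  9 13:51:22 mx sendmail[4107]: n59Ho2bb004107: ruleset=check_rcpt, arg1=<daemon@example.com>, relay=scanner.example.org [198.51.100.7], reject=550 5.1.1 <daemon@example.com>... User unknown
Jun  9 13:51:25 mx sendmail[4107]: n59Ho2bb004107: ruleset=check_rcpt, arg1=<staff@example.com>, relay=scanner.example.org [198.51.100.7], reject=550 5.1.1 <staff@example.com>... User unknown
Jun  9 13:52:40 mx sendmail[4112]: n59Hq3dd004112: ruleset=check_rcpt, arg1=<info@example.com>, relay=[203.0.113.42], reject=550 5.1.1 <info@example.com>... User unknown
Jun  9 13:52:44 mx sendmail[4112]: n59Hq3dd004112: ruleset=check_rcpt, arg1=<sales@example.com>, relay=[203.0.113.42], reject=550 5.1.1 <sales@example.com>... User unknown
Jun  9 13:54:10 mx sendmail[4120]: n59Hr4ee004120: ruleset=check_rcpt, arg1=<webmaster@example.com>, relay=[198.51.100.90], reject=550 5.1.1 <webmaster@example.com>... User unknown
Jun  9 13:54:12 mx sendmail[4120]: n59Hr4ee004120: ruleset=check_rcpt, arg1=<support@example.com>, relay=[198.51.100.90], reject=550 5.1.1 <support@example.com>... User unknown
Jun  9 13:56:05 mx sendmail[4131]: n59Hs5ff004131: ruleset=check_rcpt, arg1=<marketing@example.com>, relay=[192.0.2.77], reject=550 5.1.1 <marketing@example.com>... User unknown
Jun  9 13:56:09 mx sendmail[4131]: n59Hs5ff004131: ruleset=check_rcpt, arg1=<billing@example.com>, relay=[192.0.2.77], reject=550 5.1.1 <billing@example.com>... User unknown
Jun  9 13:57:48 mx sendmail[4140]: n59Ht6gg004140: ruleset=check_rcpt, arg1=<office@example.com>, relay=[203.0.113.200], reject=550 5.1.1 <office@example.com>... User unknown
Jun  9 13:57:50 mx sendmail[4140]: n59Ht6gg004140: ruleset=check_rcpt, arg1=<helpdesk@example.com>, relay=[203.0.113.200], reject=550 5.1.1 <helpdesk@example.com>... User unknown
"""


def parse_rejects(text):
    """Return sorted (timestamp, relay_ip, recipient) tuples for each rejection."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # deliveries and other rulesets are not rejections
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"].lower()))
    events.sort()
    return events


def per_source_counts(events):
    """Rejections per relay IP: what a per-connection throttle can see."""
    return Counter(ip for _, ip, _ in events)


def max_in_window(events, window):
    """Largest number of rejections, from any sources, in one sliding window."""
    best, j = 0, 0
    for i, (start, _, _) in enumerate(events):
        while j < len(events) and events[j][0] - start < window:
            j += 1
        best = max(best, j - i)
    return best


def analyse(text, per_source_threshold=3, campaign_threshold=8,
            window=timedelta(minutes=10)):
    """Compare the per-source view with the aggregate view of the same log."""
    events = parse_rejects(text)
    counts = per_source_counts(events)
    peak = max_in_window(events, window)
    return {
        "sources": len(counts),
        "bad_recipients": len({r for _, _, r in events}),
        # sources a BAD_RCPT_THROTTLE-style per-connection rule would have cut off
        "sources_over_throttle": sorted(
            ip for ip, n in counts.items() if n >= per_source_threshold),
        "peak_in_window": peak,
        "campaign": peak >= campaign_threshold,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample no source reaches the per-source threshold of 3, so a per-connection cut-off would never trigger, while the aggregate window holds 12 distinct bad recipients and flags the campaign. In practice the aggregate count is what you would alert on, with the per-source list used to decide which relays, if any, to block at the MTA.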