reporting dictionary attacks

Jayson Smith ratguy at bellsouth.net
Sun Jun 20 18:18:36 EDT 2004


Hi,
A few more thoughts on the dictionary attack.  My earlier post was CCed to
Greg himself so he'd hopefully get the information sooner, since this list
is taking a long time to send out messages, mine anyway!
I'm surprised SMTP servers aren't taking this matter into their own hands.
It seems to me that for such an attack, there could be several solutions.
Firstly, the server could, upon noticing many invalid address requests from
the same IP or group of IPs, simply block those IPs for a while.  When they
connect, just either immediately disconnect them, or give some error and
disconnect.  Or even better, make them wait a few seconds before kicking
them off.
Another solution would be to start delaying responses to invalid requests.
e.g., after ten invalids, delay the next few 550s by one second.  Then 2
seconds.  Then 5 seconds.  Then 10 seconds.  And so on.
Another idea would be to have the server actually appear to accept mail for
a nonexistent account, when it figures out that these guys are doing a
dictionary attack.  Such messages might get sent to either root or some
other account set up for such messages.
Also, I'm assuming a dictionary attack is something like, for example,
somebody trying to send, in rapid succession, to dentist at yourdomain.com
health at yourdomain.com baseball at yourdomain.com apple at yourdomain.com
freezer at yourdomain.com failure at yourdomain.com toothbrush at yourdomain.com
shaver at yourdomain.com barbershop at yourdomain.com chocolate at yourdomain.com
central at yourdomain.com running at yourdomain.com etc.  Is this right?
Jayson.

----- Original Message -----
From: "Gregory Nowak" <greg at romuald.net.eu.org>
To: <speakup at braille.uwo.ca>
Sent: Sunday, June 20, 2004 4:39 PM
Subject: reporting dictionary attacks


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all.
>
> I've been watching via my logs an email dictionary attack against a
> domain I host for the last 5 hours now, and still going strong as I
> write this.
>
> Unfortunately, looking at spamcop.net seems to indicate that you can
> only report spam through them that came to legitimate email
> accounts. So, is there a way for me to report a dictionary attack
> somewhere? It's really pissing me off that I have my out-bound port 25
> blocked, and have to relay because of people like this, while some
> damned bastard has their out-bound smtp opened by their ISP, which
> they obviously don't deserve to have.
>
> Greg
>
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFA1fX97s9z/XlyUyARAl5qAKDZvExjBEw5aaSCybl3zFj3gfQslgCgxGz0
> Sf76jZpJPpqy7zBqqeihNfQ=
> =du7E
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>