reporting dictionary attacks

Gregory Nowak greg at romuald.net.eu.org
Sun Jun 20 20:05:38 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jun 20, 2004 at 06:06:31PM -0400, Jayson Smith wrote:
> First, can you shut down the mailserver for a moment to try to make them
> think you've caught up to them?

Ok, let me expand a bit. I ended up allowing mail to all non-existent
addresses at the domain in question, and simply dumped them into
/dev/null. I did this, since the address attackers and spammers were
taking advantage of the backup MX, sending their junk through it,
which it would then send to me, and which I would naturally reject as
invalid users. The end result was that the undeliverable mail would
get stuck in the backup MX machine's queue, so I let all users through
to take the load off of the backup MX's queue, while not filling up my
own.

To get back to your question, I don't want to just shut the mail
server down, since that would affect all other mail
deliveries. However, I did disable the accepting of mail for invalid
users, so the RCPT TO command got back a 553 response. I enabled it
again after a couple of hours, and the flood of this stuff continued
as soon as I allowed mail for non-existing accounts
through. Naturally, I took some more action, and started piping the
stuff to a file, rather than to /dev/null. The attack has stopped now,
and the resulting file is 12 megs in size. It seems to contain the
same From and Subject fields for all messages. Also, the body is the
same, and says "surprise". Finally, there is a surprise.exe
attachment, which makes me think that some poor sap didn't know
better than to secure their box against viruses. Still, that's
definitely no excuse to forgive and forget.

>  How about somehow blocking their ip?  Or,
> if you can anticipate an address they will soon use, quick like a bunny set
> up a user under that name, then that user can report it to Spamcop.

While I could block the IP, it looks like this is a dynamic one, so
that wouldn't have helped for long, though the same IP was used
throughout the attack as far as I could tell. I suppose I'll have to
implement a dynamic IP black list. That's something I didn't want to
do, given that people with dynamic IP addresses run their own SMTP
servers and send legitimate mail, but ...

Also, this wasn't a dictionary attack in the strict sense, since the
addresses were either gibberish, or were German words (a German ISP was
where this IP traced back to). Also, while I mentioned that previous
such attacks came through the backup MX, this one was connecting
directly to my host.

Greg



- -- 
Free domains: http://www.eu.org/ or mail dns-manager at EU.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA1iZS7s9z/XlyUyARAgv+AJ4iuGOl1C6LoTTbGAMAR//ICTpTIgCcDjs5
1Gcbz70rH1IiCX6sLWBA+Bk=
=23i3
-----END PGP SIGNATURE-----
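The post above describes the two signals a mail admin has in this situation: a burst of 553 "user unknown" rejections from one client IP, and recipient local parts that are either dictionary words or gibberish. The following is an added example, not code from the original post or from the Speakup list, showing how to pull both signals out of an MTA log. It assumes Postfix-style smtpd reject lines (the log format, IP addresses, recipient names and the small word list are all constructed for the example; the poster does not say which MTA was in use).

```python
"""Spot an invalid-recipient flood per client IP and say whether the
targeted local parts look like dictionary words or random strings."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix-style log excerpt (assumption: not from the original post).
# 203.0.113.7 hammers one domain with six bad recipients in under a minute;
# 198.51.100.5 is a single mistyped address from a normal sender.
SAMPLE_LOG = """\
Jun 20 19:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.1.1 <xqzvk@example.org>: Recipient address rejected: User unknown; from=<surprise@example.net> to=<xqzvk@example.org>
Jun 20 19:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.1.1 <haus@example.org>: Recipient address rejected: User unknown; from=<surprise@example.net> to=<haus@example.org>
Jun 20 19:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.1.1 <qwpt@example.org>: Recipient address rejected: User unknown; from=<surprise@example.net> to=<qwpt@example.org>
Jun 20 19:01:09 mx postfix/smtpd[1235]: 4A1B2C3D4E: client=mail.example.com[198.51.100.5]
Jun 20 19:01:11 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.1.1 <garten@example.org>: Recipient address rejected: User unknown; from=<surprise@example.net> to=<garten@example.org>
Jun 20 19:01:15 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.5]: 553 5.1.1 <gerg@example.org>: Recipient address rejected: User unknown; from=<alice@example.com> to=<gerg@example.org>
Jun 20 19:01:20 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.1.1 <zzrf@example.org>: Recipient address rejected: User unknown; from=<surprise@example.net> to=<zzrf@example.org>
Jun 20 19:01:31 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.1.1 <wald@example.org>: Recipient address rejected: User unknown; from=<surprise@example.net> to=<wald@example.org>
"""

# Tiny constructed word list (assumption); a real deployment would load a
# dictionary for each language the attacker is likely to use.
WORDLIST = {"haus", "garten", "wald", "post", "info", "admin", "mail", "webmaster"}

# Matches syslog timestamp, the client IP in brackets, a 553 reply and the
# rejected recipient from the "to=<...>" field.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?RCPT from [^\[]*\[(?P<ip>[^\]]+)\]: "
    r"553 .*?to=<(?P<rcpt>[^>]+)>"
)


def parse_rejects(log_text):
    """Return (timestamp, client_ip, recipient_localpart) for each 553 reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail, other replies, unrelated daemons
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        local = m.group("rcpt").split("@", 1)[0].lower()
        events.append((ts, m.group("ip"), local))
    return events


def classify_localpart(localpart, wordlist=WORDLIST):
    """'dictionary' if the local part is a known word, else 'gibberish'."""
    return "dictionary" if localpart in wordlist else "gibberish"


def find_floods(events, window_seconds=60, threshold=5):
    """Sliding-window count of rejects per IP; flag IPs that reach threshold
    within window_seconds and tally what kind of local parts they probed."""
    recent = defaultdict(deque)
    stats = defaultdict(lambda: {"rejects": 0, "dictionary": 0, "gibberish": 0, "flagged": False})
    for ts, ip, local in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        s = stats[ip]
        s["rejects"] += 1
        s[classify_localpart(local)] += 1
        if len(q) >= threshold:
            s["flagged"] = True
    return dict(stats)


def analyze(log_text=SAMPLE_LOG, window_seconds=60, threshold=5):
    return find_floods(parse_rejects(log_text), window_seconds, threshold)


if __name__ == "__main__":
    for ip, s in analyze().items():
        kind = "dictionary attack" if s["dictionary"] > s["gibberish"] else "random/mixed probing"
        print(f"{ip}: {s['rejects']} rejects, {s['dictionary']} dictionary, "
              f"{s['gibberish']} gibberish, flagged={s['flagged']} ({kind})")
```

Because the offending address is dynamic, as the poster notes, anything built on a flagged IP should be a time-limited block or tarpit rather than a permanent blacklist entry; the per-IP tally here is the input to that decision, not the decision itself.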




More information about the Speakup mailing list