reporting dictionary attacks

Gregory Nowak greg at romuald.net.eu.org
Sun Jun 20 20:20:28 EDT 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jun 20, 2004 at 06:18:36PM -0400, Jayson Smith wrote:
> I'm surprised smtp servers aren't taking this matter into their own hands.
> It seems to me that for such an attack, there could be several solutions.
> Firstly, the server could, upon noticing many invalid address requests from
> the same ip or group of ips, simply block those ips for a while.  When they
> connect, just either immediately disconnect them, or give some error and
> disconnect.  Or even better, make them wait a few seconds before kicking
> them off.


See my previous post. I am already using several black lists to reject
mail from IP address known to be open relays or spammers, and this
rejection takes place even before the smtp transaction even starts. I
think I'll look at implementing a dynamic IP black list too. I used to
think that my ISP's out-bound smtp blocking policy was unreasonable,
especially for static IP customers, but I think I'm coming around to
their side. It's just too bad that the internet gets ruined for
innocent folks in the process.

> Another solution would be to start delaying responses to invalid requests.
> E.G. after ten invalids, delay the next few 550s by one second.  Then 2
> seconds.  Then 5 seconds.  Then 10 seconds.  and so on.

I've got reasons against doing tarpitting, which is what you're
describing. These reasons are in the same family with the reasons for
why no ISP should be doing out-bound SMTP blocking. They might change.

> Another idea would be to have the server actually appear to accept mail for
> a nonexistant account, when it figures out that these guys are doing a
> dictionary attack.  Such messages might get sent to either root or some
> other account set up for such messages.

See my previous post.

> Also, I'm assuming a dictionary attack is something like, for example,
> somebody trying to send, in rapid succession, to dentist at yourdomain.com

Yes, accept that they're not always in alphabetical order, and
sometimes, like now, aren't proper English words.

Greg



- -- 
Free domains: http://www.eu.org/ or mail dns-manager at EU.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA1inM7s9z/XlyUyARAgqsAJ9wXpi8z5T2cIEonMjN146y0Se0HQCeOV/W
0GoSWxt4hQ4TGJCmLHsl8mI=
=yzCt
-----END PGP SIGNATURE-----

More information about the Speakup mailing list