Bob German writes on 10/10/2003 8:29 PM:


A colleague informed me this morning that Alan Ralsky is doing widespread brute-force attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
Could this be why everyone's locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?

Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -


/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669


srs (yes, this is a rather expensive set of checks)

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
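To see what the header checks above actually do before loading them into a live postfix, here is an added example (not part of the thread, and not postfix's own code) that reads a pcre-style header_checks table and applies it to a few constructed Received: headers the way postfix does: one header line at a time, rules in table order, first match wins. The table text is a copy of the six rules from the reply with the ROKSO link moved into a comment; the sample headers, host names and message contents are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the six rules from the reply, laid out the way a postfix
# pcre: table expects them: "/pattern/flags ACTION text", with an indented line
# continuing the previous rule.  Evidence: Spamhaus ROKSO evidence file 2669.
HEADER_CHECKS = r"""
# Ralsky relay ranges quoted in the reply
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/
    REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl
"""

# One logical rule: /pattern/ optional flags, whitespace, action text.
# The pattern may contain escaped slashes (\/), so they are allowed through.
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.*)$"
)

Rule = Tuple["re.Pattern[str]", str]


def parse_table(text: str) -> List[Rule]:
    """Turn pcre-table text into compiled (regex, action) pairs."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous rule
        else:
            logical.append(raw.rstrip())
    rules: List[Rule] = []
    for line in logical:
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        flags = re.IGNORECASE if "i" in m.group("flags") else 0
        rules.append((re.compile(m.group("pat"), flags), m.group("action")))
    return rules


RULES = parse_table(HEADER_CHECKS)


def check_headers(headers: List[str], rules: List[Rule] = RULES) -> Optional[str]:
    """Return the action of the first rule matching any header line, else None."""
    for header in headers:
        for regex, action in rules:
            if regex.search(header):
                return action
    return None


# Constructed sample messages (hosts and addresses are placeholders).
RALSKY_MSG = [
    "From: <someone@example.test>",
    "Received: from unknown (HELO mail) (218.70.137.20) by mx.example.test "
    "with SMTP; 10 Oct 2003 20:29:00 +0000",
]
CONTINUED_RULE_MSG = [
    "Received: from [219.153.145.3] by mx.example.test with ESMTP",
]
CLEAN_MSG = [
    "Received: from relay.example.test (relay.example.test [192.0.2.10]) "
    "by mx.example.test with ESMTP",
    "Subject: hello",
]

if __name__ == "__main__":
    for name, msg in (("ralsky", RALSKY_MSG), ("continued", CONTINUED_RULE_MSG),
                      ("clean", CLEAN_MSG)):
        print(f"{name:10s} -> {check_headers(msg)}")
```

In a real deployment the table is wired in with `header_checks = pcre:/etc/postfix/header_checks` in main.cf; note that, as the reply says, every rule is tried against every header line of every message until one matches, which is where the cost comes from.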