On Tue, 8 Feb 2005, Rich Puhek wrote:

> From: Rich Puhek <[EMAIL PROTECTED]>
> To: "Dan Mahoney, System Admin" <[EMAIL PROTECTED]>
> Cc: users@spamassassin.apache.org
> Date: Tue, 08 Feb 2005 10:29:57 -0600
> Subject: Re: detecting brute-force spams
> 
> Dan Mahoney, System Admin wrote:
> > Hey all,
> > 
> > I host about 500 domains, and every once in a while I see something where a
> > domain gets hammered for a bunch of non-existent users (in my setup, this
> > results in all the emails going to the same place).
> > 
> > Is there a custom rule that can be kicked in to detect multiple recipients
> > of the same email?
> > 
> (snip)
> 
> I haven't tried the custom rule approach, but I've found increasing success
> with non-SA methods.

Yes, it's well worth looking at other methods.  For example:

http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

I don't use the above, but have set up something similar using exim.
Sites I catch running dictionary attacks are restricted to a single
connection to my mail servers, and are subject to progressively
larger delays for every bad address they attempt to use.  It does my
heart good to see log lines similar to:

2005-02-07 19:45:03 H=(smtp.com) [217.158.171.56] I=[138.38.32.23]:25 
F=<[EMAIL PROTECTED]> temporarily rejected RCPT 
<[EMAIL PROTECTED]>: 217.158.171.56 bad recipients 20, delay 30720

You'd think they'd notice the looong delays between RCPT TO commands
being temporarily rejected.

...

> I did switch one of the MX machines to postfix recently. Postfix includes the
> ability to verify addresses prior to accepting mail, so dictionary attacks can
> be identified right away. That really cuts down on the quantity of mail
> sitting in the queue.

You can do much the same with exim, depending on how you configure it.  
That's how I managed to implement the automatic tarpit described above.

The OpenBSD operating system even comes with its own tarpitting daemon.
It's called spamd, which can cause some confusion.  From the man page:

spamd is a fake sendmail(8)-like daemon which rejects false mail.  If the
pf(4) packet filter is configured to redirect port 25 (SMTP) to this daemon,
it will attempt to waste the time and resources of the spam sender.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]               Phone: +44 1225 386101

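The tarpit policy Dennis describes (one connection per offending site, growing delays for each bad RCPT TO) sketched as a small Python simulation, plus a parser for log lines in the format he quotes. This is an added example, not his exim configuration; the threshold, the base delay and the doubling schedule are assumptions, and the delay unit in the real log line is not stated on the page.

```python
"""Per-client tarpit for dictionary attacks (constructed example, not exim config).

Once a client IP has sent too many RCPT TO commands for unknown users it is
limited to a single concurrent connection, and every further bad recipient is
answered with a temporary (4xx) rejection only after a growing delay.
"""
import re
from collections import defaultdict

BAD_RCPT_THRESHOLD = 5   # assumed: flag a client after this many bad recipients
BASE_DELAY = 30          # assumed: seconds of delay once the client is flagged
DOUBLE_EVERY = 2         # assumed: delay doubles every two further bad recipients
MAX_DELAY = 3600         # assumed: cap so one session cannot be delayed forever


class TarpitPolicy:
    def __init__(self):
        self.bad = defaultdict(int)    # client IP -> bad recipients seen so far
        self.conns = defaultdict(int)  # client IP -> currently open connections

    def is_attacker(self, ip):
        return self.bad[ip] >= BAD_RCPT_THRESHOLD

    def connect(self, ip):
        """Return True if a new SMTP connection from ip may be accepted."""
        if self.is_attacker(ip) and self.conns[ip] >= 1:
            return False               # flagged sites get exactly one connection
        self.conns[ip] += 1
        return True

    def disconnect(self, ip):
        self.conns[ip] = max(0, self.conns[ip] - 1)

    def bad_rcpt(self, ip):
        """Record a RCPT TO for an unknown user and return the delay (seconds)
        to impose before sending the temporary rejection."""
        self.bad[ip] += 1
        if not self.is_attacker(ip):
            return 0
        steps = (self.bad[ip] - BAD_RCPT_THRESHOLD) // DOUBLE_EVERY
        return min(BASE_DELAY * 2 ** steps, MAX_DELAY)


# Matches the tail of the log line quoted in the thread; units of "delay" unknown.
LOG_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) bad recipients (\d+), delay (\d+)")


def parse_tarpit_log(line):
    """Return (ip, bad_recipients, delay) from a tarpit log line, or None."""
    m = LOG_RE.search(line)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None
```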