David Legg wrote:
Mucking about with iptables always brings me out in a cold sweat... one
slip and you can be locked out of a remote server :-)

Hehe I know the feeling;)

I'm not sure if it would be effective though if a spambot stays
connected while doing a dictionary attack or while it tries to relay
several hundred emails once it has cracked an account. For that, James
itself would have to keep count of the number of commands executed and
force a disconnect after some threshold is reached.

Usually a few seconds timeout is just fine protection against brute-force
attacks. It may not be as good against dictionary attacks, but it's up to
admin to disallow weak passwords.
So IMHO auth handler should just sleep a bit after unsuccessful auth.
Then again, that's why attacker does not wait for the response, he just
opens another socket and tries again:) And that's where the iptables
trick kicks in;)
Once cracked, well, there's not much protection against that.
FTR I see there's some sleep interval in RCPT handler...

You seem to be suggesting that the same IP address is connecting a lot
of times.

Right. Seems like someone modified ssh attack to smtp:)

If I were a spambot writer I would be trying to get as many
messages relayed as possible and re-connecting each time I tested a
password or sent a message would get in the way of that.

Sure. Just don't tell them that;)

Regards...
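
The two limits discussed in this thread, as an added example that is not part of the original messages and is not Apache James code: a per-connection cap that forces a disconnect after repeated failed AUTH commands, and a per-IP window that still counts when the client opens a new socket for every guess. All class names, parameters and thresholds are hypothetical, and the per-IP count is kept in application code here as an assumption, standing in for a firewall-level limit.

```python
import time
from collections import defaultdict, deque


class AuthThrottle:
    """Failed-AUTH accounting shared by all connections (hypothetical names)."""

    def __init__(self, conn_limit=3, ip_limit=10, window=60.0, delay=2.0,
                 clock=time.monotonic):
        self.conn_limit = conn_limit   # failures allowed on one connection
        self.ip_limit = ip_limit       # failures allowed per IP inside `window`
        self.window = window           # seconds of per-IP history to keep
        self.delay = delay             # pause the handler applies after a failure
        self.clock = clock             # injectable so the logic can be tested
        self._failures = defaultdict(deque)   # ip -> failure timestamps

    def _recent(self, ip):
        """Drop expired timestamps and return the live ones for this IP."""
        q = self._failures[ip]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allow_connection(self, ip):
        """Accept-time check; survives reconnects because state is per IP."""
        return len(self._recent(ip)) < self.ip_limit

    def record_failure(self, ip):
        self._recent(ip).append(self.clock())


class Session:
    """State for one SMTP connection."""

    def __init__(self, throttle, ip):
        self.throttle, self.ip, self.failures = throttle, ip, 0

    def on_auth(self, success):
        """Return (seconds_to_sleep, must_disconnect) for the auth handler."""
        if success:
            return 0.0, False
        self.failures += 1
        self.throttle.record_failure(self.ip)
        drop = (self.failures >= self.throttle.conn_limit
                or not self.throttle.allow_connection(self.ip))
        return self.throttle.delay, drop
```

The sleep alone only slows a client that stays on one connection; the shared per-IP deque is what keeps counting across reconnects.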