RE: spambots and dictionary attacks



Hi,

Most attacks these days seem (vastly) distributed. The most effective
thing I have found is to use greylisting, as this stops 99%+ of botnets
dead; they simply do not retry the connection later. Personally I have
found no other technique as effective.

regards

Steven Jones
Senior Linux/Unix/San System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272 Mobile: +64 27 563 6272
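An added example (not from this thread) of the two SMTP-stage ideas discussed here: greylisting the (client IP, MAIL FROM, RCPT TO) triplet so that senders which never retry are never accepted, and rejecting unknown recipients at RCPT TO, before DATA. The domain, addresses, IPs and timings are constructed sample values, and the class and function names are hypothetical.

```python
# Added example: a minimal RCPT TO policy combining recipient whitelisting
# with greylisting. A spambot that makes one attempt and never retries is
# held at 451 forever; a real MTA that retries after the delay gets 250.
# All addresses, IPs and timings below are constructed sample values.

GREYLIST_DELAY = 300        # seconds a new triplet must wait before acceptance
GREYLIST_TTL = 36 * 3600    # seconds an unretried triplet is remembered

class SmtpPolicy:
    def __init__(self, valid_recipients, delay=GREYLIST_DELAY, ttl=GREYLIST_TTL):
        self.valid = {r.lower() for r in valid_recipients}
        self.delay, self.ttl = delay, ttl
        self.first_seen = {}      # (client_ip, sender, recipient) -> first attempt time

    def rcpt_to(self, client_ip, sender, recipient, now):
        """Decide at RCPT TO time; returns an SMTP reply as (code, text)."""
        recipient = recipient.lower()
        # Whitelist check first: dictionary-attack probes hit non-existent names.
        if recipient not in self.valid:
            return 550, "5.1.1 Recipient address rejected"
        triplet = (client_ip, sender.lower(), recipient)
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.ttl:
            # First contact (or a stale record): ask the client to retry later.
            self.first_seen[triplet] = now
            return 451, "4.7.1 Greylisted, please try again later"
        if now - seen < self.delay:
            # Retried too soon: keep deferring until the delay has elapsed.
            return 451, "4.7.1 Greylisted, please try again later"
        return 250, "2.1.5 Ok"

def simulate():
    """Bot sends once and moves on; a legitimate MTA retries after 10 minutes."""
    p = SmtpPolicy(["alice@example.test", "bob@example.test"])
    results = {}
    # Spambot: one attempt to a guessed name and one to a real name, never retried.
    results["bot_guess"] = p.rcpt_to("203.0.113.9", "x@spam.test", "zzz@example.test", 0)[0]
    results["bot_real"] = p.rcpt_to("203.0.113.9", "x@spam.test", "alice@example.test", 1)[0]
    # Real MTA: first attempt is deferred, the retry 600 s later is accepted.
    results["mta_first"] = p.rcpt_to("198.51.100.7", "carol@partner.test", "bob@example.test", 10)[0]
    results["mta_retry"] = p.rcpt_to("198.51.100.7", "carol@partner.test", "bob@example.test", 610)[0]
    return results

if __name__ == "__main__":
    print(simulate())
```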




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Peter H. Lemieux
Sent: Tuesday, 21 November 2006 3:09 a.m.
To: rowland onobrauche
Cc: focus-linux@xxxxxxxxxxxxxxxxx
Subject: Re: spambots and dictionary attacks

rowland onobrauche wrote:

I would like to hear from anyone that has successfully blocked
spambots or dictionary attacks without the need of another server
in between your mailserver and the senders.

Peter H. Lemieux wrote:
The only effective solution I've found in these cases is to
maintain a whitelist of the valid addresses for the domains I
manage and block the rest.
[...]
If all the mail for a domain is routed to a single mailbox, you can
implement whitelisting with a bunch of procmail rules in the
mailbox owner's .procmailrc.

Many thanks Peter.
I'm familiar with procmail, but I'm looking for a way of blocking the
connection before the SMTP commands have even got to the DATA stage.

Dear Rowland,

At the SMTP level I use the excellent store-and-forward SMTP daemon
written by Obtuse Systems in the mid 1990s and released under an
open-source license. They no longer maintain the code, but it has been
taken over by a volunteer and is listed on Freshmeat:
http://freshmeat.net/projects/smtpd-sd/.

This daemon allows you to write rules based on the server's sender IP and
reverse-hostname and the MAIL FROM and RCPT TO addresses in the SMTP
exchange. So I maintain client whitelists by including a set of rules
allowing the valid addresses through and denying the rest. (It also runs
in a chrooted environment for additional security.)

I didn't mention this approach because you ruled out solutions that might
require another server. It is possible to use smtpd on the same server
as your MTA, but it takes a bit of work. I don't use exim so I don't
know how easy this would be for you.

All my incoming mail arrives on the server running smtpd which then
forwards the permitted traffic on to my scanning server (running
MailScanner, ClamAV and SpamAssassin). This has worked quite well over a
period of years.

I suggested the procmail approach because it wasn't clear how much
control you had over the server (is it yours?). The procmail solution
would work even in a hosted environment, while you'd obviously need to be
the server's owner to change the SMTP daemon and MTA.

Peter


