Re: Discovering users by RCPT TO

From: Faisal Khan (faisal_at_netxs.com.pk)
Date: 01/14/05

    Date: Fri, 14 Jan 2005 23:57:58 +0500
    To: pen-test@securityfocus.com
    
    

    Turning on reverse DNS and tarpitting helps against dictionary attacks.

    At 09:57 PM 1/14/2005, you wrote:
    >
    >I see spammers hitting my MTA daily with dictionary RCPT TO queries
    >and there isn't much you can really do against it; however I have been
    >thinking about a solution using real time blockers.
    >
    >The idea is to monitor the logfile of the MTA, looking for a host
    >getting more than "X" failed destination addresses (I think 2 or 3 is
    >a nice entry threshold). Then when they reach the threshold their IP
    >gets put into a local DNS server that is used by the MTA as a real
    >time blocker.
    >
    >This wouldn't require more than another RBL addition to the MTA and
    >then an external script tied to either bind or djbdns.
    >
    >thoughts?
    >dmz
    >
    >Vince Hoang wrote:
    >
    >|On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
    >|
    >|>I'd recommend disabling it unless you get flooded by such spam
    >|>attacks. I would probably consider it unnecessary information
    >|>disclosure, depending on the environment and reason (if any)
    >|>for doing it that way.
    >|
    >|
    >|Some MTAs permit you to drop the session after a certain
    >|number of failures, but that only slows down the dictionary
    >|attacks.
    >|
    >|You cannot disable RCPT TO because that is how the SMTP protocol
    >|designates the recipients.
    >|
    >|-Vince
    >|
    >|
    >|

    Faisal Khan, CEO
    Net Access Communication
    Systems (Private) Limited
    ________________________________

    Network Security - Secure Web Hosting
    Managed Internet Services - Secure Email
    Dedicated Servers - Reseller Hosting

    Visit www.netxs.com.pk for more information.
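The log-driven local RBL that dmz sketches above, as an added example (not code from anyone in this thread): it counts distinct rejected RCPT TO addresses per client IP from constructed Postfix-style log lines, applies the 2-3 address threshold, and emits the reversed-octet zone records a local DNSBL zone would serve. The log format, the `dnsbl.local` zone name and the TTL are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample MTA log lines (Postfix-style "Recipient address rejected" events).
SAMPLE_LOG = """\
Jan 14 21:10:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<alice@example.com> proto=ESMTP
Jan 14 21:10:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<bob@example.com> proto=ESMTP
Jan 14 21:10:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<carol@example.com> proto=ESMTP
Jan 14 21:11:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<joe@partner.example> to=<typo@example.com> proto=ESMTP
Jan 14 21:11:05 mx postfix/smtpd[1240]: 1A2B3C4D5E: client=mail.partner.example[198.51.100.7]
"""

# Matches a rejected RCPT TO and captures the client IP and the unknown recipient.
REJECT_RE = re.compile(
    r"reject: RCPT from [^\[]*\[(?P<ip>[0-9.]+)\]: 550 [0-9.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected"
)

def count_failed_recipients(log_text):
    """Map client IP -> set of distinct rejected recipient addresses.
    Distinct addresses (not raw reject count) so a legitimate sender retrying
    one mistyped address does not climb toward the threshold."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            failures[m.group("ip")].add(m.group("rcpt"))
    return failures

def offenders(failures, threshold=3):
    """IPs that reached the threshold of distinct failed RCPT TO addresses."""
    return sorted(ip for ip, rcpts in failures.items() if len(rcpts) >= threshold)

def dnsbl_records(ips, zone="dnsbl.local", ttl=3600):
    """BIND-style records for a local DNSBL zone (assumed name): the reversed-octet
    name resolves to 127.0.0.2, which is what an MTA RBL lookup tests for."""
    records = []
    for ip in ips:
        rev = ".".join(reversed(ip.split(".")))
        records.append(f"{rev}.{zone}. {ttl} IN A 127.0.0.2")
        records.append(f'{rev}.{zone}. {ttl} IN TXT "RCPT TO dictionary attack from {ip}"')
    return records

if __name__ == "__main__":
    for rec in dnsbl_records(offenders(count_failed_recipients(SAMPLE_LOG))):
        print(rec)
```

The partner host that rejected a single mistyped address stays below the threshold, which is the false-positive case the threshold exists for; a production version would also expire entries (the TTL here only controls caching, not removal from the zone).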

