Focus on Linux
RE: spambots and dictionary attacks Nov 20 2006 11:17PM
Steven Jones (Steven Jones vuw ac nz) (2 replies)
Re: spambots and dictionary attacks Nov 22 2006 08:36AM
rowland onobrauche (rowland onobrauche legendplc com)

Steven Jones wrote:

> Hi,
> Most attacks these days seem (vastly) distributed; the most
> effective thing I have found is to use greylisting, as this stops
> 99%+ of botnets dead: they simply do not re-try the connection
> later. Personally I have found no other technique as effective.
> regards
> Steven Jones Senior Linux/Unix/San System Administrator APG
> -Technology Integration Team Victoria University of Wellington
> Phone: +64 4 463 6272 Mobile: +64 27 563 6272
> -----Original Message----- From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Peter H. Lemieux
> Sent: Tuesday, 21 November 2006 3:09 a.m. To: rowland onobrauche
> Cc: focus-linux (at) securityfocus (dot) com Subject: Re: spambots and
> dictionary attacks
>>> rowland onobrauche wrote:
>>>> I would like to hear from anyone that has successfully
>>>> blocked spambots or dictionary attacks without the need of
>>>> another server in between your mailserver and the senders.
>>> Peter H. Lemieux wrote: The only effective solution I've found
>>> in these cases is to maintain a whitelist of the valid
>>> addresses for the domains I manage and block the rest.
>>> [...] If all the mail for a domain is routed to a single
>>> mailbox, you can implement whitelisting with a bunch of
>>> procmail rules in the mailbox owner's .procmailrc.
>> Many thanks Peter. I'm familiar with procmail, but I'm looking for
>> a way of blocking the connection before the SMTP commands have
>> even got to the DATA stage.
> Dear Rowland,
> At the SMTP level I use the excellent store-and-forward SMTP daemon
> written by Obtuse Systems in the mid-1990s and released under an
> open-source license. They no longer maintain the code, but it has
> been taken over by a volunteer and is listed on Freshmeat.
> This daemon allows you to write rules based on the server's sender
> IP and reverse-hostname and the MAIL FROM and RCPT TO addresses in
> the SMTP exchange. So I maintain client whitelists by including a
> set of rules allowing the valid addresses through and denying the
> rest. (It also runs in a chrooted environment for additional
> security.)
> I didn't mention this approach because you ruled out solutions that
> might require another server. It is possible to use smtpd on the
> same server as your MTA, but it takes a bit of work. I don't use
> exim so I don't know how easy this would be for you.
> All my incoming mail arrives on the server running smtpd which then
> forwards the permitted traffic on to my scanning server (running
> MailScanner, ClamAV and SpamAssassin). This has worked quite well
> over a period of years.
> I suggested the procmail approach because it wasn't clear how much
> control you had over the server (is it yours?). The procmail
> solution would work even in a hosted environment, while you'd
> obviously need to be the server's owner to change the smtp daemon
> and MTA.
> Peter
Thanks to all that replied with suggestions.
Firstly I will try out Steven Jones's suggestion of greylisting before
working backwards on other suggestions.
Also thanks to Andres Figari, Peter H Lemieux, Greg Metcalfe, Michael
Scheidell, and Hans Walters.
Your suggestions have been most useful.
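The two techniques the thread settles on, greylisting (Steven's point that most botnet senders never retry a temporary failure) and a whitelist of the valid recipient addresses for the domain (Peter's rule-based approach), both apply at the envelope stage, before DATA, which is exactly where Rowland wants the connection stopped. The following is an added illustration, not code from any poster or from the smtpd/procmail setups they describe. It models the RCPT TO decision as a small policy object and runs constructed sample traffic through it: a legitimate MTA that queues and retries, and a dictionary run that tries each guessed name once from a fresh IP. The class and function names, the 5-minute delay and 36-hour expiry, and all addresses and IPs (documentation ranges, example.com) are assumptions made for the example.

```python
"""Envelope-stage mail policy: recipient whitelist plus greylisting, decided at RCPT TO.

Added example for the thread above; names, timings and sample traffic are constructed.
"""
from dataclasses import dataclass, field

# Assumed tuning values (not from the thread): a new (client IP, MAIL FROM, RCPT TO)
# triplet must wait at least 5 minutes before a retry is accepted, and a triplet
# that is never retried is forgotten after 36 hours.
GREYLIST_DELAY = 5 * 60
GREYLIST_EXPIRE = 36 * 60 * 60


@dataclass
class EnvelopePolicy:
    """Decisions taken when the client issues RCPT TO, before it can reach DATA."""
    valid_recipients: set                                  # whitelist of real mailboxes
    first_seen: dict = field(default_factory=dict)         # triplet -> time of first attempt
    passed: set = field(default_factory=set)               # triplets that cleared greylisting

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, text): 550 permanent reject, 451 temporary, 250 accept."""
        rcpt = rcpt_to.lower()
        # Whitelist first: a recipient that does not exist for the domain is refused
        # permanently, so a dictionary run never gets past the envelope.
        if rcpt not in self.valid_recipients:
            return 550, "5.1.1 recipient address rejected: user unknown"
        triplet = (client_ip, mail_from.lower(), rcpt)
        if triplet in self.passed:
            return 250, "2.1.5 recipient ok"
        first = self.first_seen.get(triplet)
        if first is None or now - first > GREYLIST_EXPIRE:
            # First sight (or a stale record): ask the client to come back later.
            self.first_seen[triplet] = now
            return 451, "4.7.1 greylisted, please try again later"
        if now - first < GREYLIST_DELAY:
            # Retried too quickly: keep deferring until the delay has elapsed.
            return 451, "4.7.1 greylisted, please try again later"
        # A real MTA queues the message and retries after the delay; most bots do not.
        self.passed.add(triplet)
        del self.first_seen[triplet]
        return 250, "2.1.5 recipient ok"


def simulate(policy, attempts):
    """Run (time, client_ip, mail_from, rcpt_to) attempts through the policy; count by code."""
    counts = {250: 0, 451: 0, 550: 0}
    for when, ip, mail_from, rcpt_to in attempts:
        code, _text = policy.check(ip, mail_from, rcpt_to, when)
        counts[code] += 1
    return counts


# Constructed sample traffic (documentation IP ranges, example.com mailboxes).
# A legitimate MTA: one delivery attempt, then a retry 15 minutes later.
LEGIT_MTA = [
    (0, "192.0.2.10", "alice@example.org", "rowland@example.com"),
    (15 * 60, "192.0.2.10", "alice@example.org", "rowland@example.com"),
]
# A dictionary run: five guessed local parts, each tried once from a different
# bot IP with a throwaway MAIL FROM, and never retried.
BOT_RUN = [
    (60 + i, "198.51.100.%d" % (i + 1), "x%d@spam.invalid" % i, "%s@example.com" % name)
    for i, name in enumerate(["admin", "rowland", "sales", "info", "john"])
]


def run_demo():
    """Return (legit_counts, bot_counts) for the constructed traffic above."""
    policy = EnvelopePolicy(valid_recipients={"rowland@example.com", "postmaster@example.com"})
    legit = simulate(policy, LEGIT_MTA)
    bot = simulate(policy, BOT_RUN)
    return legit, bot


if __name__ == "__main__":
    legit, bot = run_demo()
    print("legitimate MTA:", legit)   # one 451 on first contact, then 250 on the retry
    print("dictionary bot:", bot)     # four 550 for bad names, one 451 that is never retried
```

The ordering matters: checking the whitelist before the greylist means invalid names get a permanent 550 and never create greylist state, so a dictionary run cannot bloat the triplet table. The one guessed name that happens to be real is deferred with 451, and because the bot does not come back, nothing from it ever reaches DATA.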

