Focus on Linux
RE: spambots and dictionary attacks Nov 20 2006 11:17PM
Steven Jones (Steven Jones vuw ac nz) (2 replies)
Re: spambots and dictionary attacks Nov 22 2006 08:36AM
rowland onobrauche (rowland onobrauche legendplc com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jones wrote:

> Hi,
>
> Most attacks these days seem (vastly) distributed, the most
> effective thing I have found is to use grey listing as this stops
> 99%+ of botnets dead, they simply do not re-try the connection
> later. Personally I have found no other technique as effective.
>
> regards
>
> Steven Jones
> Senior Linux/Unix/SAN System Administrator
> APG - Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272 Mobile: +64 27 563 6272
>
>
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Peter H. Lemieux
> Sent: Tuesday, 21 November 2006 3:09 a.m.
> To: rowland onobrauche
> Cc: focus-linux (at) securityfocus (dot) com
> Subject: Re: spambots and dictionary attacks
>
>>> rowland onobrauche wrote:
>
>
>>>> I would like to hear from anyone that has successfully
>>>> blocked spambots or dictionary attacks without the need of
>>>> another server in between your mailserver and the senders.
>
>
>>> Peter H. Lemieux wrote:
>>> The only effective solution I've found in these cases is to
>>> maintain a whitelist of the valid addresses for the domains I
>>> manage and block the rest.
>
>>> [...] If all the mail for a domain is routed to a single
>>> mailbox, you can implement whitelisting with a bunch of
>>> procmail rules in the mailbox owner's .procmailrc.
>
>> Many thanks Peter. I'm familiar with procmail, but I'm looking for
>> a way of blocking the connection before the SMTP commands have
>> even got to the DATA stage.
>
>
> Dear Rowland,
>
> At the SMTP level I use the excellent store-and-forward smtp daemon
> written by Obtuse Systems in the mid 1990's and released under an
> open-source license. They no longer maintain the code, but it has
> been taken over by a volunteer and is listed on Freshmeat
> http://freshmeat.net/projects/smtpd-sd/.
>
> This daemon allows you to write rules based on the server's sender
> IP and reverse-hostname and the MAIL FROM and RCPT TO addresses in
> the SMTP exchange. So I maintain client whitelists by including a
> set of rules allowing the valid addresses through and denying the
> rest. (It also runs in a chrooted environment for additional
> security.)
>
> I didn't mention this approach because you ruled out solutions that
> might require another server. It is possible to use smtpd on the
> same server as your MTA, but it takes a bit of work. I don't use
> exim so I don't know how easy this would be for you.
>
> All my incoming mail arrives on the server running smtpd which then
> forwards the permitted traffic on to my scanning server (running
> MailScanner, ClamAV and SpamAssassin). This has worked quite well
> over a period of years.
>
> I suggested the procmail approach because it wasn't clear how much
> control you had over the server (is it yours?). The procmail
> solution would work even in a hosted environment, while you'd
> obviously need to be the server's owner to change the smtp daemon
> and MTA.
>
> Peter
>
>
>
Thanks to all that replied with suggestions.
Firstly I will try out Steven Jones's suggestion of greylisting before
working backwards on other suggestions.
Also thanks to Andres Figari, Peter H Lemieux, Greg Metcalfe, Michael
Scheidell, and Hans Walters.
Your suggestions have been most useful.

regards
rowland

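The two SMTP-time defences discussed in this thread, Peter's whitelist of valid recipient addresses (which is exactly what a dictionary attack probes) and Steven's greylisting, can both be decided before the DATA stage. The following is an added illustration, not code from any poster or from smtpd: a single envelope policy that rejects unknown RCPT TO outright and temporarily defers first contact from an unseen (IP, MAIL FROM, RCPT TO) triplet, accepting only a patient retry. The addresses, IPs and timings are constructed.

```python
# Added example, not code from any poster: an SMTP envelope policy that
# combines a recipient whitelist (reject unknown RCPT TO, as a dictionary
# attack probes) with greylisting (defer unseen triplets, accept a retry).
# Times are seconds; addresses and IPs below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class EnvelopePolicy:
    valid_recipients: frozenset            # addresses we accept mail for
    min_delay: int = 300                   # a retry sooner than this is still deferred
    retry_window: int = 4 * 3600           # a deferred triplet is forgotten after this
    seen: dict = field(default_factory=dict)   # triplet -> first-seen time
    passed: set = field(default_factory=set)   # triplets that retried correctly

    def decide(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for one RCPT TO:
        550 unknown user, 451 greylisted (try again later), 250 accepted."""
        rcpt = rcpt_to.lower()
        if rcpt not in self.valid_recipients:
            return 550  # dictionary-attack probe: reject, nothing to greylist
        # Real deployments often key on the sender's /24 rather than the full
        # IP, because some large sites retry from another host in the same pool.
        key = (ip, mail_from.lower(), rcpt)
        if key in self.passed:
            return 250
        first = self.seen.get(key)
        if first is None or now - first > self.retry_window:
            self.seen[key] = now   # first contact (or a stale one): defer
            return 451
        if now - first < self.min_delay:
            return 451             # retried too quickly: keep deferring
        self.passed.add(key)       # a patient retry behaves like a real MTA
        del self.seen[key]
        return 250

def simulate():
    """Replay a real MTA that retries and a bot that sends once and moves on."""
    p = EnvelopePolicy(frozenset({"alice@example.net"}))
    mta = [p.decide("198.51.100.7", "bob@example.org", "alice@example.net", t)
           for t in (0, 60, 420, 500)]
    bot = [p.decide("203.0.113.9", "x@example.com", "alice@example.net", 0),
           p.decide("203.0.113.9", "x@example.com", "zzz@example.net", 1)]
    return mta, bot  # ([451, 451, 250, 250], [451, 550])

if __name__ == "__main__":
    print(simulate())
```

The bot's single delivery attempt never gets past 451, which is the effect Steven describes; the real MTA is only delayed once, on the first contact for that triplet.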

Re: spambots and dictionary attacks Nov 21 2006 11:04PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: spambots and dictionary attacks Nov 22 2006 05:30PM
Kurt Seifried (bt seifried org) (2 replies)
Re: spambots and dictionary attacks Nov 23 2006 06:01PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: spambots and dictionary attacks Nov 23 2006 05:40PM
Devdas Bhagat (devdas dvb homelinux org)