From: dmz (dmz@dmzs.com)
Date: Fri Jan 14 2005 - 11:57:12 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I see spammers hitting my MTA daily with dictionary RCTP TO queries
and there isn't much you can really do against it; however I have been
thinking about a solution using real time blockers.
The idea is to monitor the logfile of the MTA, looking for a host
getting more than "X" failed destination addresses (I think 2 or 3 is
a nice entry threshold). Then when they reach the threshold their IP
gets put into a local DNS server that is used by the MTA to as a real
time blocker.
This wouldn't' require more than another RBL addition to the MTA and
then an external script tied to either bind or djbdns.
thoughts?
dmz
Vince Hoang wrote:
|On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
|
|>I'd recommend disabling it unless you get flooded by such spam
|>attacks. I would probably consider it unnecessary information
|>disclosure, depending on the environment and reason (if any)
|>for doing it that way.
|
|
|Some MTAs allow permit you to drop the session after a certain
|number of failures, but that only slows down the dictionary
|attacks.
|
|You cannot disable RCPT TO because that is how the SMTP protocol
|designates the recipients.
|
|-Vince
|
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB5/nolzAVE2tZub0RAm42AJ99EswcipKsDd3mn9fGo6623n9+HwCgv58+
XznoJeXySxmgJFxFmy9cBgg=
=/Zsq
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT