reporting dictionary attacks


 



Hi,
A few more thoughts on the dictionary attack.  My earlier post was CCed to
Greg himself so he'd hopefully get the information sooner, since this list
is taking a long time to send out messages, mine anyway!
I'm surprised SMTP servers aren't taking this matter into their own hands.
It seems to me that for such an attack, there could be several solutions.
Firstly, the server could, upon noticing many invalid address requests from
the same IP or group of IPs, simply block those IPs for a while.  When they
connect, just either immediately disconnect them, or give some error and
disconnect.  Or even better, make them wait a few seconds before kicking
them off.
Another solution would be to start delaying responses to invalid requests.
E.g. after ten invalids, delay the next few 550s by one second.  Then 2
seconds.  Then 5 seconds.  Then 10 seconds.  And so on.
Another idea would be to have the server actually appear to accept mail for
a nonexistent account, when it figures out that these guys are doing a
dictionary attack.  Such messages might get sent to either root or some
other account set up for such messages.
Also, I'm assuming a dictionary attack is something like, for example,
somebody trying to send, in rapid succession, to dentist at yourdomain.com
health at yourdomain.com baseball at yourdomain.com apple at yourdomain.com
freezer at yourdomain.com failure at yourdomain.com toothbrush at yourdomain.com
shaver at yourdomain.com barbershop at yourdomain.com chocolate at yourdomain.com
central at yourdomain.com running at yourdomain.com etc.  Is this right?
Jayson.

----- Original Message -----
From: "Gregory Nowak" <greg@xxxxxxxxxxxxxxxxxx>
To: <speakup at braille.uwo.ca>
Sent: Sunday, June 20, 2004 4:39 PM
Subject: reporting dictionary attacks


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all.
>
> I've been watching via my logs an email dictionary attack against a
> domain I host for the last 5 hours now, and still going strong as I
> write this.
>
> Unfortunately, looking at spamcop.net seems to indicate that you can
> only report spam through them that came to legitimate email
> accounts. So, is there a way for me to report a dictionary attack
> somewhere? It's really pissing me off that I have my out-bound port 25
> blocked, and have to relay because of people like this, while some
> damned bastard has their out-bound smtp opened by their ISP, which
> they obviously don't deserve to have.
>
> Greg
>
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFA1fX97s9z/XlyUyARAl5qAKDZvExjBEw5aaSCybl3zFj3gfQslgCgxGz0
> Sf76jZpJPpqy7zBqqeihNfQ=
> =du7E
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
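The first two ideas in the reply above (escalating delays before each 550, and a temporary per-IP block), sketched as an added example that is not part of the original thread. The class name, the block threshold and duration, the quiet-period reset and the reading of "the next few" as three responses per step are all assumptions; hooking it into a real SMTP server is not shown.

```python
import time

FREE_INVALIDS = 10           # "after ten invalids" (from the post)
DELAY_STEPS = [1, 2, 5, 10]  # seconds: 1, 2, 5, 10 (from the post)
STEP_LEN = 3                 # assumption: "the next few" = 3 responses per step
BLOCK_AFTER = 30             # assumption: invalids before a temporary block
BLOCK_SECONDS = 600          # assumption: "block those IPs for a while"
QUIET_RESET = 3600           # assumption: forget an IP after an hour of silence


class RcptThrottle:
    """Per-IP tracker for rejected (550) recipients."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the logic can be tested offline
        self.state = {}      # ip -> {"count", "last_seen", "blocked_until"}

    def is_blocked(self, ip):
        """Call on connect: True means refuse or drop this client for now."""
        entry = self.state.get(ip)
        return entry is not None and self.clock() < entry["blocked_until"]

    def on_invalid_rcpt(self, ip):
        """Record one invalid recipient; return seconds to wait before the 550."""
        now = self.clock()
        entry = self.state.get(ip)
        if entry is None or now - entry["last_seen"] > QUIET_RESET:
            entry = self.state[ip] = {"count": 0, "last_seen": now,
                                      "blocked_until": 0.0}
        entry["count"] += 1
        entry["last_seen"] = now
        if entry["count"] >= BLOCK_AFTER:
            # Repeat offenders are re-blocked on their next invalid address
            # until they have stayed quiet for QUIET_RESET seconds.
            entry["blocked_until"] = now + BLOCK_SECONDS
        over = entry["count"] - FREE_INVALIDS
        if over <= 0:
            return 0         # occasional typos by real senders cost nothing
        step = min((over - 1) // STEP_LEN, len(DELAY_STEPS) - 1)
        return DELAY_STEPS[step]
```

The server would sleep for the returned number of seconds before writing the 550, and check `is_blocked()` when a client connects.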




