Hi,

A few more thoughts on the dictionary attack. My earlier post was CCed to Greg himself so he'd hopefully get the information sooner, since this list is taking a long time to send out messages, mine anyway!

I'm surprised SMTP servers aren't taking this matter into their own hands. It seems to me that for such an attack, there could be several solutions.

Firstly, the server could, upon noticing many invalid address requests from the same IP or group of IPs, simply block those IPs for a while. When they connect, just either immediately disconnect them, or give some error and disconnect. Or even better, make them wait a few seconds before kicking them off.

Another solution would be to start delaying responses to invalid requests. E.g. after ten invalids, delay the next few 550s by one second. Then 2 seconds. Then 5 seconds. Then 10 seconds. And so on.

Another idea would be to have the server actually appear to accept mail for a nonexistent account, when it figures out that these guys are doing a dictionary attack. Such messages might get sent to either root or some other account set up for such messages.

Also, I'm assuming a dictionary attack is something like, for example, somebody trying to send, in rapid succession, to

dentist at yourdomain.com
health at yourdomain.com
baseball at yourdomain.com
apple at yourdomain.com
freezer at yourdomain.com
failure at yourdomain.com
toothbrush at yourdomain.com
shaver at yourdomain.com
barbershop at yourdomain.com
chocolate at yourdomain.com
central at yourdomain.com
running at yourdomain.com

etc. Is this right?

Jayson.

----- Original Message -----
From: "Gregory Nowak" <greg@xxxxxxxxxxxxxxxxxx>
To: <speakup at braille.uwo.ca>
Sent: Sunday, June 20, 2004 4:39 PM
Subject: reporting dictionary attacks

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all.
>
> I've been watching via my logs an email dictionary attack against a
> domain I host for the last 5 hours now, and still going strong as I
> write this.
>
> Unfortunately, looking at spamcop.net seems to indicate that you can
> only report spam through them that came to legitimate email
> accounts. So, is there a way for me to report a dictionary attack
> somewhere? It's really pissing me off that I have my out-bound port 25
> blocked, and have to relay because of people like this, while some
> damned bastard has their out-bound smtp opened by their ISP, which
> they obviously don't deserve to have.
>
> Greg
>
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFA1fX97s9z/XlyUyARAl5qAKDZvExjBEw5aaSCybl3zFj3gfQslgCgxGz0
> Sf76jZpJPpqy7zBqqeihNfQ=
> =du7E
> -----END PGP SIGNATURE-----
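
The escalating-delay and temporary-block ideas from the reply above, sketched as an added example that is not part of the original thread and is not any mail server's own code. The "ten invalids" threshold and the 1, 2, 5, 10 second steps come from the message; the counting window, block threshold, block duration and the `RcptTarpit` name are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

FREE_INVALIDS = 10           # from the post: no delay for the first ten invalids
DELAY_STEPS = (1, 2, 5, 10)  # from the post: seconds to hold back each later 550
WINDOW_SECONDS = 600         # assumed: only invalids in the last 10 minutes count
BLOCK_AFTER = 20             # assumed: invalids in the window that trigger a block
BLOCK_SECONDS = 1800         # assumed: how long a blocked IP stays blocked


class RcptTarpit:
    """Per-client-IP policy for RCPT TO commands that name unknown users."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._invalid = defaultdict(deque)  # ip -> times of recent invalid RCPTs
        self._blocked_until = {}            # ip -> time at which the block ends

    def is_blocked(self, ip):
        """Check at connect time; an expired block is removed."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._blocked_until[ip]
            return False
        return True

    def on_invalid_rcpt(self, ip):
        """Record one invalid recipient and return (action, delay_seconds)."""
        if self.is_blocked(ip):
            return ("disconnect", 0)
        now = self._clock()
        hits = self._invalid[ip]
        hits.append(now)
        while now - hits[0] > WINDOW_SECONDS:  # forget invalids outside the window
            hits.popleft()
        count = len(hits)
        if count >= BLOCK_AFTER:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            hits.clear()
            return ("disconnect", 0)
        if count <= FREE_INVALIDS:
            return ("reject", 0)               # ordinary 550, no delay
        step = min(count - FREE_INVALIDS, len(DELAY_STEPS)) - 1
        return ("reject", DELAY_STEPS[step])   # sleep this long, then send 550
```

A server would call `is_blocked()` when a client connects and `on_invalid_rcpt()` before answering each unknown recipient, sleeping for the returned delay before sending the 550.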