-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jun 20, 2004 at 06:18:36PM -0400, Jayson Smith wrote:
> I'm surprised smtp servers aren't taking this matter into their own hands.
> It seems to me that for such an attack, there could be several solutions.
> Firstly, the server could, upon noticing many invalid address requests from
> the same ip or group of ips, simply block those ips for a while. When they
> connect, just either immediately disconnect them, or give some error and
> disconnect. Or even better, make them wait a few seconds before kicking
> them off.

See my previous post. I am already using several black lists to reject
mail from IP addresses known to be open relays or spammers, and this
rejection takes place even before the smtp transaction even starts. I
think I'll look at implementing a dynamic IP black list too.

I used to think that my ISP's out-bound smtp blocking policy was
unreasonable, especially for static IP customers, but I think I'm coming
around to their side. It's just too bad that the internet gets ruined
for innocent folks in the process.

> Another solution would be to start delaying responses to invalid requests.
> E.G. after ten invalids, delay the next few 550s by one second. Then 2
> seconds. Then 5 seconds. Then 10 seconds. and so on.

I've got reasons against doing tarpitting, which is what you're
describing. These reasons are in the same family with the reasons for
why no ISP should be doing out-bound SMTP blocking. They might change.

> Another idea would be to have the server actually appear to accept mail for
> a nonexistent account, when it figures out that these guys are doing a
> dictionary attack. Such messages might get sent to either root or some
> other account set up for such messages.

See my previous post.

> Also, I'm assuming a dictionary attack is something like, for example,
> somebody trying to send, in rapid succession, to dentist at yourdomain.com

Yes, except that they're not always in alphabetical order, and
sometimes, like now, aren't proper English words.

Greg
- -- 
Free domains: http://www.eu.org/ or mail dns-manager at EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA1inM7s9z/XlyUyARAgqsAJ9wXpi8z5T2cIEonMjN146y0Se0HQCeOV/W
0GoSWxt4hQ4TGJCmLHsl8mI=
=yzCt
-----END PGP SIGNATURE-----
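
The two server-side measures discussed in this message (a dynamic IP black list fed by invalid-recipient rejections, and the 1, 2, 5, 10 second delay schedule from the quoted text), sketched as an added example that is not part of the original post or of any mail server's own code. The class and function names, the window, the block threshold and the block duration are assumptions for illustration, and the events are constructed.

```python
from collections import defaultdict, deque

# Schedule from the quoted message: after ten invalid recipients, delay the
# following 550 replies by 1, 2, 5, then 10 seconds (one reply per step here).
TARPIT_AFTER = 10
TARPIT_STEPS = [1, 2, 5, 10]

class InvalidRcptTracker:
    """Per-IP count of unknown-recipient rejections (hypothetical helper)."""

    # window, block_after and block_for are assumed values, not from the thread.
    def __init__(self, window=600, block_after=20, block_for=3600):
        self.window = window            # seconds of history kept per IP
        self.block_after = block_after  # rejections in window that trigger a block
        self.block_for = block_for      # seconds an IP stays on the dynamic list
        self.hits = defaultdict(deque)  # ip -> timestamps of rejections
        self.blocked_until = {}         # ip -> time the block expires

    def is_blocked(self, ip, now):
        """Connect-time check, before the SMTP transaction starts."""
        return self.blocked_until.get(ip, 0) > now

    def invalid_rcpt(self, ip, now):
        """Record one rejected RCPT TO; return (action, delay_seconds)."""
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop entries older than window
            q.popleft()
        n = len(q)
        if n >= self.block_after:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return ("block", 0)
        if n > TARPIT_AFTER:
            step = min(n - TARPIT_AFTER - 1, len(TARPIT_STEPS) - 1)
            return ("tarpit", TARPIT_STEPS[step])
        return ("reject", 0)

def replay(events, tracker=None):
    """Feed (time, ip) rejection events through a tracker; return decisions."""
    tracker = tracker or InvalidRcptTracker()
    return [tracker.invalid_rcpt(ip, t) for t, ip in events]

if __name__ == "__main__":
    # Constructed sample: one client guessing a new local part every second.
    for t, d in enumerate(replay([(t, "192.0.2.10") for t in range(20)])):
        print(t, d)
```

Because the counter uses a sliding window, a sender who mistypes a few addresses over a day never reaches either threshold; only sustained guessing from one address does.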