Re: [exim] DOS attack. What to do?

Wed, 26 Jul 2006 03:41:15 -0700 

Hi !!

>> from my experience in similar situations what helped in
>> having situation under control was examining the logs to
>> find common patterns (helo, sender addresses, recipients,
>> etc ...) and then build new acl rules to reject that attempts
>> as fast as possible, if possible avoiding dns and/or database
>> lookups and callouts.
> 
> DNS for sure, and RBL sometimes, are faster than you might think.

not faster enough to survive a massive virus attack, at least
not in my case, but that's just my experience and it does not
mean that it must be good on all situations.

>> with "deny local_parts = fred:mary:.." wihtout having to
>> do a "verify = recipient" (which will take more cpu)
> 
> Surely you jest?

yes.

> Putting multi-brazillons of dictionery-created non-existent local parts into 
> *any of* an acl (hard-wired) or as a lookup of a local flat file, db/cdb 
> file, 
> or SQL RDBMS is simply not on, admin-wise and gets slower as it grows.

stop. i'm talking about commonly used names, not random names.
If you get thounsands of emails for [EMAIL PROTECTED] and you don't have
such this address is very much faster "deny local_parts = mary" than
"verify = recipient", that's why the first thing that i said is that
one should examine logs and find common patterns.

In the other hand such this random generated addresses could be
catch by a regex just testing for many consecutive consonants (just one
more than the maximun number of consecutive consonants from your user
with more consecutive consonants), that will catch a lot of them.

-- 
Best regards ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  [EMAIL PROTECTED]
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------



-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

Reply via email to