> Lately I've been seeing a lot of attempts at harvesting a mail server
> directory in my postfix mail log .. like 500 bounced messages to slightly
> similar addresses ([EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
> etc). I've been trying to find a way to detect and stop (preferably in
> real time) these attempts at directory harvesting.

The first defense is to set up the smtpd restriction check_recipient_maps, where you have defined relay_recipient_maps = a file of your known users.

> I saw in a post from a while ago, Len said he got postfix to block DHAs
> with a combination of filters

The above is the best one.

> , so I'm optimistic that there is a solution. I've explored using
> smtp_soft_error = 2, smtp_hard_error = 2 r, etc directives but I found
> that it didn't discourage people on a per-session/client basis when
> there was a problem

but it tarpits them by hanging up on them. Also:

smtpd_junk_command_limit = 1
smtpd_error_sleep_time = 0

The above won't stop the attack, but it minimizes even a very high volume attack's effect on IMGate to insignificance, making IMGate non-DoSable. I've seen an 800 MHz IMGate reject unknown users at nearly 10 rejects per second with no loading of IMGate at all. IIRC, one hour was over 50K rejects to unknown users. IMGate didn't break a sweat.

> ... it made my postfix box disconnect EVERYONE after a certain amount of
> errors were reached.

That's not a problem. No legit server should be making 3 errors per SMTP session. If they do, they deserve to be cut off.

> Anyhow, if someone could give me some pointers on how to stop these
> wankers, I'd be much appreciative :) Thanks in Advance.

Rejecting unknown users is best, but then you could still be allowing the harvester's accidental hits on known users to get through. To escalate from blocking unknown users to blocking by IPs that send to unknown users requires counting up, over a period, the unknown-user rejects by IP to be above a threshold, and then adding the IP to an mta_clients.map file. Setting the period and the threshold is kinda tricky, and needs tuning. The easiest IP blocking is when one IP is attacking in high volumes. If the attack is coming from 100 or 1000's of IPs, then period + threshold can be too high to catch a single IP. But then do you check for just one period or multiple periods of varying length? Check every 5 minutes per this hour, check every hour per today, check once/day for the last 3 days, per week? Do you automatically block all IPs or just IPs with no PTR?

But, so what if a spammer harvests a few, or many, or all, of your names? It really isn't a problem due to improvements in postfix UCE in the last year. So now they start sending to your valid users, but they still have to get past all your other non-user filtering, which is still a formidable obstacle course that we know is very effective. If you are already successfully blocking 90+% of spam to your known users, what difference does it make whether the spammer learned the name from a dictionary attack or from a list archive, or wherever else? Knowing a valid recipient is not sufficient to deliver spam to that recipient.

The real vulnerability for dictionary attacks is whether the volume of the attack DoSes the MX. I just heard that Exchange does per-domain acceptance of inbound and then rejects/bounces the message in a later step. MS really doesn't "get" Internet. Dictionary attacks are why Imail nobody@ aliases are evil. If you aren't blocking unknown users at IMGate with check_recipient_maps and are accepting per-domain, then your IMGate is easily vulnerable to being DoSed by the mailbox server bouncing the unknown recipients.

Len
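The "count unknown-user rejects per IP over a period, compare against a threshold, then block the IP" escalation Len sketches above, as an added worked example (my code, not Len's and not part of IMGate or postfix). It assumes the log line shape postfix's smtpd writes when relay_recipient_maps rejects a recipient ("NOQUEUE: reject: RCPT from host[ip]: 550 ... User unknown in relay recipient table"), uses documentation-range IPs in a constructed sample log, and emits the blocks in postfix access(5) table format for a check_client_access lookup; the mta_clients.map format from the thread is not described here, so it is not reproduced. The period and threshold defaults are placeholders to be tuned, exactly as the reply warns.

```python
"""Flag directory-harvest sources from postfix 'User unknown' rejects.

Counts rejects per client IP in a sliding time window; any IP whose peak
count in one window reaches the threshold gets an access(5) REJECT line.
"""
import re
from collections import defaultdict
from datetime import datetime


def _reject_line(ts, host, ip, rcpt, pid=1201):
    # Constructed sample line in the shape postfix smtpd logs for a
    # relay_recipient_maps rejection (syslog timestamp, no year).
    return (f"{ts} mx postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in relay "
            f"recipient table; from=<x@spam.invalid> to=<{rcpt}> proto=ESMTP helo=<bogus>")


# Constructed sample log (not real traffic): one harvester walking the
# alphabet in a few seconds, one partner with a single typo, one slow
# harvester spacing its probes hours apart, plus a non-reject line.
SAMPLE_LOG = "\n".join([
    *[_reject_line(f"Mar  3 10:00:0{i}", "unknown", "192.0.2.10", f"{n}@example.org")
      for i, n in enumerate(["aaron", "abby", "adam", "alan", "alex", "amy"], start=1)],
    _reject_line("Mar  3 10:01:10", "mail.partner.example", "198.51.100.7",
                 "bob.smth@example.org"),
    "Mar  3 10:01:11 mx postfix/smtpd[1202]: 4F2A1B2C3D: client=mail.partner.example[198.51.100.7]",
    _reject_line("Mar  3 11:30:00", "unknown", "203.0.113.5", "carl@example.org"),
    _reject_line("Mar  3 13:30:00", "unknown", "203.0.113.5", "cara@example.org"),
    _reject_line("Mar  3 15:30:00", "unknown", "203.0.113.5", "cory@example.org"),
])

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 .*?Recipient address rejected: User unknown")


def parse_rejects(log_text):
    """Yield (timestamp, client_ip) for every 'User unknown' reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # Syslog stamps carry no year; collapse the padding space in "Mar  3".
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
            yield ts, m.group("ip")


def harvesters(log_text, threshold=5, period=300):
    """Return {ip: peak_count} for IPs with >= threshold rejects inside any
    window of `period` seconds. Defaults are placeholders; tune per site."""
    by_ip = defaultdict(list)
    for ts, ip in parse_rejects(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it lies within `period` of ts.
            while (ts - stamps[start]).total_seconds() > period:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def access_map_lines(flagged):
    """Lines for a postfix access(5) table usable with check_client_access."""
    return [f"{ip}\tREJECT directory harvest: {n} unknown recipients"
            for ip, n in sorted(flagged.items())]


if __name__ == "__main__":
    # Short window catches the fast harvester only; a day-long window with a
    # lower threshold also catches the slow one. The partner's single typo is
    # never flagged.
    for line in access_map_lines(harvesters(SAMPLE_LOG)):
        print(line)
    for line in access_map_lines(harvesters(SAMPLE_LOG, threshold=3, period=86400)):
        print(line)
```

Run it over multiple (period, threshold) pairs to cover the "5 minutes this hour, hourly today, daily this week" question from the reply; each call is independent, so the short-window pass catches a single high-volume IP while the long-window pass catches slow, distributed probing. Whatever ends up in the table should first be checked against known partner hosts (a typo'd address from a legitimate server is the false positive this design is most exposed to), and the table must be rebuilt with postmap before postfix will read it.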
