Re: how to protect against directory attack?
On 22/6/10 0:01, mouss wrote:
> motty.cruz wrote:
>> Hello all, What is the best way to protect against directory attack?
> [snip]
>
> how about: don't care?
>
> # postlog.pl
> Recipient unknown..: 58.35 %
> ...
>
> it's been like this for a long time and the world didn't collapse here.

If you manage to cut them before they hit any real address you avoid crud entering your users' mailboxes. We have a testing list with a funny familiar Spanish name (that is in dictionaries for sure) but it is not published anywhere and sends nothing to the outside world, and we are getting spam in the moderation queue of the thing!

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
Re: how to protect against directory attack?
On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
> If you manage to cut them before they hit any real address you avoid crud entering your users' mailboxes.

It's called recipient validation, and if you aren't doing it, you're doing it wrong.

> We have a testing list with a funny familiar Spanish name (that is in dictionaries for sure) but it is not published anywhere and sends nothing to the outside world, and we are getting spam in the moderation queue of the thing!

So add a spam filter. Just because an address isn't published anywhere doesn't mean it won't be targeted.
Re: how to protect against directory attack?
On 22/6/10 12:54, Charles Marcus wrote:
> On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
>> If you manage to cut them before they hit any real address you avoid crud entering your users' mailboxes.
>
> It's called recipient validation, and if you aren't doing it, you're doing it wrong.

We DO recipient validation. I'm talking about cutting off the client before they hit a good one. The point I was making is that if you use something like fail2ban that detects an IP address that is doing a dictionary attack, and block the connection, you reduce the probability of finding a recipient that will get validated.

> So add a spam filter. Just because an address isn't published anywhere doesn't mean it won't be targeted.

I know that, been doing email since '85. We are not allowed to filter mail (except viruses) by policy. So we need other anti-spam measures; once we accept mail we MUST deliver it (except for viruses).

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
Re: how to protect against directory attack?
On 2010-06-22 8:47 AM, Victoriano Giralt wrote:
> On 22/6/10 12:54, Charles Marcus wrote:
>> On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
>>> If you manage to cut them before they hit any real address you avoid crud entering your users' mailboxes.
>
> We DO recipient validation. I'm talking about cutting off the client before they hit a good one. The point I was making is that if you use something like fail2ban that detects an IP address that is doing a dictionary attack, and block the connection, you reduce the probability of finding a recipient that will get validated.

Ahh... you are attempting to hide your valid recipients. Security through obscurity is a waste of time and resources imo. I use fail2ban, but only to block hack attempts... I don't care much about someone finding out who the valid recipients are, I'm much more concerned with someone trying to crack a password...

> We are not allowed to filter mail (except viruses) by policy. So we need other anti-spam measures; once we accept mail we MUST deliver it (except for viruses).

That's what I meant - add an after-queue filter and TAG+Deliver it. Use sieve to deliver it to a Spam folder if desired.

--
Best regards,
Charles
Re: how to protect against directory attack?
On 22/6/10 16:47, Charles Marcus wrote:
>> We DO recipient validation. I'm talking about cutting off the client before they hit a good one. The point I was making is that if you use something like fail2ban that detects an IP address that is doing a dictionary attack, and block the connection, you reduce the probability of finding a recipient that will get validated.
>
> Ahh... you are attempting to hide your valid recipients. Security through obscurity is a waste of time and resources imo.

No. I think I'm not getting the point through. It is clear we are in the same boat; I also despise security by obscurity.

> I use fail2ban, but only to block hack attempts... I don't care much about someone finding out who the valid recipients are, I'm much more concerned with someone trying to crack a password...

Sure! But, once we have fail2ban in place and watching over the logs, it costs nothing to stop someone running a list trying to deliver some crud. I compare this to the SSH attacks: nowadays it is not safe to have passwords for SSH authentication, but that does not preclude cutting access of list attackers with the likes of fail2ban so they do not lock resources like TCP sockets or CPU cycles, or generate too much noise in the logs.

> That's what I meant - add an after-queue filter and TAG+Deliver it. Use sieve to deliver it to a Spam folder if desired.

Agreed. Deciding on content should be in the hands of users, but, please, do not start a flame over this. It will depart from the OP's question.

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
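The detection Victoriano describes in his two messages above (watch the Postfix log, notice one client being told "User unknown in local recipient table" many times in a short window, then block that client) is exactly what a fail2ban postfix jail does with its maxretry and findtime settings. The following script is an added example, not code from the thread or from fail2ban: it parses log lines in the layout the OP posted, keeps a sliding window of unknown-recipient rejects per client IP and reports the clients that cross the threshold. The sample log lines, the addresses in them, the threshold (3 rejects in 600 seconds) and the year used for the timestamps are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Postfix smtpd rejection of an unknown local recipient, in the syslog layout seen in the thread.
# The reply code and enhanced status code are matched loosely because both are configurable
# (the OP's postconf sets unknown_local_recipient_reject_code = 550).
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"\d{3} \d\.\d\.\d (?P<rcpt>\S+): Recipient address rejected: "
    r"User unknown in local recipient table"
)


def parse_reject(line, year=2010):
    """Return (timestamp, client_ip, recipient) for an unknown-recipient reject, else None.

    syslog lines carry no year, so the caller supplies one (2010 matches the thread).
    """
    m = REJECT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"]


def find_harvesters(lines, maxretry=3, window_seconds=600):
    """Flag client IPs with at least `maxretry` unknown-recipient rejects inside a sliding window.

    This is the same decision a fail2ban jail takes from its maxretry/findtime settings;
    the default values here are constructed for the demo, not fail2ban's own.
    Returns {ip: {"flagged_at": datetime, "rejects_in_window": int, "recipients": [...]}}.
    """
    recent = defaultdict(deque)    # ip -> reject timestamps still inside the window
    recipients = defaultdict(set)  # ip -> distinct unknown recipients it tried
    flagged = {}
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue  # connects, disconnects and other chatter are not evidence
        ts, ip, rcpt = parsed
        window = recent[ip]
        window.append(ts)
        recipients[ip].add(rcpt)
        # Drop rejects that have aged out of the window (lines arrive in log order).
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = {"flagged_at": ts, "rejects_in_window": len(window)}
    for ip, info in flagged.items():
        info["recipients"] = sorted(recipients[ip])
    return flagged


# Constructed sample log: one client walking a list of first names (four rejects in two
# seconds) and one legitimate peer that hit a single stale alias. Addresses are fictional.
SAMPLE_LOG = """\
Jun 21 12:39:45 machine1 postfix/smtpd[72653]: connect from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]
Jun 21 12:39:46 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 frank@example.com: Recipient address rejected: User unknown in local recipient table; from=toot@example.net to=frank@example.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:39:46 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 fraz@example.com: Recipient address rejected: User unknown in local recipient table; from=toot@example.net to=fraz@example.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:39:46 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 free@example.com: Recipient address rejected: User unknown in local recipient table; from=toot@example.net to=free@example.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:39:47 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 fred@example.com: Recipient address rejected: User unknown in local recipient table; from=toot@example.net to=fred@example.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:40:02 machine1 postfix/smtpd[72654]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.5]: 550 5.1.1 old-alias@example.com: Recipient address rejected: User unknown in local recipient table; from=bob@example.org to=old-alias@example.com proto=ESMTP helo=mail.example.org
Jun 21 12:40:03 machine1 postfix/smtpd[72654]: disconnect from mail.example.org[203.0.113.5]
"""

if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['rejects_in_window']} unknown recipients by "
              f"{info['flagged_at']:%H:%M:%S}, tried {', '.join(info['recipients'])}")
```

The single stale-alias reject from 203.0.113.5 stays below the threshold, which is the point of requiring a count within a window rather than reacting to one 550: a legitimate correspondent with an outdated address book looks nothing like a client cycling through a dictionary. Postfix also has its own built-in brake for this pattern: after smtpd_soft_error_limit errors in one session it delays each further response by smtpd_error_sleep_time, and drops the connection at smtpd_hard_error_limit; the OP's postconf sets smtpd_error_sleep_time = 0, which switches that delay off.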
Re: how to protect against directory attack?
Victoriano Giralt wrote:
> On 22/6/10 12:54, Charles Marcus wrote:
>> On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
>>> If you manage to cut them before they hit any real address you avoid crud entering your users' mailboxes.
>>
>> It's called recipient validation, and if you aren't doing it, you're doing it wrong.
>
> We DO recipient validation. I'm talking about cutting off the client before they hit a good one. The point I was making is that if you use something like fail2ban that detects an IP address that is doing a dictionary attack, and block the connection, you reduce the probability of finding a recipient that will get validated.

I don't believe in that. A motivated spammer can get around fail2ban and the like. Such a spammer has enough IPs, networks, ... Not only can they try different addresses from different IPs, but they can even do advanced analysis, which we can't. Here is what I've seen:
- spam from random places to random addresses.
- snowshoe spam to _valid_ addresses.

>> So add a spam filter. Just because an address isn't published anywhere doesn't mean it won't be targeted.
>
> I know that, been doing email since '85. We are not allowed to filter mail (except viruses) by policy. So we need other anti-spam measures; once we accept mail we MUST deliver it (except for viruses).

We agree on the result: while I am allowed to filter mail, I prefer to block it as soon as possible (and I'm not a member of the "Plan for Spam" religion :)
how to protect against directory attack?
Hello all,

What is the best way to protect against directory attack? Below is my log file and postconf -n! Thanks in advance!

Jun 21 12:39:06 machine1 postfix/smtpd[72653]: lost connection after RCPT from unknown[178.122.29.134]
Jun 21 12:39:06 machine1 postfix/smtpd[72653]: disconnect from unknown[178.122.29.134]
Jun 21 12:39:45 machine1 postfix/smtpd[72653]: connect from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]
Jun 21 12:39:46 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 frank...@domain.com: Recipient address rejected: User unknown in local recipient table; from=toot...@reflexangelo.com to=frank...@domain.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:39:46 machine postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 fraz...@domain.com: Recipient address rejected: User unknown in local recipient table; from=toot...@reflexangelo.com to=fraz...@domain.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:39:46 machine postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 free...@domain.com: Recipient address rejected: User unknown in local recipient table; from=toot...@reflexangelo.com to=free...@domain.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr
Jun 21 12:39:47 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550 5.1.1 frank...@domain.com: Recipient address rejected: User unknown in local recipient table; from=smilingg...@rdcfinehomes.com to=frank...@domain.com proto=ESMTP helo=ppp-94-69-8-89.home.otenet.gr

Machine1# postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alternate_config_directories = /usr/local/etc/postfix-out
anvil_rate_time_unit = 2s
biff = no
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 1s
local_recipient_maps = hash:/usr/local/etc/postfix/userdb, hash:/usr/local/etc/postfix/uservirt
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 5000
mydestination = domain.com, domain2.com, domain3.com
myhostname = machine1.domain.com
mynetworks = 127.0.0.0/8,
myorigin = domain.com
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = machine.domain.com
smtpd_client_restrictions = hash:/usr/local/etc/postfix/access
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain,
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit_mynetworks
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

-Motty
Re: how to protect against directory attack?
On Mon, Jun 21, 2010 at 3:59 PM, motty.cruz <motty.c...@gmail.com> wrote:
> Hello all, What is the best way to protect against directory attack? Below is my log file and postconf -n! Thanks in advance!
> [log excerpt and postconf -n output quoted in full; identical to the original message above]

Have you checked fail2ban?
Re: how to protect against directory attack?
On 6/21/2010 3:59 PM, motty.cruz wrote:
> Hello all, What is the best way to protect against directory attack? Below is my log file and postconf -n! Thanks in advance!
>
> Jun 21 12:39:06 machine1 postfix/smtpd[72653]: lost connection after RCPT from unknown[178.122.29.134]
> Jun 21 12:39:06 machine1 postfix/smtpd[72653]: disconnect from unknown[178.122.29.134]
> Jun 21 12:39:45 machine1 postfix/smtpd[72653]: connect from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]
> Jun 21 12:39:46 machine1 postfix/smtpd[72653]: NOQUEUE: reject: RCPT from ppp-94-69-7-127.home.otenet.gr[94.69.7.127]: 550

If you can use and abide by their policies, find some Zen :) (zen.spamhaus.org)

grkni...@mx1 ~ $ host 127.7.69.94.zen.spamhaus.org
127.7.69.94.zen.spamhaus.org has address 127.0.0.10
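The `host` lookup in the message above is a DNSBL query: the client's IPv4 octets are reversed and prefixed to the list's zone, and an A record in 127.0.0.0/8 coming back means "listed", with the last octet saying which component list matched. The following is an added example, not code from the thread or from Spamhaus, that builds the query name, interprets a ZEN answer and wraps the two in a lookup whose resolver is injectable so the logic runs offline. The return-code table follows Spamhaus's published documentation for ZEN (127.0.0.2 SBL, 127.0.0.3 SBL CSS, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL); the fake resolver and the 203.0.113.5 test address are constructed for the demo.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone.

    94.69.7.127 under zen.spamhaus.org becomes 127.7.69.94.zen.spamhaus.org,
    the name queried with `host` in the message above.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only; IPv6 DNSBL names are built from reversed nibbles")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_zen(answer):
    """Map a ZEN A-record answer to the component list that produced it.

    Documented ZEN codes: 127.0.0.2 SBL, 127.0.0.3 SBL CSS, 127.0.0.4-7 XBL,
    127.0.0.10-11 PBL. Anything else (for example the 127.255.255.x error codes
    returned for queries from open or over-quota resolvers) is reported as ERROR
    so that a caller never treats it as a listing.
    """
    addr = ipaddress.ip_address(answer)
    if addr not in ipaddress.ip_network("127.0.0.0/24"):
        return "ERROR"
    last = addr.packed[-1]
    if last == 2:
        return "SBL"
    if last == 3:
        return "SBL-CSS"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "ERROR"


def lookup_zen(ip, resolver=socket.gethostbyname):
    """Return the ZEN listing label for ip, or None when it is not listed.

    `resolver` takes a name and returns an address string or raises OSError
    (socket.gaierror is a subclass); the default does a live DNS lookup.
    NXDOMAIN and lookup failures both map to None: a DNSBL check fails open,
    because an unreachable list must never make the server reject all mail.
    """
    name = dnsbl_query_name(ip)
    try:
        answer = resolver(name)
    except OSError:
        return None
    return classify_zen(answer)


if __name__ == "__main__":
    # Live lookup of the client from the thread; requires network and your own resolver.
    client = "94.69.7.127"
    print(dnsbl_query_name(client), "->", lookup_zen(client))
```

The 127.0.0.10 answer in the message above is therefore a PBL hit: the address sits in ISP-declared end-user space that should not be delivering mail directly, which fits a `ppp-...home.otenet.gr` reverse name. In Postfix the same test runs inside the SMTP dialogue with `reject_rbl_client zen.spamhaus.org` in smtpd_recipient_restrictions (or smtpd_client_restrictions), so the client is refused at RCPT time before any recipient lookup is attempted.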
Re: how to protect against directory attack?
motty.cruz wrote:
> Hello all, What is the best way to protect against directory attack?
> [snip]

how about: don't care?

# postlog.pl
Recipient unknown..: 58.35 %
...

it's been like this for a long time and the world didn't collapse here.
RE: how to protect against directory attack?
Thanks for your response. I was hysterical; I thought there was something wrong with my configuration. I've been getting lots of bounced emails and believed it was related to a directory attack.

Thanks,
-motty

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of mouss
Sent: Monday, June 21, 2010 3:02 PM
To: postfix-users@postfix.org
Subject: Re: how to protect against directory attack?

> motty.cruz wrote:
>> Hello all, What is the best way to protect against directory attack?
> [snip]
>
> how about: don't care?
>
> # postlog.pl
> Recipient unknown..: 58.35 %
> ...
>
> it's been like this for a long time and the world didn't collapse here.