Jason Tower wrote:
> lately my mail server (and several others that i administer) have been getting pummeled by dictionary attacks (trying to send mail to [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], and so on). naturally, the response to all of these is a "550 unknown user" but it still wastes bandwidth and fills up the logs and flat out pisses me off. these attacks all come from a single IP address (at least for some period of time, then they start up all over again from a different IP)

If you're running Postfix, and like living on the bleeding edge, check out the anvil(8) server that's still in development. http://www.postfix.org/anvil.8.html It looks like it'll be a nice addition when it's stable, although at the moment the docs claim it's a bit rough around the edges (and not in the 2.1 stable release). I'm curious to know if anyone's tried it out yet. :)

> i'm wondering if there's a relatively easy way to dynamically add an iptables rule that blocks port 25 (or better yet all traffic) from an IP address that generates X 550 errors in Y minutes. then, after Z minutes, the rule is removed. or is there a better way?
> jason
In general, we see an awful lot of dictionary attacks here at Intrex, and it's not something we process the logs or firewall against to block. Be very careful with setting up automated systems that monkey with your firewall rules, it can have very unfortunate results if someone decides to exploit the way you have it setup, and even more likely, accidents and floods of mail to users who don't exist do happen naturally. Twould be bad to block yahoo or aol because some newbie on their service made a few typos or cut-n-pasted his mother's address wrong 50 times into his forwarding list (stranger things have happened).
Also, note that processing the logs during a dictionary attack can get very processor-intensive, especially if you're not careful in your regex writing (I didn't even look closely at Jon's example, this in no way should be interpreted as a reflection on his code). Just be careful that you're not doing more work in defense, than you're saving from the minimal overhead of "550 user not found in local recipients table". :)
Either way, I'm curious to hear how it turns out. :)

Best of luck,
Aaron S. Joyner

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
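Added example (not from anyone on the thread): a sketch of the "X 550 errors in Y minutes, unblock after Z minutes" logic Jason asked about, written with Aaron's two cautions built in. It assumes Postfix smtpd reject lines in syslog format, a hypothetical allowlist for relays you never want to firewall (the yahoo/aol typo case), and that the block is applied with an iptables INSERT plus a matching DELETE handed to at(1) so it expires on its own. The log lines, IPs and thresholds below are all constructed; nothing is executed, the script only prints the commands it would run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd syslog format (not taken from the
# thread). 198.51.100.7 hammers unknown recipients, 192.0.2.10 makes two
# widely spaced typos, 203.0.113.5 is a hypothetical trusted relay.
SAMPLE_LOG = """\
Jun 12 10:00:01 mx1 postfix/smtpd[2117]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<aaron@example.org>
Jun 12 10:00:03 mx1 postfix/smtpd[2117]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<abby@example.org>
Jun 12 10:00:05 mx1 postfix/smtpd[2120]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.10]: 550 5.1.1 <jasno@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.com> to=<jasno@example.org>
Jun 12 10:00:09 mx1 postfix/smtpd[2117]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<adam@example.org>
Jun 12 10:00:12 mx1 postfix/smtpd[2122]: NOQUEUE: reject: RCPT from relay.example.org[203.0.113.5]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.org> to=<bob@example.org>
Jun 12 10:00:13 mx1 postfix/smtpd[2122]: NOQUEUE: reject: RCPT from relay.example.org[203.0.113.5]: 550 5.1.1 <bill@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.org> to=<bill@example.org>
Jun 12 10:00:14 mx1 postfix/smtpd[2122]: NOQUEUE: reject: RCPT from relay.example.org[203.0.113.5]: 550 5.1.1 <ben@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.org> to=<ben@example.org>
Jun 12 10:01:00 mx1 postfix/smtpd[2125]: connect from mail.example.com[192.0.2.10]
Jun 12 10:07:00 mx1 postfix/smtpd[2125]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.10]: 550 5.1.1 <jaosn@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.com> to=<jaosn@example.org>
"""

# Anchored regex so it fails fast on anything that is not a 550 RCPT reject.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: 550 "
)

# Hypothetical policy values: X rejects within Y minutes, block for Z minutes.
THRESHOLD = 3
WINDOW = timedelta(minutes=5)
BAN_MINUTES = 30
ALLOWLIST = frozenset({"203.0.113.5"})  # hypothetical relay never to be blocked


def parse_reject(line):
    """Return (timestamp, client_ip) for a 550 recipient reject, else None."""
    # Cheap substring test first so the regex only runs on candidate lines;
    # connect/disconnect noise is dropped without paying for the regex.
    if ": 550 " not in line:
        return None
    m = REJECT_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for differences inside one window (a year boundary would need care).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, threshold, window, allowlist=frozenset()):
    """Return {ip: time_crossed} for IPs with >= threshold rejects inside a
    sliding window of length `window`. Allowlisted IPs are never reported."""
    recent = defaultdict(deque)  # ip -> timestamps of rejects still in window
    offenders = {}
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in allowlist or ip in offenders:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop rejects older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders


def block_commands(offenders, ban_minutes):
    """Build the iptables insert plus a matching delete scheduled via at(1),
    so every rule added is guaranteed to be removed again."""
    cmds = []
    for ip in sorted(offenders):
        rule = f"-s {ip} -p tcp --dport 25 -j DROP"
        cmds.append(f"iptables -I INPUT {rule}")
        cmds.append(f"echo 'iptables -D INPUT {rule}' | at now + {ban_minutes} minutes")
    return cmds


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), THRESHOLD, WINDOW, ALLOWLIST)
    for cmd in block_commands(hits, BAN_MINUTES):
        print(cmd)
```

Run against the sample it reports only 198.51.100.7 (three rejects in eight seconds); 192.0.2.10's two typos are seven minutes apart and never reach the threshold, and the relay is skipped by the allowlist even though it racked up three. The substring check in front of the regex is the cheap answer to Aaron's point about log processing getting expensive mid-attack; if you wire this to a real log tail, keep the allowlist and the automatic expiry, since a rule that never gets deleted is exactly the accident he describes.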
