  1. #1
    Join Date
    Mar 2004

    Problematic Dictionary email attack...

    Today one of my customer's domains has been getting clobbered by a pretty good sized distributed dictionary email barrage. I've got the Dictionary Attack ACL for Exim installed, but it doesn't seem to be catching this one. Here's some interesting facts about this:

    The emails are coming in at a max rate of 1-3 per second from a huge variety of hosts spread across the net, so likely these are zombies using whichever mail server they have set up for their default. They have slowed a bit lately though, so I think the attack is winding down.

    The names to which emails are trying to be sent aren't really dictionary words, but instead random gibberish. Here's a sample of the last few seconds:
    <[email protected]>
    <[email protected]>
    <[email protected]>

    The remote servers seem to be attempting a single email address per connection, so the $rcpt_fail_count doesn't seem to be increasing. Thus, the never gets called to add the offending IP to the deny file.

    This isn't terribly urgent, since the account is set to :fail: such messages, but at its peak it was causing a couple of sporadic SMTP timeouts. Any ideas on how to block against something like this? Here's the pertinent section from my exim config:

      # Drop any connection from a host already listed in the deny file,
      # unless that host is whitelisted.
      drop hosts = /etc/exim_deny
          !hosts = /etc/exim_deny_whitelist
          message = Connection denied after dictionary attack
          log_message = Connection denied from $sender_host_address after dictionary attack
      # Once more than 3 recipients have failed in the current connection,
      # run the helper script to record the sender host in the deny file and
      # drop the connection. Conditions are evaluated in order, so the
      # recipient is verified before the script runs; otherwise a valid
      # recipient arriving after three failures would still trigger the
      # helper. $rcpt_fail_count only counts failures within one connection.
      drop message = Appears to be a dictionary attack
          log_message = Dictionary attack (after $rcpt_fail_count failures)
          condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
          !verify = recipient
          condition = ${run{/etc/ $sender_host_address }{yes}{no}}
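    One way to close the gap described above, where each zombie sends a single recipient per connection and $rcpt_fail_count never climbs, is to count recipient-verify rejections per source host across connections from Exim's main log instead. This is an added example, not code from the thread; it assumes the Exim 4 main-log line format shown in the constructed sample lines, and the hosts it returns are candidates for the /etc/exim_deny file the ACL already consults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Exim 4 main-log sample: four single-recipient rejections from
# one host, two from another, and one accepted message the parser must skip.
SAMPLE_LOG = """\
2004-10-05 14:02:11 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <qzxkv@example.org>: Unrouteable address
2004-10-05 14:02:12 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <tplwm@example.org>: Unrouteable address
2004-10-05 14:02:12 H=relay.example.com [198.51.100.7] F=<ann@example.com> rejected RCPT <hhsdr@example.org>: Unrouteable address
2004-10-05 14:02:13 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <mzqra@example.org>: Unrouteable address
2004-10-05 14:02:14 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <xjkfe@example.org>: Unrouteable address
2004-10-05 14:02:15 H=relay.example.com [198.51.100.7] F=<ann@example.com> rejected RCPT <wqpl@example.org>: Unrouteable address
2004-10-05 14:02:16 1CEd3b-0003Ld-2T <= ann@example.com H=relay.example.com [198.51.100.7] P=esmtp S=1234
"""

# Matches the line Exim logs when recipient verification refuses a RCPT.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=[^\[]*\[(?P<ip>[^\]]+)\] .*?rejected RCPT <(?P<rcpt>[^>]+)>"
)

def parse_rejects(lines):
    """Yield (timestamp, source_ip, recipient) for every rejected-RCPT line."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt")

def offending_hosts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: total_rejects} for hosts with more than `threshold`
    rejected recipients inside any `window`, however many connections the
    failures were spread over (the case a per-connection count misses)."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_rejects(lines):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding time window over sorted stamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                offenders[ip] = len(stamps)
                break
    return offenders
```

Run it periodically over the main log (or feed it the reject log) and append the returned hosts to the deny file; the whitelist in the ACL still protects legitimate relays that occasionally bounce a recipient.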

  2. #2
    Join Date
    Aug 2004
    Karachi, Pakistan
    Make use of RBLs....Turn on RDNS....Turn on Tarpitting.....Remove any catchall addresses in your domains and you should be alright.

    Read the tutorials, I know there was something there on dictionary attacks.
    "I drink too much. The last time I gave a urine sample it had an olive in it."
    Rodney Dangerfield (from "I Get No Respect!").

  3. #3
    Join Date
    Mar 2004
    Yeah, I'm looking into RBLs and so forth now. I'm not sure it will help with this particular event though, since the servers relaying the mail are largely valid non-sbl types.


  4. #4
    I have a very similar problem. The only difference is that it is happening to a domain I own. I only had a forward which I removed. I have an idea of letting one email pass to see what is advertised, then pointing my MX record to his domain or to the FBI. I don't find it too ethical and it is not a general solution. I have other domains for which I cannot do that so I am still looking for something serious. Maybe you can update this thread if you solve the problem.
