[Mimedefang] dictionary attacks looking for a valid user

Mack roaringpenguin.com at bass-speaker.com
Thu Dec 15 17:04:36 EST 2005


without giving too much away about how i've implemented this.....

Basically -- Greylisting (triplet based)
Throttleing -- User Based agaist triplet scoring
Remote IP --Against tries/retries

Eg the last virus to do the rounds, that .Y or .Z depending on your AV,
basically tried to send x million virus to said addressess..

Spool em if over X and worry about em seperate (if doing user based
scanning!!!)

else set a throttle for domain based only allowing maybe 25 users trys

soon as u get a fail - grey list and out she goes (not an MD feature)

run sender verify & helo arg checks against sending host (as well as RBL
etc) (add to spam score accordingly)

Run Ldap against your recip server (you do run MD as a gateway not a
terminating MTA??)

Remember all valid mail servers will resend the mail within a reasonable
time period....
spammers won't

You can reduce your recieved spam by about 60ish% using this (since you
never receive it)

the rest is caught by spam assasin





-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com]On Behalf Of Alex
Moore
Sent: 15 December 2005 21:06
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] dictionary attacks looking for a valid user


I have not seen this topic discussed.  BTW, I appreciate the recent
thread on greylisting.

Spammer scenario:
A spammer tries many times to find a user with something like a
dictionary attack or a list of commonly used user names.

How can I setup a rule in MIMEDefang to define those transactions?  Say
when a smtp server tries 10 times within a short time period and is sent
a 550 code each time. I think that it would appropriate to have MD just
blacklist that address. Is that possible?  I want to ignore them
completely after this event has occurred.

Ideas?

Thanks, Alex

--
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

This Email Has Been Anti-Virus Scanned



More information about the MIMEDefang mailing list