[Mimedefang] Re: dictionary attacks looking for a valid user

Alan Lehman alehman at gbutler.com
Thu Dec 29 10:05:43 EST 2005


>How can I setup a rule in MIMEDefang to define those transactions?  Say
>when a smtp server tries 10 times within a short time period and is
sent
>a 550 code each time. I think that it would appropriate to have MD just
>blacklist that address. Is that possible?  I want to ignore them
>completely after this event has occurred.


I rarely see dictionary attacks from a single relay. Recently the
majority of such attacks on my systems seem to be of distributed origin
using random #/letter user names. They come in waves, sometimes a day or
two of several thousand per hour, from various random sources, then it
calms down for a while. I suspect some type of bot is at work.

Another one is repeated attempts with the same dictionary word from
distributed senders:

Dec 29 00:14:17 yyy sendmail[24179]: jBT6EHL2024179: from=<>, size=2387,
class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ccemb.ccebos.org
[129.10.148.248]
Dec 29 00:14:17 yyy sendmail[24179]: jBT6EHL2024179: <gloat at zzz.com>...
User unknown
Dec 29 00:30:46 yyy sendmail[24837]: jBT6UjLL024837: from=<>, size=3517,
class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
relay=relay02.mail-hub.dodo.com.au [202.136.32.45]
Dec 29 00:30:46 yyy sendmail[24837]: jBT6UjLL024837: <gloat at zzz.com>...
User unknown
Dec 29 01:06:01 yyy sendmail[25599]: jBT7618I025599: from=<>, size=2345,
class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=flpvm03.prodigy.net
[207.115.20.33]
Dec 29 01:06:01 yyy sendmail[25599]: jBT7618I025599: <gloat at zzz.com>...
User unknown
Dec 29 01:50:23 yyy sendmail[26650]: jBT7oMjr026650: from=<>, size=3173,
class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail02.cnemedia.com
[67.103.45.213]
Dec 29 01:50:23 yyy sendmail[26650]: jBT7oMjr026650: <gloat at zzz.com>...
User unknown

[Repeats several hundred times within a day or two. Sometimes multiple
ongoing attacks with different dictionary words.]


Another scenario which I don't understand is numerous attempts with the
same recipient in a short period of time:

Dec 26 03:49:11 yyy sendmail[30146]: jBQ9nBWF030146:
from=<devnull at mlkenterprises.com>, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30146]: jBQ9nBWF030146: <tueugb at zzz.com>...
User unknown
Dec 26 03:49:11 yyy sendmail[30154]: jBQ9nBG6030154:
from=<devnull at mlkenterprises.com>, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30154]: jBQ9nBG6030154: <tueugb at zzz.com>...
User unknown
Dec 26 03:49:11 yyy sendmail[30148]: jBQ9nAba030148:
from=<devnull at mlkenterprises.com>, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30148]: jBQ9nAba030148: <tueugb at zzz.com>...
User unknown
Dec 26 03:49:11 yyy sendmail[30150]: jBQ9nAmi030150:
from=<devnull at mlkenterprises.com>, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30150]: jBQ9nAmi030150: <tueugb at zzz.com>...
User unknown
Dec 26 03:49:11 yyy sendmail[30153]: jBQ9nBvs030153:
from=<devnull at mlkenterprises.com>, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]

[repeats 10 or 15 more times within a minute or so]

Alan



More information about the MIMEDefang mailing list