Bugtraq mailing list archives
Re: SMTP server account probing
From: dsf () comp uark edu (Scott Fendley)
Date: Tue, 9 Mar 1999 16:16:13 -0600
Couldn't you just compile sendmail with tcp_wrapper support, and have a script parsing your logs so that if someone manages to get n # of pokes at your system then their IP address and/or DNS server will be placed in the hosts.deny? Then as an admin you remove those that need to be removed after the problem user has been properly slapped or you could possibly run an automatic removal of k # of hours (or days).

I think some of our good programmers out there could easily write up something that will help prevent these users from even getting to sendmail and causing it to fork or anything.

Anything I am missing here?

Scott

On Tue, 9 Mar 1999 Valdis.Kletnieks () VT EDU wrote:
> On Tue, 09 Mar 1999 09:36:04 PST, you said:
> > Perhaps someone with better sendmail experience could come up with an idea to automatically disconnect connections that are issuing more than 25 VRFY statements at a time?
>
> Wrong solution. They'll just reconnect and try another 25. All you've bought then is an extra fork() of the sendmail daemon every 25 pokes. Remember, these people don't give a s**t if they waste your resources...
>
> Maybe what's needed is a new ioctl on a socket, so you can do this:
>
>     if (vrfy_cnt > 25) {
>         ioctl(net_socket,SO_NOSENDFIN);
>         close(net_socket);
>     }
>
> so you can free up the socket at YOUR end, and intentionally fail to send the FIN packet, so the OTHER end gets to wait for a timeout.
>
> Yes, yes, yes, I *KNOW* it's Evil and Against The RFCs. But it's tempting. ;)
>
> --
> Valdis Kletnieks
> Computer Systems Senior Engineer
> Virginia Tech
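
The log-driven blocking proposed at the top of this message (count pokes per client, add offenders to hosts.deny, remove them automatically after k hours), as an added example that is not part of the original post or of sendmail. The log line shape, threshold, window, block duration and allowlist are assumptions, and the addresses in the sample log are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 25                  # "n" pokes tolerated per window (assumed value)
WINDOW = timedelta(minutes=10)  # how far back pokes are counted (assumed value)
BLOCK_FOR = timedelta(hours=6)  # "k" hours until automatic removal (assumed value)
ALLOW = {"127.0.0.1"}           # never block these, e.g. your own relays

# Assumed line shape, modelled on sendmail syslog output: "... [ip]: VRFY user"
PROBE = re.compile(r"sendmail\[\d+\]: .*\[(\d{1,3}(?:\.\d{1,3}){3})\]: (?:VRFY|EXPN)\b", re.I)

def count_probes(lines, now):
    """Count VRFY/EXPN lines per client IP within WINDOW before `now`."""
    counts = Counter()
    for line in lines:
        m = PROBE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year; borrow it from `now`.
        ts = datetime.strptime(f"{now.year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if now - WINDOW <= ts <= now:
            counts[m.group(1)] += 1
    return counts

def update_blocks(blocks, counts, now):
    """Drop expired entries, then block clients at or over THRESHOLD.
    `blocks` maps ip -> expiry datetime and is the state kept between runs."""
    live = {ip: exp for ip, exp in blocks.items() if exp > now}
    for ip, n in counts.items():
        if n >= THRESHOLD and ip not in ALLOW:
            live[ip] = now + BLOCK_FOR
    return live

def hosts_deny_lines(blocks):
    """Render the managed entries in tcp_wrappers 'daemon: client' form."""
    return [f"sendmail: {ip}" for ip in sorted(blocks)]

def sample_log(now):
    """Constructed input: 30 probes from 192.0.2.10, 3 from 198.51.100.7."""
    stamp = (now - timedelta(minutes=1)).strftime("%b %d %H:%M:%S")
    mk = lambda ip, i: f"{stamp} mx sendmail[{900 + i}]: NOQUEUE: [{ip}]: VRFY user{i}"
    return [mk("192.0.2.10", i) for i in range(30)] + [mk("198.51.100.7", i) for i in range(3)]

if __name__ == "__main__":
    now = datetime(1999, 3, 9, 16, 16, 13)
    print("\n".join(hosts_deny_lines(update_blocks({}, count_probes(sample_log(now), now), now))))
```

The rendered lines are meant to live in a section of hosts.deny reserved for the script, so that entries an admin added by hand are never expired by it.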