nanog mailing list archives
Re: New mail blocks result of Ralsky's latest attacks?
From: Suresh Ramasubramanian <suresh () outblaze com>
Date: Fri, 10 Oct 2003 20:47:51 +0530
Bob German writes on 10/10/2003 8:29 PM:
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them. Could this be why everyone's locking up their mail servers all of a sudden? Does anyone know of a way to stop them?
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
(yes, this is a rather expensive set of checks)

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
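To see what the header_checks rules above actually accept and reject, here is an added example (not code from the post or from postfix): a simplified Python model of a pcre: header_checks table that unfolds Received: headers the way postfix does and returns the first matching rule's action. The relay addresses it is run against are constructed sample values; the table parser is an approximation of postfix's and does not cover every pcre_table(5) feature.

```python
import re

# Constructed copy of the pcre: header_checks rules quoted in the post (one rule per line).
HEADER_CHECKS = r"""
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl
"""

# One table line: '/pattern/flags ACTION text' (pattern assumed free of bare '/').
RULE_RE = re.compile(r"^/(?P<pat>.*?)/[a-zA-Z!]*\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")

def parse_header_checks(table):
    """Simplified pcre: table parser: returns (regex, action, text) per rule.
    Postfix pcre tables match case-insensitively by default, so compile with re.I."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if line and not line.startswith("#") and m:
            rules.append((re.compile(m.group("pat"), re.I), m.group("action"), m.group("text") or ""))
    return rules

def unfold_headers(raw):
    """Join folded continuation lines; postfix matches each logical header as one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def check_headers(raw, rules):
    """(action, text) of the first rule matching any logical header, else None."""
    for header in unfold_headers(raw):
        for regex, action, text in rules:
            if regex.search(header):
                return action, text
    return None

def decision_for_relay(ip):
    """Run a constructed, folded Received: header naming `ip` as the relay through the table."""
    header = "Received: from relay.example\n\t(unknown [%s]) by mx.example.org with SMTP\n" % ip
    result = check_headers(header, parse_header_checks(HEADER_CHECKS))
    return result[0] if result else "OK"
```

Note that the patterns are range-shaped, not exact: 218.70.12.x falls between two of the rules and is accepted, while 218.70.131.x is rejected, so a table like this deserves a check against your own inbound relays before deployment.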