nanog mailing list archives

Re: New mail blocks result of Ralsky's latest attacks?


From: Suresh Ramasubramanian <suresh () outblaze com>
Date: Fri, 10 Oct 2003 20:47:51 +0530


Bob German writes on 10/10/2003 8:29 PM:

A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them. Could this be why everyone's locking up their mail servers all of a sudden? Does anyone know of a way to stop them?

Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -

/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/  REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/          REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/         REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/      REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/      REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/            REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669

        srs (yes, this is a rather expensive set of checks)

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
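Added example, not part of the post above: a small harness that parses the posted pcre: header_checks rules and applies them to constructed Received: lines, so an operator can see which address ranges a rule set actually covers before deploying it. Python's re module stands in for Postfix's PCRE engine (these patterns use only constructs the two share, and Postfix pcre tables are case-insensitive by default with first-match-wins); the sample headers and the rule messages without the Spamhaus URL are constructed for the example.

```python
import re

# Constructed copy of the rules from the reply (pcre: table format:
# /pattern/ ACTION text), with the evidence URLs trimmed from the text.
HEADER_CHECKS = r"""
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/  REJECT Ralsky from cqnet.com.cn
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/          REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/         REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/      REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/      REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/            REJECT Ralsky from cncgroup-hl
"""

# One table line: /pattern/ ACTION [optional text].  Non-greedy so a "/"
# inside the action text (e.g. a URL) does not swallow the delimiter.
RULE_RE = re.compile(r"^/(.*?)/\s+(\S+)(?:\s+(.*))?$")

def parse_header_checks(text):
    """Return [(compiled_regex, action, text)] in table order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        pattern, action, message = m.groups()
        # Postfix pcre tables default to case-insensitive matching.
        rules.append((re.compile(pattern, re.IGNORECASE), action, message or ""))
    return rules

def check_header(rules, header_line):
    """Apply the table to one header line; first matching rule wins."""
    for regex, action, message in rules:
        if regex.search(header_line):
            return action, message
    return None  # no rule matched: header passes

# Constructed Received: lines (not from any real message).
SAMPLES = {
    "blocked_bracket": "Received: from relay.example (unknown [218.70.10.5]) by mx.example",
    "blocked_space":   "Received: from 211.158.40.9 by mx.example",
    "uncovered_12":    "Received: from relay.example (unknown [218.70.12.5]) by mx.example",
    "uncovered_80":    "Received: from relay.example (unknown [218.70.80.5]) by mx.example",
    "other_header":    "Subject: 218.70.10.5",
}

def classify_samples():
    rules = parse_header_checks(HEADER_CHECKS)
    return {name: check_header(rules, hdr) for name, hdr in SAMPLES.items()}
```

On a real Postfix host the equivalent check is `postmap -q - pcre:/etc/postfix/header_checks < sample_headers.txt`, which reports the action for each line using Postfix's own PCRE engine.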

