Re: Discovering users by RCPT TO

[Faisal Khan <faisal () netxs com pk>]

Turning on Reverse DNS and Tarpitting helps for Dictionary Attacks.



At 09:57 PM 1/14/2005, you wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I see spammers hitting my MTA daily with dictionary RCTP TO queries
> and there isn't much you can really do against it; however I have been
> thinking about a solution using real time blockers.
>
> The idea is to monitor the logfile of the MTA, looking for a host
> getting more than "X" failed destination addresses (I think 2 or 3 is
> a nice entry threshold). Then when they reach the threshold their IP
> gets put into a local DNS server that is used by the MTA to as a real
> time blocker.
>
> This wouldn't' require more than another RBL addition to the MTA and
> then an external script tied to either bind or djbdns.
>
> thoughts?
> dmz
>
> Vince Hoang wrote:
>
> |On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
> |
> |>I'd recommend disabling it unless you get flooded by such spam
> |>attacks. I would probably consider it unnecessary information
> |>disclosure, depending on the environment and reason (if any)
> |>for doing it that way.
> |
> |
> |Some MTAs allow permit you to drop the session after a certain
> |number of failures, but that only slows down the dictionary
> |attacks.
> |
> |You cannot disable RCPT TO because that is how the SMTP protocol
> |designates the recipients.
> |
> |-Vince
> |
> |
> |
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFB5/nolzAVE2tZub0RAm42AJ99EswcipKsDd3mn9fGo6623n9+HwCgv58+
> XznoJeXySxmgJFxFmy9cBgg=
> =/Zsq
> -----END PGP SIGNATURE-----



Faisal Khan,  CEO
Net Access Communication
Systems (Private) Limited
________________________________

Network Security - Secure Web Hosting
Managed Internet Services - Secure Email
Dedicated Servers - Reseller Hosting

Visit www.netxs.com.pk for more information.