Mailing List Archive

Dictionary attack defence ideas?
Some happy chappie decided to run a dictionary attack against my Exim 4.04
installation earlier:

2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<amber@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<alex@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<anne@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<alison@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<alec@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<angie@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
(mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
<amy@SAARINEN.ORG>: Unrouteable address

... etc, ad nauseam.

I've searched Google, and the mailing list archives, but drawn a blank on
finding anything that might be useful to combat dictionary attacks.

Is there a way to e.g. teergrube idiots who bombard your server with lots
of connections? Max_connections_per_host or something?


--
Juha Saarinen
Re: Dictionary attack defence ideas?
At 14:48 +1200 8/7/02, Juha Saarinen wrote:

>Some happy chappie decided to run a dictionary attack against my Exim 4.04
>installation earlier:

I get these continuously for one of my domains, but weirdly not in
any order, and not from the same host. For example:

2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46]
F=<john@accucon.com> rejected RCPT <mstuder@stairways.com.au>:
unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46]
F=<john@accucon.com> rejected RCPT <brandonh@stairways.com.au>:
unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46]
F=<john@accucon.com> rejected RCPT <mount@stairways.com.au>: unknown
user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46]
F=<john@accucon.com> rejected RCPT <yoneyama@stairways.com.au>:
unknown user
...
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46]
F=<john@epix.net> rejected RCPT <rclegg@stairways.com.au>: unknown
user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46]
F=<john@epix.net> rejected RCPT <qm@stairways.com.au>: unknown user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46]
F=<john@epix.net> rejected RCPT <bathory@stairways.com.au>: unknown
user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46]
F=<john@epix.net> rejected RCPT <aissa@stairways.com.au>: unknown user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46]
F=<john@epix.net> rejected RCPT <murfoid@stairways.com.au>: unknown
user
...
etc.

Basically, batches of 29 from john@<somewhere> (and other cases, but
this is common).

Shrug. I don't know why or how to stop them.

From a single host, you can blacklist the host with:

host_reject_connection = /Users/exim/exim/blacklist-hosts

and then in the file list (one per line) the IP address for each host
you don't want connections from (or domain names, but list them after
all IPs).

>I've searched Google, and the mailing list archives, but drawn a blank on
>finding anything that might be useful to combat dictionary attacks.
>
>Is there a way to e.g. teergrube idiots who bombard your server with lots
>of connections? Max_connections_per_host or something?

Since mine come in batches from different servers, I don't think
anything will work. I guess if I could set up Exim to reject
connections for the next 24 hours from any host that sent two "user
unknown" rcpts in a connection (I run a private site so user unknown
should be unusual), then I could try that. Shrug, mostly I guess I
can just ignore it, the only problem is if they are using this
technique to gather email addresses into spam lists, in which case
the user unknown is actually helping them, but I don't see what can
be done of that either.

Any ideas?
Peter.
--
<http://www.interarchy.com/> <http://download.interarchy.com/>
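The two reject logs quoted above (Juha's 31 alphabetical probes in one connection, Peter's batches from john@somewhere) and Peter's proposed rule (block any host that sends two or more unknown-user RCPTs in one connection, for 24 hours) can be turned into a small log check. The following Python is an added example, not code from the thread or from Exim. It assumes one log entry per line in the Exim 4 "rejected RCPT" format shown above, and treats rejects sharing client IP, envelope sender and timestamp as one SMTP connection, which is the heuristic used in this thread rather than something the log format guarantees. The sample log is constructed from lines posted here plus one benign reject from a documentation address (192.0.2.10); its output is one IP per line, the format Peter's host_reject_connection file reads.

```python
"""Spot SMTP dictionary attacks in an Exim 4 reject log and derive a host
block list from them.

Added example, not code from the thread or from Exim.  Assumptions: entries
are one per line in the Exim 4 "rejected RCPT" format quoted in the thread;
rejects sharing client IP, envelope sender and timestamp are treated as one
SMTP connection (the thread's heuristic, not a guarantee of the log format);
the sample log is constructed from posted lines plus one benign reject.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Exim 4 reject-log line.  H= may carry a reverse-DNS name, a (HELO name)
# in parentheses, or both; the client IP is always in square brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?:(?P<host>[^\s(]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# Constructed sample: five of Juha's rejects, two of Peter's, one benign typo.
SAMPLE_LOG = """\
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net (mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT <amber@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net (mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT <alex@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net (mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT <anne@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net (mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT <alison@SAARINEN.ORG>: Unrouteable address
2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net (mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT <alec@SAARINEN.ORG>: Unrouteable address
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@accucon.com> rejected RCPT <mstuder@stairways.com.au>: unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@accucon.com> rejected RCPT <brandonh@stairways.com.au>: unknown user
2002-07-08 11:02:10 H=mail.example.net [192.0.2.10] F=<alice@example.net> rejected RCPT <bobb@SAARINEN.ORG>: Unrouteable address
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse(log_text):
    """Return one dict per reject line; lines in other formats are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def bursts(records):
    """Map (ip, sender, timestamp) -> set of distinct rejected recipients."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["ip"], r["sender"], r["ts"])].add(r["rcpt"].lower())
    return groups


def find_attacks(records, threshold=5):
    """Connections with at least `threshold` distinct rejected recipients,
    oldest first.  Counting distinct recipients ignores simple retries."""
    groups = sorted(bursts(records).items(), key=lambda kv: (kv[0][2], kv[0][0]))
    return [
        {"ip": ip, "sender": sender, "ts": ts, "rejected": sorted(rcpts)}
        for (ip, sender, ts), rcpts in groups
        if len(rcpts) >= threshold
    ]


def active_blocks(records, now, threshold=2, window_hours=24):
    """Peter's rule: block every IP that had a connection with `threshold` or
    more unknown-user rejects in the last `window_hours`.  `now` is a
    timestamp string in log format; returns the sorted list of IPs."""
    cutoff = datetime.strptime(now, TS_FORMAT) - timedelta(hours=window_hours)
    blocked = {
        a["ip"]
        for a in find_attacks(records, threshold)
        if datetime.strptime(a["ts"], TS_FORMAT) >= cutoff
    }
    return sorted(blocked)


def host_list(ips):
    """Render one IP per line, the file format host_reject_connection reads."""
    return "\n".join(ips) + "\n"


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for a in find_attacks(recs):
        print(f"{a['ts']} {a['ip']} F=<{a['sender']}>: "
              f"{len(a['rejected'])} bogus recipients in one connection")
    print(host_list(active_blocks(recs, "2002-07-08 12:00:00")), end="")
```

Keep the per-connection threshold above what a legitimate sender's typos produce on your site; Peter's "two is unusual" holds for a private domain but not for a busy one. Generating the host list file from the log on a timer, rather than hand-editing it, is what makes the 24-hour expiry work.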
Re: Dictionary attack defence ideas?
On Mon, Jul 08, 2002 at 02:48:20PM +1200, Juha Saarinen wrote:
| Some happy chappie decided to run a dictionary attack against my Exim 4.04
| installation earlier:
|
| 2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
| (mx.spamcop.net) [68.82.4.229] F=<webmaster@spamcop.net> rejected RCPT
| <amber@SAARINEN.ORG>: Unrouteable address
[...]
| ... etc, ad nauseam.
|
| I've searched Google, and the mailing list archives, but drawn a blank on
| finding anything that might be useful to combat dictionary attacks.
|
| Is there a way to e.g. teergrube idiots who bombard your server with lots
| of connections? Max_connections_per_host or something?

That was more than likely a single connection. There is a max rcpts
option, but I think it only applies to successful recipients.

You could accept all rcpts at RCPT time and reject/bounce the message
later. If the attacker is merely trying to build a spam list and
quits before DATA, then you've just given a whole list of "verified"
but bogus addresses to them. If you get some spam with a bogus return
address you're stuck unless you do the rejection after DATA.

Hmm, with a host like that they may be in the DUL. If you want you
can reject mail from DUL-listed hosts and tell them to use their ISP's
smarthost instead.

I keep getting hit from a DSL-connected spammer in spain, and in
addition to my address they also try "ga16040" and
"ga11581@dman.ddts.net". Repeatedly. No amount of rejection makes
them go away. Since their spam got through SA, I added their host to
a reject list. (If you want it : 217.127.31.182 , 217.125.79.217)
They still won't go away. At least I'm not crunched for that
bandwidth =p. (If I was I'd add them to my nimbda-based IP-level
blocking.)

-D

--

If we claim to be without sin, we deceive ourselves and the truth is not
in us.
I John 1:8

http://dman.ddts.net/~dman/

Re: Re: Dictionary attack defence ideas?
On Sun, 7 Jul 2002, Derrick 'dman' Hudson wrote:

> That was more than likely a single connection. There is a max rcpts
> option, but I think it only applies to successful recipients.
>
> You could accept all rcpts at RCPT time and reject/bounce the message
> later. If the attacker is merely trying to build a spam list and
> quits before DATA, then you've just given a whole list of "verified"
> but bogus addresses to them.

Bummer. That's annoying.

> Hmm, with a host like that they may be in the DUL. If you want you
> can reject mail from DUL-listed hosts and tell them to use their ISP's
> smarthost instead.

Hmmm... might be worth the trouble to fill out the MAPS form for
individual sites then.

> I keep getting hit from a DSL-connected spammer in spain, and in
> addition to my address they also try "ga16040" and
> "ga11581@dman.ddts.net". Repeatedly. No amount of rejection makes
> them go away. Since their spam got through SA, I added their host to
> a reject list. (If you want it : 217.127.31.182 , 217.125.79.217)
> They still won't go away. At least I'm not crunched for that
> bandwidth =p. (If I was I'd add them to my nimbda-based IP-level
> blocking.)

Too bad. The Spanish (almost wrote "Spammish") ISP won't take action
against their customer?

Anyway, need to think about this one.

--
Juha Saarinen
Re: Dictionary attack defence ideas?
On Mon, 8 Jul 2002, Juha Saarinen wrote:

> Is there a way to e.g. teergrube idiots who bombard your server with lots
> of connections? Max_connections_per_host or something?

smtp_accept_max_per_host

See also smtp_ratelimit_xxx for slowing down multiple commands on a
single connection.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: Re: Dictionary attack defence ideas?
On Sun, 7 Jul 2002, Derrick 'dman' Hudson wrote:

> That was more than likely a single connection. There is a max rcpts
> option, but I think it only applies to successful recipients.

In the next release you will be able to access the number of RCPTs
separately from the number of accepted RCPTs, in the ACL.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: Dictionary attack defence ideas?
On Mon, Jul 08, 2002 at 09:40:20AM +0100, Philip Hazel wrote:
> On Mon, 8 Jul 2002, Juha Saarinen wrote:
> > Is there a way to e.g. teergrube idiots who bombard your server with lots
> > of connections? Max_connections_per_host or something?
> smtp_accept_max_per_host
> See also smtp_ratelimit_xxx for slowing down multiple commands on a
> single connection.

I'm thinking of patching the ACLs to include a "delay" modifier which
will always be true, but delay the answer of the running ACL. I need
to have a proper look at the code but this didn't look like a hugely
difficult thing to do.

Combined with the perl directives, I think this could allow me to
ditch SAUCE altogether. ;-)

MBM

--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
Re: Dictionary attack defence ideas?
On Mon, 8 Jul 2002, Philip Hazel wrote:

> smtp_accept_max_per_host
>
> See also smtp_ratelimit_xxx for slowing down multiple commands on a
> single connection.

Thanks, Philip. Didn't look hard enough, as usual.

Looking at the reject log, I count 31 different addressees, and as the
entries have the same time stamp, I assume it's a single connection as
"dman" mentioned.

Hmmm.... reading the spec, it seems that for cases like the above,
smtp_ratelimit_hosts combined with smtp_ratelimit_rcpt and
smtp_ratelimit_mail would take care of the issue.


--
Juha Saarinen
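The smtp_ratelimit_mail and smtp_ratelimit_rcpt options Philip points at take a four-part value, "threshold, initial delay, factor, maximum delay": once a connection has issued the threshold number of MAIL (or RCPT) commands, each further one is answered after a delay that starts at the initial value and is multiplied by the factor each time, up to the maximum. The following Python is an added model of that schedule, written for this page and not Exim's own code, so the exact timing of a real Exim may differ slightly; it shows what the 31-recipient probe counted above would cost the attacker. The candidate settings in it are illustrative assumptions, not recommendations from the thread, and the options only apply to clients matched by smtp_ratelimit_hosts.

```python
"""Model the teergrube effect of Exim 4's smtp_ratelimit_rcpt / _mail options.

Added example, not Exim's own code.  It follows the spec's description of the
option value "threshold,initial delay,factor,maximum delay": after `threshold`
commands of the limited type on one connection, every further command is
answered after a delay that starts at `initial` and is multiplied by `factor`
each time, capped at `maximum`.  The settings used below are illustrative
assumptions.  The options only bite for clients matched by
smtp_ratelimit_hosts.
"""
import re

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"(\d+(?:\.\d+)?)([smhdw])")


def parse_interval(text):
    """Exim-style time interval ("0.25s", "4m", "1h30m") -> seconds as float.
    Rejects anything that is not a run of number+unit pairs."""
    pos, total = 0, 0.0
    for m in _TIME_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad time interval: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad time interval: {text!r}")
    return total


def parse_ratelimit(setting):
    """"threshold,initial,factor,max" -> (int, seconds, float, seconds)."""
    parts = [p.strip() for p in setting.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected four comma-separated items: {setting!r}")
    threshold, initial, factor, maximum = parts
    return (int(threshold), parse_interval(initial),
            float(factor), parse_interval(maximum))


def delay_schedule(n_commands, setting):
    """Seconds Exim waits before answering each of n_commands commands of one
    type (RCPT for smtp_ratelimit_rcpt, MAIL for smtp_ratelimit_mail) sent on
    a single connection.  Commands up to the threshold are answered at once."""
    threshold, initial, factor, maximum = parse_ratelimit(setting)
    delays, current = [], None
    for i in range(1, n_commands + 1):
        if i <= threshold:
            delays.append(0.0)
            continue
        current = initial if current is None else min(maximum, current * factor)
        delays.append(current)
    return delays


def total_delay(n_commands, setting):
    """Total extra time the client spends waiting for replies."""
    return sum(delay_schedule(n_commands, setting))


def compare(n_commands, settings):
    """Total delay in seconds (rounded to 0.01) for each candidate setting."""
    return {s: round(total_delay(n_commands, s), 2) for s in settings}


if __name__ == "__main__":
    # 31 RCPTs, as counted in the reject log above, under two candidate values.
    for setting, secs in compare(31, ["4,0.25s,1.015,4m", "10,1s,1.5,1m"]).items():
        print(f"smtp_ratelimit_rcpt = {setting:<18} -> {secs:8.2f} s for 31 RCPTs")
```

The factor matters more than the initial delay: with 1.015 the per-command delay barely grows over 31 recipients, while 1.5 hits the one-minute cap by the twelfth delayed RCPT and the probe costs the client nearly thirteen minutes. The cost is paid by your own daemon too, since each delayed connection holds a process, so pair an aggressive factor with smtp_accept_max_per_host.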
RE: Dictionary attack defence ideas?
Is this only an exim4 thing or will it work on exim 3 ?

I have people mailing through our outbound servers, allowed because dial-up
IPs are allowed to relay, but when they decide to spam or send to loads of
different recipients, it's harder to find now as they keep changing their
from address and sending small numbers at a time of say 50-60.

They must be coming from the same host though, so will
smtp_accept_max_per_host or smtp_ratelimit_xxx help?

cheers

--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##
RE: Dictionary attack defence ideas?
On Mon, 8 Jul 2002, David Markham wrote:

> Is this only an exim4 thing or will it work on exim 3 ?

smtp_accept_max_per_host has been in Exim 3 for a long time.

The ratelimiting stuff is Exim 4.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
RE: Dictionary attack defence ideas?
On Mon, 8 Jul 2002, David Markham wrote:

> Thanks so would the smtp_accept_max_per_host stop the amount of mails that
> the user is sending if more than what the limit is set to?

spec.txt is your friend.


smtp_accept_max_per_host Type: integer Default: 0

This option restricts the number of simultaneous IP connections from a
single host (strictly, from a single IP address) to the Exim daemon. Once
the limit is reached, additional connection attempts are rejected with
error code 421. The default value of zero imposes no limit. If this option
is not zero, it is required that "smtp_accept_max" also be non-zero.



--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
RE: Dictionary attack defence ideas?
Thanks so would the smtp_accept_max_per_host stop the amount of mails that
the user is sending if more than what the limit is set to?

D

Re: Dictionary attack defence ideas?
On Mon, Jul 08, 2002 at 05:28:19PM +0100, David Markham wrote:
| Thanks so would the smtp_accept_max_per_host stop the amount of mails that
| the user is sending if more than what the limit is set to?

As Philip and the spec say, only if they use multiple
simultaneous IP-level connections. If they feed multiple RCPTs on the
same MAIL FROM:, that won't have any effect. If they feed multiple
messages, in serial, down the same connection it won't have any
effect. If they repeatedly close the connection and open a new one,
that won't have any effect.

Each of these scenarios presents a single simultaneous connection from
the host.

(well, it will if you set the max to 0, but in that case why run exim? :-))

-D

--

The crucible for silver and the furnace for gold,
but the Lord tests the heart.
Proverbs 17:3

http://dman.ddts.net/~dman/

RE: Dictionary attack defence ideas?
On Mon, 8 Jul 2002, David Markham wrote:

> Is this only an exim4 thing or will it work on exim 3 ?

Looks like the same options are in 3.3x as well:

http://www.exim.org/exim-html-3.30/doc/html/spec_toc.html#TOC363

> I have have people mailing through our outbound servers allowed due to dial
> up ips allowed to relay, but when they decide to spam or send to loads of
> different recipients, its harder to find now as they keep changing their
> from address and sending small numbers at a time of say 50-60.
>
> They must be coming from the same host though, so will
> smtp_accept_max_per_host or smtp_ratelimit_xxx help?

I don't know how it would work with relaying.

Wouldn't a harshly enforced ToC for the spamming users be a good idea?

--
Juha Saarinen