[WBEL-users] Ever hear of this type of setup/config?

Rafael Baquero S. rbaqueros@yahoo.com.mx
Mon, 9 Aug 2004 13:59:06 -0500


Hi.

If I understand correctly the setup you are proposing, it might create some 
problems for valid e-mail users. For instance, user1@origindomain.com is 
trying to send a message to bob@domain.com and by mistake types the e-mail 
address bobb@domain.com; then, if the mail servers simply dump the message, 
user1@origindomain.com will not receive any error message indicating the type 
of problem. The correct response for this type of error is a message from the 
destination server indicating that bobb@domain.com is not a valid user.

The second problem with the setup you describe is that it will not prevent 
the attacker from obtaining valid e-mail addresses from your server, which is the 
purpose of the attack.

A better strategy would probably be to develop a few simple (or maybe not so 
simple) programs or scripts that detect the patterns of attacks you have seen 
so far and which would block via iptables the IP address from which the 
attacks are originating, either on a permanent basis or for a few hours. 
These same scripts/programs could also notify you of the attack so that you can 
complain to the attacker's ISP. Or they could inform you about the attacker's 
IP so that you can throw any available cracker tools and maybe even your 
dirty laundry at them and hopefully wipe them off the internet for good :)

I am not sure about the difficulty of implementing this with sendmail/postfix, 
I am a qmail user myself.

Hope this helps.

Rafael.

On Friday 06 August 2004 12:46, Jeff Maze wrote:
> Hello,
> 	I don't remember if it was on this list, but I remember reading
> somewhere that someone set up a sendmail/postfix server running as a
> secondary mail server and, to help curb the amount of dictionary attack
> e-mails (TO: bob1@domain.com, bob2@domain.com, ... bob57@domain.com, etc.),
> they had the sec server look up valid e-mail addresses in a database (I
> believe via MySQL).  If it was valid, then it forwarded it onto the primary
> server; if not, it dumped it.
> 	We're getting a lot of dictionary attack e-mails through our sec
> server (running WBEL) and would like to implement something like this (if
> possible).  Thank you for your time and attention. -Jeff
>
>
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
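The approach Rafael sketches above (reject unknown recipients properly at RCPT time so the sender gets a bounce, spot the source IP that keeps probing, block it with iptables for a while, and keep the evidence for a complaint to the ISP), written out as an added example. This is not code from the thread or from any of the mail servers mentioned; it assumes Postfix-style `smtpd` "Recipient address rejected" log lines, the sample log below is constructed, and the threshold (5 rejections) and window (10 minutes) are assumed values you would tune to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A Postfix smtpd rejection for an unknown local recipient (assumed format).
# These lines exist only because the server answers 550 at RCPT time instead
# of silently dumping the message, which is also what gives a legitimate
# sender who mistyped an address their error message.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 .*?"
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected"
)


class DictionaryAttackDetector:
    """Sliding-window count of unknown-recipient rejections per client IP."""

    def __init__(self, threshold=5, window_minutes=10, year=2004):
        self.threshold = threshold              # assumed: 5 rejects ...
        self.window = timedelta(minutes=window_minutes)  # ... within 10 minutes
        self.year = year                        # syslog timestamps carry no year
        self.recent = defaultdict(deque)        # ip -> deque of (time, recipient)
        self.blocked = {}                       # ip -> recipients probed at trigger

    def feed(self, line):
        """Consume one log line; return the IP if it just crossed the threshold."""
        m = REJECT_RE.match(line)
        if not m:
            return None
        when = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = self.recent[ip]
        q.append((when, m["rcpt"]))
        while q and when - q[0][0] > self.window:   # expire old entries
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = [rcpt for _, rcpt in q]
            return ip
        return None


def block_rule(ip):
    """iptables command that drops SMTP connections from `ip`."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def unblock_rule(ip):
    """Matching delete command; run it later (e.g. via at/cron) for a temporary block."""
    return ["iptables", "-D", "INPUT", "-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def abuse_report(detector, ip):
    """Evidence text for a complaint to the source network's abuse contact."""
    probes = detector.blocked[ip]
    minutes = int(detector.window.total_seconds() // 60)
    lines = [f"Dictionary attack against our MX from {ip}:",
             f"{len(probes)} unknown recipients rejected within {minutes} minutes, e.g.:"]
    lines += [f"  {rcpt}" for rcpt in probes[:10]]
    return "\n".join(lines)


def scan(lines, **kwargs):
    """Run the detector over a log; return (detector, IPs that triggered, in order)."""
    det = DictionaryAttackDetector(**kwargs)
    hits = [ip for line in lines if (ip := det.feed(line))]
    return det, hits


# --- constructed sample log (RFC 5737 documentation addresses) ---
def _reject(ts, ip, rcpt):
    return (f"{ts} mx2 postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<x@example.net> to=<{rcpt}> proto=ESMTP helo=<x>")


SAMPLE_LOG = [
    "Aug  9 12:00:05 mx2 postfix/smtpd[4001]: connect from unknown[198.51.100.5]",
    _reject("Aug  9 12:00:06", "198.51.100.5", "sales@domain.com"),   # slow prober:
    _reject("Aug  9 12:30:06", "198.51.100.5", "info@domain.com"),    # spread out,
    _reject("Aug  9 13:10:06", "198.51.100.5", "admin@domain.com"),   # stays under threshold
    "Aug  9 13:00:10 mx2 postfix/smtpd[4321]: connect from unknown[203.0.113.77]",
] + [
    _reject(f"Aug  9 13:00:{10 + i:02d}", "203.0.113.77", f"bob{i}@domain.com")
    for i in range(1, 7)                                              # bob1..bob6 in seconds
] + [
    _reject("Aug  9 13:05:00", "192.0.2.10", "bobb@domain.com"),      # one human typo
]

if __name__ == "__main__":
    det, hits = scan(SAMPLE_LOG)
    for ip in hits:
        print(" ".join(block_rule(ip)))
        print(abuse_report(det, ip))
```

Run as a script it prints the iptables command and the report for the one source that probed six addresses in a few seconds; the single mistyped address from 192.0.2.10 and the slow prober never reach the threshold. Feeding the detector from `tail -f` on the mail log and actually executing `block_rule` with `subprocess` is the step left to the reader, as is scheduling `unblock_rule` with `at` if the block should expire after a few hours rather than be permanent.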