[WBEL-users] Ever hear of this type of setup/config?
Rafael Baquero S.
rbaqueros@yahoo.com.mx
Mon, 9 Aug 2004 13:59:06 -0500
Hi.
If I understand correctly the setup you are proposing, it might create some
problems for valid e-mail users. For instance, user1@origindomain.com is
trying to send a message to bob@domain.com and by mistake types e-mail
address bobb@domain.com, then if the mail servers simply dump the message
user1@origindomain.com will not receive any error message indicating the type
of problem. The correct response for this type of error is a message from the
destination server indicating that bobb@domain.com is not a valid user.
The second problem with the setup you describe is that it will not prevent
the attacker from obtaining valid e-mail addresses from your server, which is
the purpose of the attack.
A better strategy would probably be to develop a few simple (or maybe not so
simple) programs or scripts that detect the patterns of attacks you have seen
so far and which would block via iptables the IP address from which the
attacks are originating, either on a permanent basis or for a few hours.
These same scripts/programs could also notify of the attack so that you can
complain to the attacker's ISP. Or they could inform you about the attacker's
IP so that you can throw any available cracker tools and maybe even your
dirty laundry at them and hopefully wipe them off the internet for good :)
I am not sure about the difficulty of implementing this with sendmail/postfix;
I am a qmail user myself.
Hope this helps.
Rafael.
On Friday 06 August 2004 12:46, Jeff Maze wrote:
> Hello,
> I don't remember if it was on this list, but I remember reading
> somewhere that someone set up a sendmail/postfix server running as a
> secondary mail server and to help curb the amount of dictionary attack
> e-mails (TO: bob1@domain.com, bob2@domain.com, ... bob57@domain.com, etc.),
> they had the sec server look up valid e-mail addresses in a database (I
> believe via MySQL). If it was valid, then it forwarded it onto the primary
> server; if not, it dumped it.
> We're getting a lot of dictionary attack e-mails through our sec
> server (running WBEL) and would like to implement something like this (if
> possible). Thank you for your time and attention. -Jeff
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
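Rafael's suggestion of a script that spots the dictionary-attack pattern in the mail log and blocks the source with iptables, written out as an added example that is not code from the original posts: it assumes Postfix-style "User unknown" rejection lines (a constructed sample log is embedded below; qmail and sendmail log formats differ, so the regex would need adjusting), and it only produces the iptables commands with a recorded expiry rather than executing them. A single mistyped recipient stays below the threshold, so a legitimate sender still gets the normal bounce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches Postfix-style "User unknown" rejections; adjust the pattern for qmail or sendmail logs.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*reject: RCPT from \S*\[(?P<ip>[\d.]+)\]:"
    r" 550 .*User unknown")

def parse_rejects(log_text, year=2004):
    """Yield (timestamp, client_ip) for every unknown-recipient rejection in the log."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_rejects} for clients with >= threshold rejections inside any window.
    A single typo like bobb@domain.com never reaches the threshold, so it is not blocked."""
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def block_commands(hits, now, ban_hours=4):
    """iptables rules (as strings) dropping SMTP from each offender; the expiry is stored in the
    rule comment so a cron job can later delete rules whose 'until' time has passed."""
    until = (now + timedelta(hours=ban_hours)).strftime("%Y-%m-%dT%H:%M")
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP "
            f"-m comment --comment 'dictattack {n} rejects, until {until}'" for ip, n in hits.items()]

# Constructed sample log: one client probes bob1..bob6 within a minute, another makes one typo.
def _line(secs, ip, rcpt):
    return (f"Aug  9 13:01:{secs:02d} mx2 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}@domain.com>: Recipient address rejected: User unknown")
SAMPLE_LOG = "\n".join([_line(i, "203.0.113.7", f"bob{i}") for i in range(1, 7)]
                       + [_line(30, "198.51.100.20", "bobb")])
```

Running `block_commands(offenders(parse_rejects(SAMPLE_LOG)), now)` yields a single DROP rule for 203.0.113.7 and nothing for the client that mistyped one address.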