RE: Need help dealing with distributed dictionary attack.

From: Jefferson Cowart (jeff@cowart.net)
Date: Mon Aug 02 2004 - 20:43:53 CDT


I'm pretty sure this is not backscatter based on the e-mail addresses that
it is trying to send to. Each message is trying to go to multiple recipients
that have never existed in my domain. Additionally they seem to be in
alphabetical order. For instance:

 Out: 220 P133.internal.westcott-lahar.net ESMTP mail.westcott-lahar.net
 In: HELO cowart.net
 Out: 250 P133.internal.westcott-lahar.net
 In: MAIL FROM:<luiz.figueiraspbol.com.br>
 Out: 250 Ok
 In: RCPT TO:<dlittle@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlk@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlkelly@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlmeyer@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlmurray@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlmyers@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlneal@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlo@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: RCPT TO:<dlocke@cowart.net>
 Out: 554 <cowart.net>: Helo command rejected: Access denied
 In: DATA
 Out: 554 Error: no valid recipients
 In: QUIT
 Out: 221 Bye

I'll take a look at that other setting. Thanks.

----------------
Thanks
Jefferson Cowart
Jeff@cowart.net
-----Original Message-----
From: Wietse Venema [mailto:wietse@porcupine.org]
Sent: Monday, August 02, 2004 18:29
To: Jefferson Cowart
Cc: postfix-users@postfix.org
Subject: Re: Need help dealing with distributed dictionary attack.

Jefferson Cowart:
> I'm running a postfix mail server on debian stable (postfix version 1.1.11
> - some security backports). I have had someone that based on initial IP
> addresses seems to be from Brazil that has been running a dictionary attack
> against my server for about a year and a half now. Each time that I block
> his IP addresses he ends up just moving to a different address and
> continuing the attack. At this point it appears that he is using a largish
> (50-100 at the moment) network of computers (probably zombied windows
> machines) to launch this dictionary attack against me. While the dictionary
> attack is not in and of itself a major problem, it is causing major load
> problems on my server. I have had multiple times where he has been sending
> enough traffic down the line to cause legitimate connections to be slow or
> non functional. Additionally he has multiple times caused my servers enough
> load that they were unable to process legitimate requests. Does anyone have
> any suggestions about how to handle this problem?

/etc/postfix/main.cf:
    smtpd_error_sleep_time = 0

Are you sure this is not backscatter?
http://www.postfix.org/BACKSCATTER_README.html

        Wietse
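The distinction the two posters are arguing about (a recipient dictionary attack, where one session probes many non-existent local parts in sorted order and is refused each time, versus backscatter, where bounces for mail you never sent arrive from the null sender <> addressed to a real mailbox) can be checked mechanically from the kind of "In:/Out:" session transcript quoted above. The script below is an added example written for this page; it is not code from either poster nor from Postfix. It assumes the "In:"/"Out:" line format shown in the post, a transcript that may contain several sessions each opened by a 220 greeting, and the classification thresholds (at least five RCPT TO commands, at least 80% of them refused, local parts in sorted order) are assumptions chosen for illustration. The sample transcript is constructed: the first session reproduces the recipient list from the post with a placeholder sender address, the other two are invented to show the backscatter and normal cases.

```python
"""Triage Postfix-style SMTP session transcripts ("In:"/"Out:" lines) to
separate a recipient dictionary attack from backscatter.

A dictionary attack shows one session probing many recipients, most of them
refused, with local parts walking through a word list in sorted order.
Backscatter (bounces for mail you never sent) arrives instead from the null
sender <> and usually names one real, existing recipient.
Added example; thresholds and the sample transcript are assumptions."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*(In|Out):\s*(.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample transcript. Session 1 reuses the recipient list from the
# post (placeholder sender); sessions 2 and 3 are invented for contrast.
SAMPLE_TRANSCRIPT = """\
Out: 220 mail.example.net ESMTP
In: HELO cowart.net
Out: 250 mail.example.net
In: MAIL FROM:<sender@example.com.br>
Out: 250 Ok
In: RCPT TO:<dlittle@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlk@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlkelly@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlmeyer@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlmurray@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlmyers@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlneal@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlo@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: RCPT TO:<dlocke@cowart.net>
Out: 554 <cowart.net>: Helo command rejected: Access denied
In: DATA
Out: 554 Error: no valid recipients
In: QUIT
Out: 221 Bye
Out: 220 mail.example.net ESMTP
In: HELO mx.example.org
Out: 250 mail.example.net
In: MAIL FROM:<>
Out: 250 Ok
In: RCPT TO:<jeff@cowart.net>
Out: 250 Ok
In: DATA
Out: 354 End data with <CR><LF>.<CR><LF>
In: QUIT
Out: 221 Bye
Out: 220 mail.example.net ESMTP
In: EHLO relay.example.org
Out: 250 mail.example.net
In: MAIL FROM:<alice@example.org>
Out: 250 Ok
In: RCPT TO:<jeff@cowart.net>
Out: 250 Ok
In: QUIT
Out: 221 Bye
"""


def extract_addr(arg):
    """Return the bracketed address from 'FROM:<a@b>' / 'TO:<a@b>' ('' for <>)."""
    m = ADDR_RE.search(arg)
    return m.group(1).strip().lower() if m else arg.strip().lower()


def parse_sessions(text):
    """Split a transcript into sessions (each starts at a '220' greeting) and
    record the HELO name, the sender and the reply code to every RCPT TO."""
    sessions, cur, pending = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        direction, payload = m.groups()
        if direction == "Out":
            if payload.startswith("220 "):           # a new connection greeted
                cur = {"helo": None, "sender": None, "rcpts": [], "codes": []}
                sessions.append(cur)
            elif cur is not None and pending is not None:
                cmd, arg = pending
                if cmd == "RCPT":                    # pair the reply with its RCPT
                    cur["rcpts"].append(arg)
                    cur["codes"].append(payload[:3])
                pending = None
            continue
        if cur is None:
            continue
        parts = payload.split(None, 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd in ("HELO", "EHLO"):
            cur["helo"] = arg.strip().lower()
        elif cmd == "MAIL":
            cur["sender"] = extract_addr(arg)        # '' means the null sender <>
        elif cmd == "RCPT":
            arg = extract_addr(arg)
        pending = (cmd, arg)
    return sessions


def classify(session, min_rcpts=5, reject_ratio=0.8):
    """Label one session 'dictionary_attack', 'possible_backscatter' or 'normal'."""
    rcpts, codes = session["rcpts"], session["codes"]
    if rcpts:
        rejected = sum(1 for c in codes if c.startswith("5"))
        local_parts = [a.split("@", 1)[0] for a in rcpts]
        walks_wordlist = local_parts == sorted(local_parts)
        if (len(rcpts) >= min_rcpts
                and rejected / len(rcpts) >= reject_ratio
                and walks_wordlist):
            return "dictionary_attack"
    if session["sender"] == "":                      # MAIL FROM:<> is a bounce
        return "possible_backscatter"
    return "normal"


def triage(text):
    """Count verdicts, and count attacking sessions per HELO name so a zombie
    network that announces the same forged name (here the victim's own domain)
    stands out even when the client IP addresses keep changing."""
    verdicts, by_helo = Counter(), Counter()
    for s in parse_sessions(text):
        v = classify(s)
        verdicts[v] += 1
        if v == "dictionary_attack":
            by_helo[s["helo"]] += 1
    return verdicts, by_helo


if __name__ == "__main__":
    print(triage(SAMPLE_TRANSCRIPT))
```

Run against a real transcript (`python3 triage.py < smtpd.log` after swapping `SAMPLE_TRANSCRIPT` for `sys.stdin.read()`), the `by_helo` counter is the useful part: in the post the probing hosts all greet with the victim's own domain, which is what the `check_helo_access` rule in the transcript is already catching, so grouping by HELO name tracks the botnet across its changing IP addresses in a way that per-IP blocking cannot.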