Strategies For Detecting / Responding to Dictionary Attacks
Hello,
I have been researching methods for dealing with dictionary attacks
using sendmail. In January, we picked up a client w/ a three letter domain
name that happens to be a huge target for these types of attacks. We run a
three node sendmail cluster and each of the boxes is being hit w/ 2-3 failed
attacks / second.

Dec 11 04:02:16 node3 sendmail[29488]: jBB92Aq6029488: <joeyj@xxxxxxx>... Mailbox 'joeyj' does not exist.
Dec 11 04:02:17 node3 sendmail[29774]: jBB92BRI029774: <cope@xxxxxxx>... Mailbox 'cope' does not exist.
Dec 11 04:02:17 node3 sendmail[29915]: jBB92CAg029915: <coopert@xxxxxxx>... Mailbox 'coopert' does not exist.
Dec 11 04:02:17 node3 sendmail[26189]: jBB90W0P026189: rjake@xxxxxxxxxx Mailbox 'rjake' does not exist.

We have implemented a variety of methods to deal with this;

1. Upgraded to Sendmail 8.13.1 w/ all the trimmings enabled:

dnl wait 5000 ms before the SMTP greeting; clients that talk early are rejected
FEATURE(`greet_pause', `5000')dnl
dnl per-client connection rate limits (ClientRate: entries in the access map)
FEATURE(`ratecontrol', `nodelay',`terminate')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60')dnl
FEATURE(`ratecontrol', ,`terminate')dnl
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
dnl per-client concurrent connection limits (ClientConn: entries in the access map)
FEATURE(`conncontrol', `nodelay',`terminate')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `20')dnl
dnl after 2 bad recipients in a session, sleep one second per further RCPT
define(`confBAD_RCPT_THROTTLE',`2')dnl

2. Installed milter-ahead
3. Installed several RBLS

The BAD_RCPT_THROTTLE has been helpful in limiting the attacks to one lookup
/ second, but we are looking for a way to detect and automatically respond
to these attacks. Our current methodology is to analyze the last 10,000
lines of the mail-log every 30 minutes using the following logic, given the
following log entries:

Dec 11 12:36:08 node1 sendmail[20980]: jBBHZivx020980: <pepsiman@xxxxxxx>... Mailbox 'pepsiman' does not exist.
Dec 11 12:36:09 node1 sendmail[20980]: jBBHZivx020980: <perc@xxxxxxx>... Mailbox 'perc' does not exist.
Dec 11 12:36:09 node1 sendmail[20980]: jBBHZivx020980: chello080109102100.12.15.vie.surfer.at [80.109.102.100]: Possible SMTP RCPT flood, throttling.
Dec 11 12:36:10 node1 sendmail[20980]: jBBHZivx020980: <peresila@xxxxxxx>... Mailbox 'peresila' does not exist.
Dec 11 12:36:12 node1 sendmail[20980]: jBBHZivx020980: <perf@xxxxxxx>... Mailbox 'perf' does not exist.
Dec 11 12:36:13 node1 sendmail[20980]: jBBHZivx020980: <perfecto@xxxxxxx>... Mailbox 'perfecto' does not exist.
Dec 11 12:36:14 node1 sendmail[20980]: jBBHZivx020980: <pericles@xxxxxxx>... Mailbox 'pericles' does not exist.
Dec 11 12:36:16 node1 sendmail[20980]: jBBHZivx020980: <perini@xxxxxxx>... Mailbox 'perini' does not exist.
Dec 11 12:36:17 node1 sendmail[20980]: jBBHZivx020980: <perki@xxxxxxx>... Mailbox 'perki' does not exist.

a. Create a list of all message-ids received by our server destined for the
target domain
b. Extract a list of all log-entries related to those message ids
c. Extract a list of all IP addresses that contain the word "throttling" and
count the number of times the particular host has been throttled
d. Add an iptables rule to drop inbound SMTP connections from that host

There has to be a better way... I must be missing it. I'm not a code
hacker, but it seems logical that sendmail could easily track the number of
bad mailbox requests by host, and implement some logic to stop accepting
connections from that host for a period of time. Optimally, what I would
like to see is some method that would allow me to tune the behavior of the
RCPT throttling and implement automatic black-listing of offending hosts for
a configurable period of time. Something along the lines of "if host a trips
rcpt throttling, increment throttle counter. If throttle counter > 5,
blacklist for 30 minutes".

There is some mention of "exponential backoff" in srvrsmtp.c, but it carries
the following warning:

/*
** Don't use exponential backoff for now.
** Some servers will open more connections
** and actually overload the receiver even
** more.
*/

Any comments on this?
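An added example (not from the original post) of the log analysis described in steps a-d together with the proposed "more than 5 throttle trips, blacklist for 30 minutes" policy. It runs over constructed log lines in the format quoted above; the hostnames, 192.0.2.x addresses, queue ids and the year used for parsing are assumptions, and the iptables rule is returned as a string for a cron job to apply and later remove.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

THROTTLE_LIMIT = 5                 # post's policy: more than 5 throttle events...
BLOCK_FOR = timedelta(minutes=30)  # ...blacklists the host for 30 minutes
LOG_YEAR = 2005                    # syslog lines carry no year; assumed for parsing
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
BAD_RCPT_RE = re.compile(r"<[^@>]+@(?P<domain>[^>]+)>\.\.\. Mailbox '[^']+' does not exist\.")
THROTTLE_RE = re.compile(r"\S+ \[(?P<ip>[\d.]+)\]: Possible SMTP RCPT flood, throttling\.")

# Constructed sample in the post's log format: one client throttled 6 times on example.com, another once elsewhere.
PFX = "Dec 11 12:%s node1 sendmail[%s]: %s: "
SAMPLE_LOG = (
    [PFX % ("36:08", 20980, "jBBHZivx020980") + "<pepsiman@example.com>... Mailbox 'pepsiman' does not exist."]
    + [PFX % ("36:%02d" % (9 + i), 20980, "jBBHZivx020980")
       + "dsl-pool.example.net [192.0.2.10]: Possible SMTP RCPT flood, throttling." for i in range(6)]
    + [PFX % ("40:01", 21002, "jBBHe1Ab021002") + "<bob@other.test>... Mailbox 'bob' does not exist.",
       PFX % ("40:02", 21002, "jBBHe1Ab021002") + "mx.other.test [192.0.2.77]: Possible SMTP RCPT flood, throttling."]
)

def parse_ts(ts):
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, target_domain):
    """Steps a-d from the post: queue ids that hit the target domain, the throttle
    lines tied to those ids, then a per-IP count. Returns {ip: blacklist expiry}."""
    target_qids, throttles = set(), defaultdict(list)  # throttles: ip -> [(qid, ts)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        qid, rest = m.group("qid"), m.group("rest")
        bad = BAD_RCPT_RE.search(rest)
        if bad and bad.group("domain") == target_domain:
            target_qids.add(qid)
        hit = THROTTLE_RE.search(rest)
        if hit:
            throttles[hit.group("ip")].append((qid, parse_ts(m.group("ts"))))
    # Filter only after the whole log is read: a throttle line may precede its queue id's bad-rcpt line.
    blocks = {}
    for ip, events in throttles.items():
        stamps = [ts for qid, ts in events if qid in target_qids]
        if len(stamps) > THROTTLE_LIMIT:
            blocks[ip] = max(stamps) + BLOCK_FOR
    return blocks

def iptables_rule(ip):  # step d: the rule a cron job would add, and delete again after expiry
    return f"iptables -I INPUT -p tcp --dport 25 -s {ip} -j DROP"
```

The expiry timestamp is what makes the "for a configurable period of time" part work: the same cron job that adds rules compares the stored expiries against the current time and deletes the ones that have passed.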
