Thread: Dictionary Scans And Smtp Timeouts

  1. #1
    ladylinux (Junior Member)

    Dictionary Scans And Smtp Timeouts

    Hi,

    I have a couple of customers who in the past had "Catchalls" enabled on a different system. Now since we moved these people the spammers are still hammering these accounts with massive dictionary attacks. This leads to SMTP timeouts, meaning all available connections get used up. (Catchalls are NOT being used now as they are evil things.)

    What I know about these attacks:

    1. They send about 20 messages going up through the alphabet from a unique IP.

    2. It pauses and then about 5 seconds later another 20 come in from a different IP. (It picks up alphabetically from where it left off even)

    3. This goes on until about 100,000 or so messages are sent. Then it goes away for a while and then starts over again.

    I am seeing smtpd connections taking a while to release. This leads to timeouts and retries from external mail servers.

    I obviously can't block based on IP because it appears they have an unlimited amount of IPs to use.

    On other systems I employed tarpitting as follows: after 8 consecutive connections per IP, the subsequent connections are "slowed" down to 10 secs per connection. This seems to work real well.

    I don't really see anything out there for tarpitting with Postfix, and greylisting is not an option.

    This type of dictionary attack is becoming more and more typical. So has anyone come across this, and what did you do to mitigate it?

    EDIT: I found this... I am going to play with it.

    Improving Anti-spam system - ZimbraWiki

    Thanks!!

    Francesca
    Last edited by ladylinux; 09-01-2007 at 11:54 AM.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Why don't you try this first? In the file /opt/zimbra/conf/zmmta.cf look for this entry:
    Code:
    smtpd_reject_unlisted_recipient
    and change its setting from 'no' to 'yes'. Save that file and restart postfix or zimbra and see if that helps. It will reject connections for a mail delivery to unlisted accounts. You will need to make that change every time you upgrade Zimbra as it doesn't persist.
    Last edited by phoenix; 09-02-2007 at 10:56 PM.
    Regards

    Bill

  3. #3
    ladylinux (Junior Member)

    Thanks

    Hmmm,

    Thanks for that. I am surprised it's not a default. I will try it and see. Also, it should be "yes" not "res", right?

    Thanks!!!

    Francesca
    Last edited by ladylinux; 09-02-2007 at 06:50 PM.
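
Added example (not written by any poster in this thread): once unlisted recipients are rejected, the pattern described in post #1 appears in the mail log as many "User unknown" rejects for one domain, spread thinly over many client IPs, so this sketch aggregates per recipient domain instead of per IP. The log lines are constructed in Postfix's usual smtpd reject format; the exact reject text on a given Zimbra install, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict

# Postfix smtpd reject line: client IP in brackets, then the rejected recipient.
REJECT = re.compile(r"reject: RCPT from \S+\[([0-9A-Fa-f:.]+)\]: 550 \S+ "
                    r"<([^@>]+)@([^>]+)>: Recipient address rejected: User unknown")

FMT = ("Sep  2 10:00:01 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
       "550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient table; "
       "from=<probe@sender.invalid> to=<{rcpt}> proto=SMTP helo=<host.invalid>")

def sample_log():
    """Constructed log: 12 alphabetical probes over 3 IPs, plus one ordinary typo."""
    names = ["aaron", "abby", "adam", "alan", "alex", "amy",
             "andy", "anna", "april", "art", "ava", "axel"]
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.44"]  # documentation ranges
    lines = [FMT.format(ip=ips[i // 4], rcpt=f"{n}@example.com")
             for i, n in enumerate(names)]  # a new IP continues where the last stopped
    lines.append(FMT.format(ip="192.0.2.99", rcpt="jsmiht@example.org"))
    return lines

def find_harvests(lines, min_ips=3, min_probes=10, per_ip_limit=8):
    """Flag domains probed by many IPs; thresholds are illustrative assumptions."""
    seen = defaultdict(list)  # domain -> [(ip, local_part)] in log order
    for line in lines:
        m = REJECT.search(line)
        if m:
            ip, local, domain = m.groups()
            seen[domain.lower()].append((ip, local.lower()))
    report = {}
    for domain, hits in seen.items():
        per_ip = defaultdict(int)
        for ip, _ in hits:
            per_ip[ip] += 1
        if len(hits) < min_probes or len(per_ip) < min_ips:
            continue
        parts = [lp for _, lp in hits]
        ascending = sum(a <= b for a, b in zip(parts, parts[1:]))
        report[domain] = {
            "probes": len(hits),
            "ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
            # Would a per-IP threshold (8 in post #1) ever have triggered?
            "per_ip_limit_hit": max(per_ip.values()) > per_ip_limit,
            # Share of consecutive probes in alphabetical order across IPs.
            "alphabetical": ascending / max(len(hits) - 1, 1),
        }
    return report

if __name__ == "__main__":
    print(find_harvests(sample_log()))
```

On the constructed sample the per-IP limit never triggers, while the per-domain view shows the whole run.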

  4. #4
    mmorse (Moderator)