Thread: Assistance with Dictionary attack

  1. #1 dwill (Special Member, joined Aug 2006)

    Assistance with Dictionary attack

    For several months now my logs have been showing attempts to send mail to a non-existent account. There are variations on the account name, but always the same 'root' name:
    As an example:
    davidabc@mydomain.com
    davidbbg@mydomain.com
    davidtheman@mydomain.com

    There are literally thousands of these in a 24-hour period, and they seem to stay one step ahead of the RBLs.
    The IP address and 'from' address which the messages report to be sent from are not fixed, and I rarely see more than 2-3 delivery attempts in a row using the same IP or from address. I'm sure this is a scripted 'abuse', as the logs show from 100 to 200 attempts within a 30-second window to this root name, and the IP and from address change every 2nd to 3rd delivery attempt. Unfortunately, we do a significant amount of INT'L business and I can't block CHINA and RUSSIA.

    It appears to be either a dictionary attack or we are the backscatter victim for this campaign.

    Although they are not getting delivered and we just drop it, I'm curious as to how others may have implemented a remedy to this. Any advice appreciated.
    Work
    8.0.3 UBUNTU10_04 UBUNTU10_04 NETWORK

    Home
    8.0.3 UBUNTU10_04 UBUNTU10_04 FOSS

  2. #2 raj (Moderator, joined Oct 2005, USA, Canada and India)

    Well, you cannot stop them from doing dictionary attacks, but you can take some measures so they use fewer resources.

    Greylisting is one way to reduce CPU for dictionary attacks.
    If you keep your greylisting triplets clean every few days you will see it's very effective.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
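To make the greylisting reply concrete, here is an added example of what the "triplet" is and why cleaning it matters; it is not Zimbra's or i2k2's code, and the delay, retry window and purge age are assumed values, not Zimbra defaults. The first delivery attempt for an unseen (client IP, sender, recipient) triplet is deferred with a temporary error, a retry after the delay is accepted and the triplet remembered, and triplets that never retry are purged. A dictionary run rotates IP, sender and recipient, so nearly every probe is a one-shot triplet that is deferred once and never returns, which is exactly what the purge step throws away.

```python
"""Minimal greylisting triplet store (added example; not Zimbra's code).

The first attempt for an unseen (client IP, sender, recipient) triplet is
deferred; a retry after the delay is accepted and the triplet is remembered.
Triplets that are deferred but never retried are purged ("keeping the
triplet clean").  All timings below are assumptions, not Zimbra defaults.
"""
from dataclasses import dataclass

DEFER_SECONDS = 300            # retry must arrive at least this long after first sight
RETRY_WINDOW = 4 * 3600        # a retry later than this is treated as a fresh first attempt
PURGE_UNCONFIRMED = 2 * 86400  # drop never-confirmed triplets after two days


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    confirmed: bool = False


class Greylist:
    def __init__(self):
        self.triplets = {}

    def check(self, now, client_ip, sender, recipient):
        """Return the verdict for one RCPT: DEFER (temporary failure) or ACCEPT."""
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.triplets.get(key)
        if entry is None:
            self.triplets[key] = Entry(first_seen=now, last_seen=now)
            return "DEFER"          # a real MTA answers with a 450-class reply here
        entry.last_seen = now
        if entry.confirmed:
            return "ACCEPT"
        age = now - entry.first_seen
        if age < DEFER_SECONDS:
            return "DEFER"          # retried too soon, still greylisted
        if age > RETRY_WINDOW:
            entry.first_seen = now  # stale entry: start the cycle over
            return "DEFER"
        entry.confirmed = True      # a well-behaved MTA retried in time
        return "ACCEPT"

    def purge(self, now):
        """Remove triplets that were deferred but never confirmed; return how many."""
        before = len(self.triplets)
        self.triplets = {k: e for k, e in self.triplets.items()
                         if e.confirmed or now - e.first_seen < PURGE_UNCONFIRMED}
        return before - len(self.triplets)


def simulate():
    """Constructed traffic: one real sender plus 200 dictionary probes."""
    gl = Greylist()
    legit = ("198.51.100.7", "alice@example.org", "bob@mydomain.com")
    results = {"legit": [gl.check(0, *legit),       # first contact: deferred
                         gl.check(600, *legit),     # retry after 10 min: accepted
                         gl.check(86400, *legit)]}  # next day: known triplet
    probes = []
    for i in range(200):  # IP rotates every 3rd, sender every 2nd attempt, recipient always new
        probes.append(gl.check(1000 + i * 0.15,
                               f"203.0.113.{i // 3}",
                               f"user{i // 2}@sender{(i // 2) % 7}.example",
                               f"david{i:03d}@mydomain.com"))
    results["probes_deferred"] = probes.count("DEFER")
    results["stored_before_purge"] = len(gl.triplets)
    results["purged"] = gl.purge(1000 + 3 * 86400)
    results["stored_after_purge"] = len(gl.triplets)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The point of the simulation is the last two numbers: 200 probes leave 200 dead triplets in the store, and a purge a few days later removes all of them while the one legitimate, confirmed triplet survives. Without that purge the table grows by the size of every dictionary run, which is the cost Raj is warning about.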

  3. #3 dwill (Special Member, joined Aug 2006)

    Thanks Raj, I'll read up a bit on the greylisting options. I am hoping for a REGEX or similar option such as david*@mydomain.com since the actual problematic address is unique and will have no effect on other users.
    Work
    8.0.3 UBUNTU10_04 UBUNTU10_04 NETWORK

    Home
    8.0.3 UBUNTU10_04 UBUNTU10_04 FOSS
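The pattern described in #1 (100-200 RCPTs to one 'root' local part inside a 30-second window, IP and sender changing every second or third attempt) is easy to pull out of the MTA log, and the david*@mydomain.com filter asked for in #3 is just a recipient regex. The script below is an added example, not Zimbra's code or anything from this thread: it parses Postfix-style smtpd reject lines (Zimbra's MTA is Postfix), keeps only recipients matching the pattern, buckets them into 30-second windows and flags windows with many attempts from many distinct IPs. The log lines, the year, and the thresholds are constructed or assumed, not taken from the poster's system.

```python
"""Burst detector for the dictionary pattern in this thread (added example,
not Zimbra's code).  Reads Postfix-style smtpd reject lines, applies the
david*@mydomain.com recipient filter as a regex, and flags 30-second windows
with many attempts from many distinct client IPs.  Sample log lines below are
constructed, not a real capture; the log year and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)
TARGET_RE = re.compile(r"^david\w*@mydomain\.com$", re.IGNORECASE)  # the "david*@" pattern
LOG_YEAR = 2013          # syslog timestamps carry no year; assumed
EPOCH = datetime(LOG_YEAR, 1, 1)
WINDOW = 30              # seconds, the window size mentioned in the post
MIN_ATTEMPTS = 50        # thresholds are assumptions; tune to the site's baseline
MIN_IPS = 10


def parse(line):
    """Return (timestamp, client_ip, sender, recipient) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["sender"], m["rcpt"]


def summarise_windows(lines, window=WINDOW):
    """Bucket targeted rejects into fixed windows, tracking distinct IPs and senders."""
    buckets = defaultdict(lambda: {"attempts": 0, "ips": set(), "senders": set(), "rcpts": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or not TARGET_RE.match(ev[3]):
            continue
        ts, ip, sender, rcpt = ev
        b = buckets[int((ts - EPOCH).total_seconds()) // window]
        b["attempts"] += 1
        b["ips"].add(ip)
        b["senders"].add(sender)
        b["rcpts"].add(rcpt)
    return buckets


def flag_bursts(lines):
    """Windows that look like a scripted run rather than one misconfigured sender."""
    bursts = []
    for key, b in sorted(summarise_windows(lines).items()):
        if b["attempts"] >= MIN_ATTEMPTS and len(b["ips"]) >= MIN_IPS:
            bursts.append({
                "window_start": (EPOCH + timedelta(seconds=key * WINDOW)).isoformat(),
                "attempts": b["attempts"],
                "distinct_ips": len(b["ips"]),
                "distinct_senders": len(b["senders"]),
                "sample_recipients": sorted(b["rcpts"])[:3],
            })
    return bursts


def constructed_log():
    """Constructed sample: 120 probes in 30 s plus unrelated rejects; not a real log."""
    fmt = ("Jan 10 {t} mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
           "550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient "
           "table; from=<{snd}> to=<{rcpt}> proto=ESMTP helo=<mx.example>")
    lines = []
    for i in range(120):  # 4 per second; IP rotates every 3rd, sender every 2nd attempt
        suffix = "".join(chr(97 + (i // 26 ** k) % 26) for k in range(3))
        lines.append(fmt.format(t=f"12:00:{i // 4:02d}", ip=f"203.0.113.{i // 3}",
                                snd=f"user{i // 2}@sender{(i // 2) % 5}.example",
                                rcpt=f"david{suffix}@mydomain.com"))
    # An ordinary typo'd recipient from one host, and a lone stray probe five minutes later.
    lines.append(fmt.format(t="12:00:05", ip="198.51.100.9", snd="pat@example.org",
                            rcpt="bob.smth@mydomain.com"))
    lines.append(fmt.format(t="12:05:00", ip="203.0.113.77", snd="x@sender.example",
                            rcpt="davidzz@mydomain.com"))
    return lines


if __name__ == "__main__":
    for burst in flag_bursts(constructed_log()):
        print(burst)
```

Run against the constructed sample it reports a single window at 12:00:00 with 120 attempts from 40 IPs and 60 senders, while the typo'd bob.smth recipient and the lone later probe are left alone. The distinct-IP count is what separates this from a single broken mail server retrying a bad address, and it is the number worth alerting on, since the poster cannot block by country and per-IP blocklists lag behind the rotation.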

  4. #4 dwill (Special Member, joined Aug 2006)

    Just a follow up - We are now greylisting and it is catching a few spammers, but I still get tons of dictionary attempts.

    Who's up for a "Distributed Black Eye" attack, where we choose team members for each geographical area to personally distribute said black eyes to the offenders?
    Work
    8.0.3 UBUNTU10_04 UBUNTU10_04 NETWORK

    Home
    8.0.3 UBUNTU10_04 UBUNTU10_04 FOSS
