
Postfix preventing Directory Harvest Attacks


Scott Baker

14.04.2003, 11:36:12
How does one go about preventing malicious spammers out there from doing
directory harvest attacks against a Postfix server?


-----------------------------------
Scott Baker - Webster Internet
Network Engineer - RHCE
bak...@web-ster.com - 503.266.8253

Ralf Hildebrandt

14.04.2003, 11:40:38
* Scott Baker <bak...@web-ster.com>:

> How does one go about preventing malicious spammers out there from
> doing directory harvest attacks against a Postfix server?

What do your directory harvest attacks look like?
--
Ralf Hildebrandt Ralf.Hil...@charite.de
my current spamtrap partmap...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
I've seen things you people wouldn't believe. Attack ships on fire off
the shoulder of Orion. I watched C-beams glitter in the dark near the
Tannhauser gate. All those moments will be lost in time, like tears in
rain. Time to die. -- Roy Batty, Blade Runner

Scott Baker

14.04.2003, 11:46:37
I haven't actually witnessed any. I was talking to a friend who said their
spam filtering solution prevents them. In the latest spam article:

http://slashdot.org/article.pl?sid=03/04/12/1442206&mode=thread&tid=111&tid=95

They talk about

a...@domain.com
a...@domain.com
a...@domain.com

etc... connections just attempted RCPT_TO headers.

I'd be more worried about a dictionary attack

t...@domain.com
di...@domain.com
ha...@domain.com

Is there a way to limit the number of connections a certain IP is allowed
in a 5 (10, 30, 60) minute period?

At 05:40 PM 4/14/2003 +0200, you wrote:
> > How does one go about preventing malicious spammers out there from
> > doing directory harvest attacks against a Postfix server?
>
> What do your directory harvest attacks look like?

Ralf Hildebrandt

14.04.2003, 11:52:46
* Scott Baker <bak...@web-ster.com>:

> I haven't actually witnessed any. I was talking to a friend who said their
> spam filtering solution prevents them. In the latest spam article:
>
> http://slashdot.org/article.pl?sid=03/04/12/1442206&mode=thread&tid=111&tid=95
>
> They talk about
>
> a...@domain.com
> a...@domain.com
> a...@domain.com
>
> etc... connections just attempted RCPT_TO headers.

Use a low smtpd_hard_error_limit.

> Is there a way to limit the number of connections a certain IP is allowed
> in a 5 (10, 30, 60) minute period?

Use the rate limiting facilities of your OS (iptables).

You step in the stream,
But the water has moved on.
This page is not here.

Roger Marquis

14.04.2003, 11:58:18
Scott Baker wrote:
> > How does one go about preventing malicious spammers out there from
> > doing directory harvest attacks against a Postfix server?

Try AIDS. Not the biological kind, Application Intrusion Detection
Software. Here's one generic script that nullroutes IPs and sends
an email to the sysadmin after too many rejects. I recommend using
host-based firewall software (ipfw, ipchains, sunscreen, etc.)
rather than a null route but either will work.

>#!/bin/sh -
># cksmtprej: count SMTP rejects per client IP in today's mail log and
># null-route (or, preferably, firewall) clients above the thresholds below.
>PAGE=abuse@example.com,noc-...@example.com   # paged (short mail) above MAXBOUNCES
>MAILTO=ab...@example.com                      # receives the matching log lines
>LOOKFOR="reject:"
># Lines matching OK are never counted: deferrals, timeouts, our own hosts (whitelist)
>OK='(stat=Deferred|timeout|timed.out|ay=bounce@localh|Domain.blocked|192.168.9|my_other_ips)'
>LOGS="/var/log/mail*"
>MAXBOUNCES=85           # null route, page and mail
>MINBOUNCES=35           # null route and mail only
>DEBUG=no
>TMP=/tmp/.cksmtprej.$$
>PATH=/usr/ucb:/bin:/usr/bin:/sbin:/usr/sbin
># "Apr 14" / "Apr  4": day padded to width 3 exactly as syslog writes it
>LOGDATE="`date | awk '{printf "%3s%3s", $2, $3}'`"
>
>grep -h "^${LOGDATE}" $LOGS | egrep "$LOOKFOR" | egrep -v "$OK" > "$TMP"
># Client IP = the last bracketed dotted quad on the line (the PID in smtpd[1234]
># has no dots); -n/p silently drops lines that carry none.
>for ip in `sed -n 's/^.*\[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\].*/\1/p' "$TMP" | sort -u` ; do
>    # -F -w: literal match on the whole address, so 10.1.2.3 does not count 10.1.2.33
>    BOUNCES="`grep -Fw "$ip" "$TMP" 2>/dev/null | wc -l | awk '{print $1}'`"
>    if [ "$BOUNCES" -gt "$MAXBOUNCES" ] && [ "`netstat -rn | grep -Fw "$ip"`" = "" ]; then
>        if [ "$DEBUG" = yes ] || [ "$DEBUG" = y ]; then
>            echo " $ip would be blackholed after $BOUNCES bounces"
>        else
>            route add "$ip" localhost 1>/dev/null 2>/dev/null
>            mail -s "$ip blackholed after $BOUNCES bounces" "$PAGE" < /dev/null
>            grep -Fw "$ip" "$TMP" | mail -s "$ip blackholed after $BOUNCES bounces" "$MAILTO"
>            logger -p local4.info "$ip blackholed after $BOUNCES email bounces"
>        fi
>    elif [ "$BOUNCES" -gt "$MINBOUNCES" ] && [ "`netstat -rn | grep -Fw "$ip"`" = "" ]; then
>        #### mail notice only, don't page unless $MAXBOUNCES ####
>        if [ "$DEBUG" = yes ] || [ "$DEBUG" = y ]; then
>            echo " $ip would be blackholed after $BOUNCES bounces"
>        else
>            route add "$ip" localhost 1>/dev/null 2>/dev/null
>            grep -Fw "$ip" "$TMP" | mail -s "$ip blackholed after $BOUNCES bounces" "$MAILTO"
>            logger -p local4.info "$ip blackholed after $BOUNCES email bounces"
>        fi
>    fi
>done
>rm -f "$TMP"

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

Ralf Hildebrandt

14.04.2003, 12:02:00
* Roger Marquis <mar...@roble.com>:

> Try AIDS. Not the biological kind, Application Intrusion Detection
> Software. Here's one generic script that nullroutes IPs and sends
> an email to the sysadmin after too many rejects. I recommend using
> host-based firewall software (ipfw, ipchains, sunscreen, etc.)
> rather than a null route but either will work.

Uh, could you send that as attachment?

"The percentage of users running Windows NT Workstation 4.0 whose PCs
stopped working more than once a month was less than half that of Windows
95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp

Roger Marquis

14.04.2003, 13:34:53
Ralf Hildebrandt wrote:
>>Here's one generic script that nullroutes IPs and sends
>>an email to the sysadmin after too many rejects. I recommend using
>>host-based firewall software (ipfw, ipchains, sunscreen, etc.)
>>rather than a null route but either will work.
>
>Uh, could you send that as attachment?

In case postfix-users doesn't accept attachments I've put it on the
web at <http://www.roble.com/docs/cksmtprej>. Recommended usage
is out of the root crontab, every 5 to 60 minutes.

Do take care to watch the results. It can falsely nullroute MXs
with serious but occasionally transient DNS errors. You'll want
to fix those with "route delete <ip> localhost" and by whitelisting
(see OK=). In actual usage this sort of false positive is very
rare. As always YMMV.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/


PS. Just received this timely example of the script's filter report,
a dictionary attack from a bellsouth DSL customer listed by the
infamous spamcop RBL:


>From ro...@victim.com Mon Apr 14 10:19:35 2003
>Date: Mon, 14 Apr 2003 09:46:01 -0700 (PDT)
>From: Super-User <ro...@victim.com>
>To: ab...@victim.com
>Subject: 68.153.178.222 filtered after 36 bounces
>
>Apr 14 06:43:50 PDT reject: RCPT from adsl-068-153-178-222.sip.mia.bellsouth.net[68.153.178.222]: 554 Service unavailable; Client host [68.153.178.222] blocked using bl.spamcop.net; Blocked - see http://spamcop.net/bl.shtml?68.153.178.222; from=<bxab...@cranfield.ac.uk> to=<jsm...@victim.com> proto=SMTP helo=<cranfield.ac.uk>
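
The per-IP, per-time-window limit Scott asks about and the threshold-plus-whitelist logic of Roger's cksmtprej, as an added example that is not code from the thread: a Python counter over constructed Postfix reject lines that tracks how many distinct recipients one client has had rejected inside a sliding window and reports which clients cross a notify and a block threshold. The function names, the thresholds, the sample log and the 192.0.2.1 whitelist entry are assumptions.

```python
# Added example (not the cksmtprej script): windowed per-client reject counter for Postfix logs.
import re
from collections import defaultdict
from datetime import datetime
# Postfix smtpd reject line: "... reject: RCPT from name[ip]: 5xx ...; from=<a> to=<b> ..."
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: "
    r"(?P<code>\d{3}) .*to=<(?P<rcpt>[^>]*)>")
WHITELIST = {"192.0.2.1"}  # own MXs/relays, like OK= in the script; assumed value

def _line(ts, ip, rcpt, code="550"):
    # Constructed log line (RFC 5737 addresses, example.com), not taken from the thread.
    return (f"Apr 14 {ts} mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[{ip}]: {code} "
            f"<{rcpt}>: User unknown in local recipient table; from=<x@example.net> to=<{rcpt}> proto=SMTP")

SAMPLE_LOG = (
    [_line(f"06:43:{50 + 2 * i}", "198.51.100.7", f"{u}@example.com")  # 5 users in 8 s -> block
     for i, u in enumerate("aaron abby adam al alex".split())]
    + [_line(f"07:1{i}:00", "203.0.113.5", f"{u}@example.com")  # 3 users in 2 min -> notify
       for i, u in enumerate("bob bill ben".split())]
    + [_line(f"08:0{i}:00", "203.0.113.9", "gone@example.com") for i in range(4)]  # one dead user
    + [_line(f"09:05:0{i}", "192.0.2.1", f"{u}@example.com")  # whitelisted -> ignored
       for i, u in enumerate("carol dave erin".split())]
    + [_line(f"09:20:0{i}", "203.0.113.77", f"{u}@example.com", "450")  # 4xx -> not counted
       for i, u in enumerate("hal ian joy".split())])

def parse_rejects(lines, year=2003):
    """Yield (timestamp, client_ip, recipient) for permanent (5xx) RCPT rejects; 4xx rejects
    (greylisting, temporary DNS failures: the transient-MX false positive Roger mentions) are skipped."""
    for line in lines:
        m = REJECT_RE.search(line)
        if not m or m.group("code")[0] != "5" or m.group("ip") in WHITELIST:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("rcpt").lower()

def offenders(lines, window_min=5, notify=3, block=5):
    """Map client IP -> (peak distinct recipients rejected within any window_min-minute window,
    action). Distinct recipients, not raw rejects: a host retrying one dead address never trips."""
    events = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(lines):
        events[ip].append((ts, rcpt))
    result = {}
    for ip, evs in events.items():
        evs.sort()
        peak, lo = 0, 0
        for hi, (ts, _) in enumerate(evs):
            while (ts - evs[lo][0]).total_seconds() > window_min * 60:
                lo += 1  # drop events that fell out of the window
            peak = max(peak, len({r for _, r in evs[lo:hi + 1]}))
        if peak >= block:
            result[ip] = (peak, "block")  # cksmtprej: null route, page PAGE, mail MAILTO
        elif peak >= notify:
            result[ip] = (peak, "notify")  # cksmtprej: null route, mail MAILTO only
    return result
```

Feed it `open("/var/log/mail.log")` instead of SAMPLE_LOG and hand the "block" entries to your firewall; the "notify" entries are the ones worth a look before acting, exactly as the script's MINBOUNCES tier is.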
