
dictionary attack defense?


Your name

May 21, 2002, 2:10:52 PM
We seem to be one of those targeted by a "dictionary attack", spammers
using words and then attaching them to our domain. Of course, they are
(almost) all non-existent users but they take up time and space.
I put in dnl(confBAD_RCPT_THROTTLE,3) but if it is helping, it is not
by much.

1: Does it make a difference where in cf file the BAD_RCPT_THROTTLE
is?

2: Is there a way to make the delay more than a second - say, a
minute?

3: Are there any other ways to prevent such "attacks" ?

Neil W Rickert

May 21, 2002, 10:03:17 PM
catc...@www.com (Your name) writes:

>We seem to be one of those targeted by a "dictionary attack", spammers
>using words and then attaching them to our domain. Of course, they are
>(almost) all non-existent users but they take up time and space.
>I put in dnl(confBAD_RCPT_THROTTLE,3) but if it is helping, it is not
>by much.

I suggest blocking the site in your access map. That way they
get the identical answer ("Access denied") from every address
they try.

If they are doing this too often, consider a firewall rule
to block access at the packet level.

Deke Clinger

May 21, 2002, 10:18:20 PM


Just so you know, if you put dnl at the beginning of a line in
a .mc file, the rest of that line is ignored.

As for what to do about this, see Neil's answer about using the access
map, or compile sendmail with tcpwrappers and add the attacking site to
your hosts.deny file.

Good luck,

-Deke

Your name

May 22, 2002, 12:56:04 PM
Deke Clinger <d...@qualcomm.com> wrote in message news:<3CEAFFEC...@qualcomm.com>...

Whoo, did I get nervous there for a while. No, I didn't do
dnl(confBAD_RCPT_THROTTLE,3)
but did do:
define(`confBAD_RCPT_THROTTLE`,`3`)dnl

These barrages seem to be coming from different ISPs. But I will try
checking my logs for "unknown users" and then putting the IP address
that shows in my ipchains reject.

Is there a way to change the "sleep" time for THROTTLE ?

Claus Aßmann

May 22, 2002, 1:30:03 PM
Your name wrote:

> define(`confBAD_RCPT_THROTTLE`,`3`)dnl

This is wrong. See cf/README and man m4.

define(`confBAD_RCPT_THROTTLE',`3')dnl

> These barrages seem to be coming from different ISPs. But I will try
> checking my logs for "unknown users" and then putting the IP address
> that shows in my ipchains reject.

> Is there a way to change the "sleep" time for THROTTLE ?

Patch the source code, sendmail/srvrsmtp.c

--
If you feel the urgent wish to send me a courtesy copy of a Usenet
posting, then make sure it's recognizable as such!
The FAQ: http://www.sendmail.org/faq/ Before you ask.
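
The log check and access-map blocking discussed in this thread, as an added example that is not part of the original posts: it counts "User unknown" rejections per client IP by joining log lines on the sendmail queue ID, then emits access map `REJECT` entries for IPs at or above a threshold. The log lines are constructed samples in an assumed sendmail syslog layout, and the function names and the threshold of 3 are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (assumed sendmail syslog layout, documentation IPs).
SAMPLE_LOG = """\
May 21 14:02:11 mail sendmail[1201]: g4LI2Bq01201: <aaron@example.com>... User unknown
May 21 14:02:11 mail sendmail[1201]: g4LI2Bq01201: <abby@example.com>... User unknown
May 21 14:02:12 mail sendmail[1201]: g4LI2Bq01201: <adam@example.com>... User unknown
May 21 14:02:13 mail sendmail[1201]: g4LI2Bq01201: from=<x@spam.invalid>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dialup.isp-a.invalid [192.0.2.10]
May 21 14:05:40 mail sendmail[1207]: g4LI5eq01207: <typo@example.com>... User unknown
May 21 14:05:41 mail sendmail[1207]: g4LI5eq01207: from=<friend@partner.invalid>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.partner.invalid [198.51.100.7]
May 21 14:09:02 mail sendmail[1215]: g4LI92q01215: <alice@example.com>... User unknown
May 21 14:09:02 mail sendmail[1215]: g4LI92q01215: <allen@example.com>... User unknown
May 21 14:09:03 mail sendmail[1215]: g4LI92q01215: lost input channel from [192.0.2.10] to MTA after rcpt
"""

QID = r"sendmail\[\d+\]: (\w+): "
# A rejected RCPT line carries the queue ID but not the client address.
UNKNOWN = re.compile(QID + r"<[^>]*>\.\.\. User unknown")
# The client IP appears in brackets on a later line with the same queue ID.
RELAY = re.compile(QID + r".*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def bad_rcpts_by_ip(log_text):
    """Count 'User unknown' rejections per client IP, joined on queue ID."""
    per_qid = Counter()
    qid_ip = {}
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            per_qid[m.group(1)] += 1
            continue
        m = RELAY.search(line)
        if m:
            qid_ip[m.group(1)] = m.group(2)
    per_ip = Counter()
    for qid, count in per_qid.items():
        if qid in qid_ip:  # skip sessions whose client IP was never logged
            per_ip[qid_ip[qid]] += count
    return per_ip

def access_map_entries(log_text, threshold=3):
    """Return 'IP<TAB>REJECT' access map lines for IPs at or above threshold."""
    per_ip = bad_rcpts_by_ip(log_text)
    return [f"{ip}\tREJECT" for ip, n in sorted(per_ip.items()) if n >= threshold]

if __name__ == "__main__":
    print("\n".join(access_map_entries(SAMPLE_LOG)))
```

The threshold keeps a single mistyped address from a legitimate sender out of the block list; the access map must be rebuilt with `makemap` after entries are added.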
