[CentOS] Re: Email dictionary attacks and firewall
Scott Silva
ssilva at sgvwater.com
Wed Aug 16 17:44:24 UTC 2006
rado spake the following on 8/16/2006 3:49 AM:
> On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote:
>> I keep seeing 'Joe Average compromised computer on broadband' being used
>> to do email dictionary attacks on our systems. Seems I always have
>> several domains going through these. One in particular has been in the
>> 'a-' list for weeks with about 20,000 attempts per day from various
>> systems. Yeah, I do have a system which blocks email from these systems
>> for a period of time after 3 bad email address attempts.... throttling...
>>
>> Anyway, this brought to mind.... Joe Average! Joe Average buys a
>> broadband connection, has someone hook up his computer.. talks to tech
>> support about everything and eventually, an AV subscription dies or
>> something and Joe just doesn't care or doesn't know how to deal with
>> that. Meanwhile Joe's computer gets a virus allowing some baddy to start
>> sending email. Joe notices his computer is getting a little slow.. but
>> it's not bad enough to worry about.
>>
>> So, this made me start wondering about how to do something that makes
>> Joe's computer so slow that he finally gives up and calls in tech
>> support to fix the damned thing.
>>
>> I wonder if there is a way that a firewall rule could be written, that
>> would let a trickle of the connection from Joe through, so as his
>> dictionary attack gets backed up with a huge number of connections which
>> are trickling through at such a slow rate, with maybe just enough delay
>> built in to make it keep trying.... Basically making Joe's compromised
>> computer useless.. and maybe he'd at least turn it off if it didn't lock
>> up all by itself....
>>
>> It is so very sad that some providers don't monitor their own people. I
>> see where comcast has now slid down to number 8 after holding the number
>> one spot as the biggest spammer network for a very long time. Good for
>> them! It seems the undisputed king of this world now is
>> verizonbusiness.com.... bad bad very bad....
>>
>> Sorry.. yeah.. a bit off topic......
>>
>> John Hinton
Better would be a rule to forward their connection to a honeypot / tarpit box
that would do what you want ... tie up their connection for a while.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
More information about the CentOS
mailing list