[CentOS] Re: Email dictionary attacks and firewall

Scott Silva ssilva at sgvwater.com
Wed Aug 16 17:44:24 UTC 2006


rado spake the following on 8/16/2006 3:49 AM:
> On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote:
>> I keep seeing 'Joe Average compromised computer on broadband' being used 
>> to do email dictionary attacks on our systems. Seems I always have 
>> several domains going through these. One in particular has been in the 
>> 'a-' list for weeks with about 20,000 attempts per day from various 
>> systems. Yeah, I do have a system which blocks email from these systems 
>> for a period of time after 3 bad email address attempts.... throttling...
>>
>> Anyway, this brought to mind.... Joe Average! Joe Average buys a 
>> broadband connection, has someone hook up his computer.. talks to tech 
>> support about everything and eventually, an AV subscription dies or 
>> something and Joe just doesn't care or doesn't know how to deal with 
>> that. Meanwhile Joe's computer gets a virus allowing some baddy to start 
>> sending email. Joe notices his computer is getting a little slow.. but 
>> it's not bad enough to worry about.
>>
>> So, this made me start wondering about how to do something that makes 
>> Joe's computer so slow that he finally gives up and calls in tech 
>> support to fix the damned thing.
>>
>> I wonder if there is a way that a firewall rule could be written, that 
>> would let a trickle of the connection from Joe through, so as his 
>> dictionary attack gets backed up with a huge number of connections which 
>> are trickling through at such a slow rate, with maybe just enough delay 
>> built in to make it keep trying.... Basically making Joe's compromised 
>> computer useless.. and maybe he'd at least turn it off if it didn't lock 
>> up all by itself....
>>
>> It is so very sad that some providers don't monitor their own people. I 
>> see where comcast has now slid down to number 8 after holding the number 
>> one spot as the biggest spammer network for a very long time. Good for 
>> them! It seems the undisputed king of this world now is 
>> verizonbusiness.com.... bad bad very bad....
>>
>> Sorry.. yeah.. a bit off topic......
>>
>> John Hinton
Better would be a rule to forward their connection to a honeypot / tarpit box
that would do what you want ... tie up their connection for a while.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!




More information about the CentOS mailing list