[CentOS] Email dictionary attacks and firewall

Wed Aug 16 13:04:37 UTC 2006
Steve Walsh - Nerdvana Hosting <steve at nerdvana.net.au>

Sounds like what you want is the TeerGrubing plugin for Exim script Marc 
Merlin from Google wrote. it sends a SMTP 451 back to the server for 
10-15 minutes, then closes the connection.

Apparently, he once held a connection open for 72 hours, then called the 
  guys ISP, who called the FBI, and it just went downhill from there.

More information can be gleened from his page at 
http://marc.merlins.org/linux/exim/sa.html

Steve

rado wrote:
> On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote:
>> I keep seeing 'Joe Average compromised computer on broadband' being used 
>> to do email dictionary attacks on our systems. Seems I always have 
>> several domains going through these. One in particular has been in the 
>> 'a-' list for weeks with about 20,000 attempts per day from various 
>> systems. Yeah, I do have a system which blocks email from these systems 
>> for a period of time after 3 bad email address attempts.... throttling...
>>
>> Anyway, this brought to mind.... Joe Average! Joe Average buys a 
>> broadband connection, has someone hook up his computer.. talks to tech 
>> support about everything and eventually, an AV subscription dies or 
>> something and Joe just doesn't care or doesn't know how to deal with 
>> that. Meanwhile Joe's computer gets a virus allowing some baddy to start 
>> sending email. Joe notices his computer is getting a little slow.. but 
>> it's not bad enough to worry about.
>>
>> So, this made me start wondering about how to do something that makes 
>> Joe's computer so slow that he finally gives up and calls in tech 
>> support to fix the damned thing.
>>
>> I wonder if there is a way that a firewall rule could be written, that 
>> would let a trickle of the connection from Joe through, so as his 
>> dictionary attack gets backed up with a huge number of connections which 
>> are trickling through at such a slow rate, with maybe just enough delay 
>> built in to make it keep trying.... Basically making Joe's compromised 
>> computer useless.. and maybe he'd at least turn it off if it didn't lock 
>> up all by itself....
>>
>> It is so very sad that some providers don't monitor their own people. I 
>> see where comcast has now slid down to number 8 after holding the number 
>> one spot as the biggest spammer network for a very long time. Good for 
>> them! It seems the undisputed king of this world now is 
>> verizonbusiness.com.... bad bad very bad....
>>
>> Sorry.. yeah.. a bit off topic......
>>
>> John Hinton
>> _______________________________________________
> Don't be sorry, John, I'm gettin pissed bout spam myself...I am thinking
> about coming up w/a way to somehow forward the spam msg back to who ever
> is relaying it 10 fold to get their attn! 
> 
> John Rose
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos