Post #4 by _m3, 14.04.2004, 12:54

Quote:
slowing down spambots with an error tarpit

Spambots are often not well-behaved and RFC-compliant, so if you turn on strict checking, the spambots will frequently cause errors during the SMTP dialogue. Also, if they are trying a dictionary attack, and you do not have a wildcard alias, this will cause lots of unknown user errors.

If the spambot has exceeded the number of errors specified by the variable smtpd_soft_error_limit, it will sleep that many seconds, otherwise it will wait for smtpd_error_sleep_time before returning a [45]XX error code. (So smtpd_soft_error_limit should be greater than or equal to smtpd_error_sleep_time). And if the number of errors exceeds smtpd_hard_error_limit then Postfix disconnects and the spambot will have to reconnect. I set the sleep time long enough to cause the spambot to either time out or be killed by a frustrated spammer.

Spambots may also open multiple simultaneous connections in order to deliver massive quantities (or to do a fast dictionary attack), so for an MTA running only for personal use, I think it is good to also set default_process_limit to a low number, which will limit the number of simultaneous SMTP sessions. Here's what I use:

smtpd_error_sleep_time = 60
smtpd_soft_error_limit = 60
smtpd_hard_error_limit = 10
default_process_limit = 3

[Note that these particular settings work for my site that receives email for one user, but will probably cause unnecessary delays on larger sites. You might try shorter delays and larger process limits.]

This combination should be very effective against a dictionary attack, particularly if you don't have a wildcard alias (which is why I recommend against having one). After every unknown user error, the server will sleep for 60 seconds, and will disconnect after every 10 errors.

Spammers are hit-and-run artists. The quicker they can complete their spam run, the better for them as filters and blackhole listings go up very quickly these days. I think it helps to do what you can to slow them down as much as possible.
http://www.bagley.org/~doug/spam/postfix.shtml

Also good:
http://techrepublic.com.com/5100-631...l?tag=viewfull
____________________________________
Also to be found at http://martin.leyrer.priv.at , http://twitter.com/leyrer , http://www.debattierclub.net/ , http://www.tratschen.at/ and via instant messaging on Jabber: m3 <ät> cargal.org .
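
The effect of the quoted settings on a dictionary attack, as an added example that is not part of the original post or of the quoted article: a small Python model that follows the quote's own description (60 seconds of sleep per unknown-user error, disconnect after 10 errors, at most 3 simultaneous sessions). The one-second reconnect cost, the 3000-address dictionary and the LENIENT comparison values are constructed assumptions.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Tarpit:
    error_sleep_time: int  # smtpd_error_sleep_time: seconds slept per error
    hard_error_limit: int  # smtpd_hard_error_limit: errors before disconnect
    process_limit: int     # default_process_limit: simultaneous SMTP sessions


# Values from the quoted main.cf lines.
QUOTED = Tarpit(error_sleep_time=60, hard_error_limit=10, process_limit=3)
# Constructed comparison point, not taken from the page.
LENIENT = Tarpit(error_sleep_time=1, hard_error_limit=20, process_limit=100)


def attack_seconds(guesses: int, cfg: Tarpit, reconnect_cost: float = 1.0) -> float:
    """Wall-clock seconds until `guesses` unknown-user probes are answered.

    Model (assumption): every probe is an error, the client always fills all
    free session slots, and each new connection costs `reconnect_cost` seconds.
    """
    slots = [0.0] * cfg.process_limit  # time at which each slot is free again
    heapq.heapify(slots)
    remaining, finished = guesses, 0.0
    while remaining > 0:
        start = heapq.heappop(slots)                  # earliest free slot
        batch = min(remaining, cfg.hard_error_limit)  # errors until disconnect
        end = start + reconnect_cost + batch * cfg.error_sleep_time
        remaining -= batch
        finished = max(finished, end)
        heapq.heappush(slots, end)
    return finished


def probes_per_hour(cfg: Tarpit, reconnect_cost: float = 1.0) -> float:
    """Steady-state probe rate the client can sustain against `cfg`."""
    session = reconnect_cost + cfg.hard_error_limit * cfg.error_sleep_time
    return 3600 * cfg.process_limit * cfg.hard_error_limit / session


if __name__ == "__main__":
    n = 3000  # constructed dictionary size
    for name, cfg in (("quoted", QUOTED), ("lenient", LENIENT)):
        secs = attack_seconds(n, cfg)
        print(f"{name:8s} {n} probes: {secs / 3600:6.2f} h, "
              f"{probes_per_hour(cfg):9.1f} probes/h sustained")
```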