Is there a way to listen on port 25 for repeated dictionary attacks to harvest email addresses and blacklist that IP with Shorewall?

Thanks,

Mike
Mike Lander wrote:
> Is there a way to listen on port 25 for repeated dictionary attacks to
> harvest email addresses and blacklist that IP with Shorewall?

You would need to monitor the MTA's log for signs of a dictionary attack, then update Shorewall's blacklist(s) using a script.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Excuse me Mike, but IMHO SMTP security has nothing to do with Shorewall. But maybe this will be useful: http://slett.net/spam-filtering-for-mx/smtpchecks.html

Bye.

On Wed, 9 Feb 2005 10:42:01 -0800, Mike Lander <landers@lanlinecomputers.com> wrote:
> Is there a way to listen on port 25 for repeated dictionary attacks to
> harvest email addresses and blacklist that IP with Shorewall?
>
> Thanks,
>
> Mike
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep wrote on 09/02/2005 16:56:01:
> Mike Lander wrote:
> > Is there a way to listen on port 25 for repeated dictionary attacks to
> > harvest email addresses and blacklist that IP with Shorewall?
>
> You would need to monitor the MTA's log for signs of a dictionary attack,
> then update Shorewall's blacklist(s) using a script.

I had a couple of dictionary attacks last year from people trying to harvest email addresses. In my case, I inserted a rule in my external MX to cancel any connection with more than 30 local recipients. For me this is not a problem, and in a year with this rule enabled no client complained (or even realized there was such a rule).

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
> excuse me Mike but IMHO SMTP security has nothing to do with shorewall.

Quite the contrary, in my opinion: the best place to drop such a connection would be at your firewall, as I am trying to reduce the bandwidth that spammers use to harvest email addresses.

Mike
> Tom Eastep wrote on 09/02/2005 16:56:01:
> > You would need to monitor the MTA's log for signs of a dictionary attack,
> > then update Shorewall's blacklist(s) using a script.
>
> I had a couple of dictionary attacks last year from people trying to harvest
> email addresses. In my case, I inserted a rule in my external MX to
> cancel any connection with more than 30 local recipients. For me this is
> not a problem, and in a year with this rule enabled no client complained
> (or even realized there was such a rule).

Are you referring to your DNS zone record when you say external MX? Could I contact you off the list about this? I believe this is out of scope for the list.

Thanks,

Mike
Snort should handle that, though I have not tried it. Snort + flexresp should be the solution.

Jan

Mike Lander wrote:
> Is there a way to listen on port 25 for repeated dictionary attacks to
> harvest email addresses and blacklist that IP with Shorewall?
>
> Thanks,
>
> Mike
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Mike Lander
Sent: Thursday, 10 February 2005 5:05 AM
To: Cristian Rodriguez; Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Harvesting and Dictionary attacks

> excuse me Mike but IMHO SMTP security has nothing to do with shorewall.

Quite the contrary, in my opinion: the best place to drop such a connection would be at your firewall, as I am trying to reduce the bandwidth that spammers use to harvest email addresses.

I must say I agree here. SMTP security is for "first-time offenders"; for persistent abusers there is "DROP", and that is properly done at the firewall.

T
Terry H. Gilsenan wrote:
>>> excuse me Mike but IMHO SMTP security has nothing to do with shorewall.
>>
>> Quite the contrary, in my opinion: the best place to drop such a
>> connection would be at your firewall, as I am trying to reduce the
>> bandwidth that spammers use to harvest email addresses.
>
> I must say I agree here. SMTP security is for "first-time offenders"; for
> persistent abusers there is "DROP", and that is properly done at the
> firewall.

I also agree. I monitor the output of pflogsumm (a Postfix log reporting tool that mails me a daily report), and obvious offenders get added to my TCP port 25 blacklist. I do that as a manual process.

-Tom
On Wed, 09 Feb 2005 16:20:47 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> Terry H. Gilsenan wrote:
>> I must say I agree here. SMTP security is for "first-time offenders"; for
>> persistent abusers there is "DROP", and that is properly done at the
>> firewall.
>
> I also agree. I monitor the output of pflogsumm (a Postfix log reporting
> tool that mails me a daily report), and obvious offenders get added to
> my TCP port 25 blacklist. I do that as a manual process.
>
> -Tom

Tom, what happened with the legitimate email coming from the "sometimes bad" host? Goes nowhere? (Of course it is rejected, but..) Some kind of control over the quantity of incoming mail (per session) from a host seems to be a better solution... or less radical than "DROP" :)

IMHO running an SMTP server is sometimes a big PITA. :P
Cristian Rodriguez wrote:
> On Wed, 09 Feb 2005 16:20:47 -0800, Tom Eastep <teastep@shorewall.net> wrote:
>> I also agree. I monitor the output of pflogsumm (a Postfix log reporting
>> tool that mails me a daily report), and obvious offenders get added to
>> my TCP port 25 blacklist. I do that as a manual process.
>>
>> -Tom
>
> Tom, what happened with the legitimate email coming from the "sometimes bad" host?
> Goes nowhere? (Of course it is rejected, but..)

Trust me -- the addresses I blacklist have never sent one piece of legitimate email.

> IMHO running an SMTP server is sometimes a big PITA. :P

Definitely. I forward all outgoing email through my ISP because sending it directly is just too much hassle.

-Tom
>>> I also agree. I monitor the output of pflogsumm (a Postfix log reporting
>>> tool that mails me a daily report), and obvious offenders get added to
>>> my TCP port 25 blacklist. I do that as a manual process.
>>>
>>> -Tom
>>
>> Tom, what happened with the legitimate email coming from the "sometimes
>> bad" host? Goes nowhere? (Of course it is rejected, but..)
>
> Trust me -- the addresses I blacklist have never sent one piece of
> legitimate email.
>
>> IMHO running an SMTP server is sometimes a big PITA. :P
>
> Definitely. I forward all outgoing email through my ISP because sending
> it directly is just too much hassle.
>
> -Tom

After Tom's post I realized it is not that much trouble to just pull the IPs out of the mail logs and blacklist them in shorewall/blacklist. But Tom gave me an idea: since I use I-mail, I found a log analyzer to make things easier, so that way I can add a bunch of IPs at once. It would be neat if you could do this dynamically, but it would require some coding.

Thank you,

Mike
Mike Lander wrote:
> After Tom's post I realized it is not that much trouble to just pull
> the IPs out of the mail logs and blacklist them in shorewall/blacklist.
> But Tom gave me an idea: since I use I-mail, I found a log analyzer to
> make things easier, so that way I can add a bunch of IPs at once.
> It would be neat if you could do this dynamically, but it would
> require some coding.

And it is code that I have no interest in writing.

-Tom
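Tom's suggestion earlier in the thread (watch the MTA log for signs of a dictionary attack, then feed the offending addresses to Shorewall's blacklist with a script) and Mike's closing remark that doing it dynamically "would require some coding" are what the following added example implements. It is not code from the thread, from the Shorewall project or from any of the posters. It assumes the Postfix smtpd reject log format (the sample log lines are constructed here, not taken from any real server), the column layout of the Shorewall 2.x /etc/shorewall/blacklist file (ADDRESS/SUBNET, PROTOCOL, PORTS) and the `shorewall drop ADDRESS` command for the dynamic blacklist; every function name and the `threshold` and `never_block` parameters are the example's own.

```python
"""Mine a Postfix smtpd log for SMTP dictionary-attack sources and turn them
into Shorewall blacklist entries.  Added example, not from the thread."""
import re
from collections import defaultdict

# Postfix logs a rejected RCPT TO for an unknown local user in this shape.
# The enhanced status code ("5.1.1") is missing on older releases, so it is
# optional in the pattern.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9.]+)\]: "
    r"550 (?:\S+ )?<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_unknown_recipient_rejects(log_text):
    """Return (client_ip, recipient) for every 'User unknown' rejection."""
    pairs = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("rcpt").lower()))
    return pairs


def find_attackers(log_text, threshold=10, never_block=frozenset()):
    """Map client IP -> number of distinct unknown recipients it probed,
    keeping only clients at or above the threshold.  Counting distinct
    recipients rather than raw rejects separates a dictionary run from a
    sender retrying one mistyped address.  never_block protects hosts such
    as a backup MX or smarthost that forward other people's junk to us and
    must stay reachable no matter what they log."""
    probed = defaultdict(set)
    for ip, rcpt in parse_unknown_recipient_rejects(log_text):
        probed[ip].add(rcpt)
    return {ip: len(r) for ip, r in probed.items()
            if len(r) >= threshold and ip not in never_block}


def shorewall_blacklist_lines(ips):
    """Entries for /etc/shorewall/blacklist (assumed Shorewall 2.x columns:
    ADDRESS/SUBNET, PROTOCOL, PORTS), restricted to TCP 25 so the host only
    loses SMTP, matching the 'TCP port 25 blacklist' in the thread."""
    return [f"{ip}\ttcp\t25" for ip in sorted(ips)]


def shorewall_drop_commands(ips):
    """'shorewall drop ADDRESS' (assumed command) adds to the dynamic
    blacklist without a restart; note it drops all traffic, not just 25."""
    return [f"shorewall drop {ip}" for ip in sorted(ips)]


def _reject(ip, rcpt, host="unknown"):
    # Constructed sample line in the Postfix smtpd reject format.
    return (f"Feb  9 10:42:01 mx postfix/smtpd[2811]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User "
            f"unknown in local recipient table; from=<spam@example.net> "
            f"to=<{rcpt}> proto=ESMTP helo=<mx>")


_DICT = ["aaron", "abby", "adam", "admin", "alan", "alex", "alice", "amy",
         "andy", "anna", "anne", "art"]  # twelve guesses, a dictionary run
SAMPLE_LOG = "\n".join(
    [_reject("192.0.2.10", f"{n}@example.com") for n in _DICT]             # attacker
    + [_reject("203.0.113.5", "jsmith@example.com")] * 15                  # one typo, retried
    + [_reject("198.51.100.7", "bob@example.com", host="mail.example.org")]  # one mistake
    + [_reject("192.0.2.250", f"{n}@example.com") for n in _DICT[:11]]     # our backup MX relaying junk
    + ["Feb  9 10:43:10 mx postfix/smtp[2900]: 5C1A2: to=<carol@example.com>, "
       "relay=mx.example.org[198.51.100.7]:25, status=sent (250 OK)"]      # normal delivery, ignored
)

if __name__ == "__main__":
    hits = find_attackers(SAMPLE_LOG, threshold=10, never_block={"192.0.2.250"})
    for ip, n in sorted(hits.items()):
        print(f"# {ip}: {n} distinct unknown recipients probed")
    print("\n".join(shorewall_blacklist_lines(hits)))
    print("\n".join(shorewall_drop_commands(hits)))
```

Run against /var/log/mail.log from cron, the output of `shorewall_blacklist_lines` can be appended to /etc/shorewall/blacklist followed by `shorewall refresh` (which, as I recall, reloads the static blacklist without a full restart), or the `shorewall drop` commands can be executed directly. The `never_block` set answers Cristian's "sometimes bad host" objection for the one case where it really applies: a secondary MX or an ISP smarthost will relay a dictionary attack's RCPT TO commands to you and would otherwise be the first thing the script blocks. On the MTA side, Postfix's `smtpd_hard_error_limit` (default 20) disconnects a client after that many errors in one session, which is the closest Postfix equivalent to Eduardo's per-connection recipient cap and costs nothing to enable alongside the firewall rule.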