SPAM - Stopping Rumpelstiltskin Attacks?
WaldoJ asks: "I often see spammers connecting to my mail servers and attempting to send mail to a series of common first names, usually a dozen or two at a time. A few get through, but most don't, and it's up to me to skim through my logs and manually block their IPs, since they'll inevitably return later on if I don't. Has anybody written a program to halt Rumpelstiltskin attacks after X failed addresses? Or, better yet, one that also automatically adds their IP to Sendmail's access database to block them from returning?"
The best way I found to stop this is to always have two mail servers. One that users use that only allows SMTP AUTH to send mail and one for relaying to that server. Yes, you have two servers, but the front one only stores and forwards. You can then add a bit more checking (virus scanning, type checking, spam check) without affecting your users' server. Usually I sync up the user database on the backend server to virtusers on the front end and reject anything that isn't in virtusers. The front machine may get beat on a bit, but at least the mail that is getting through to the users is valid email.
Then just write a script that monitors the sendmail logs for many rejects and adds that IP address to your access file, blocking it of course.
mail to a series of common first names, usually a dozen or two...
This implies to me that they are delivering to local users, since someone wouldn't be trying to run usernames on a relay server, they would just be dumping mail, and the methods for blocking relays have been, and still are, very readily available. Not once does he mention 'relaying' despite the fact that he knows what he's talking about in his last few sentences.
This space for rent. Call 1-800-STEAK4U
That's a wonderful idea. It's somewhat counter-intuitive, but quite helpful. I'll run a quick filter on my logs and figure out what the most common first name being tried is. Then I'll set up procmail to block the user.
Not the ideal solution, but an excellent one nonetheless.
-Waldo
Well, I'll say it explicitly now: this is mail to local users. You're right, it would be stupid of me to permit relaying so, of course, I don't allow it. If my server is example.com, I would see attempts to send mail that look like this:
david@example.com
dan@example.com
mike@example.com
bill@example.com
And so on. It really bugs me.
Waldo
Pick a common name that is NOT a valid user on your system (perhaps Aaron, since that may be one of the first they try). Set up a filter that blocks the sender of any mail to that name.
bp
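Both the log-watching script suggested earlier in the thread (block an IP after X "User unknown" rejects and add it to the access file) and bp's trap-name idea just above can be driven from the same sendmail reject log lines, so here is one added example that does both. This is illustrative code written for this page, not anything the posters ran: the log lines are constructed, the trap name `aaron`, the threshold `MAX_UNKNOWN = 5`, and the regex for sendmail's reject format are all assumptions, and sendmail's exact log wording varies with version and LogLevel, so check the regex against your own maillog before trusting it.

```python
"""Detect Rumpelstiltskin (recipient dictionary) attacks in sendmail logs.

Added example for this thread, not code from any poster. Two detections:
  1. a client IP exceeding MAX_UNKNOWN "User unknown" rejects (the X in the question);
  2. a client IP that addressed a trap name with no real mailbox (bp's suggestion).
Both produce sendmail access-db entries (Connect:IP<TAB>REJECT).
"""
import re
from collections import Counter

MAX_UNKNOWN = 5          # block after this many unknown recipients (assumed X)
TRAP_NAMES = {"aaron"}   # hypothetical trap name(s) that are not real users

# One reject line carries the connecting relay and the rejected recipient.
# Assumed format: "relay=[host ][ip], ... reject=550 5.1.1 <rcpt>... User unknown";
# adjust to your own sendmail version / LogLevel.
REJECT_RE = re.compile(
    r"relay=(?:\S+\s)?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*?"
    r"reject=550 [0-9.]+ <(?P<rcpt>[^>]+)>\.\.\. User unknown"
)

# Constructed sample log (not real traffic): one host walks a list of first
# names, one host touches only the trap name, one host makes a single typo,
# and one line is an ordinary accepted message that must be ignored.
SAMPLE_LOG = """\
Mar  5 10:12:01 mx sendmail[12345]: h25FC1xx012345: ruleset=check_rcpt, arg1=<david@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <david@example.com>... User unknown
Mar  5 10:12:01 mx sendmail[12345]: h25FC1xx012345: ruleset=check_rcpt, arg1=<dan@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <dan@example.com>... User unknown
Mar  5 10:12:02 mx sendmail[12345]: h25FC1xx012345: ruleset=check_rcpt, arg1=<mike@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <mike@example.com>... User unknown
Mar  5 10:12:02 mx sendmail[12345]: h25FC1xx012345: ruleset=check_rcpt, arg1=<bill@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <bill@example.com>... User unknown
Mar  5 10:12:03 mx sendmail[12345]: h25FC1xx012345: ruleset=check_rcpt, arg1=<john@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <john@example.com>... User unknown
Mar  5 10:12:03 mx sendmail[12345]: h25FC1xx012345: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <aaron@example.com>... User unknown
Mar  5 10:15:44 mx sendmail[12350]: h25FFixx012350: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=spam.example.net [198.51.100.7], reject=550 5.1.1 <aaron@example.com>... User unknown
Mar  5 10:20:09 mx sendmail[12360]: h25FK9xx012360: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <bob@example.com>... User unknown
Mar  5 10:21:30 mx sendmail[12361]: h25FLUxx012361: from=<alice@example.org>, size=812, class=0, nrcpts=1, relay=[192.0.2.10]
"""


def parse_rejects(lines):
    """Yield (client_ip, recipient_localpart) for each unknown-user reject line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            local = m.group("rcpt").split("@", 1)[0].lower()
            yield m.group("ip"), local


def find_attackers(lines, max_unknown=MAX_UNKNOWN, trap_names=TRAP_NAMES):
    """Return {client_ip: reason} for every IP that should be blocked."""
    counts = Counter()
    trapped = {}
    for ip, local in parse_rejects(lines):
        counts[ip] += 1
        if local in trap_names:
            trapped[ip] = local          # one hit on a trap name is enough
    blocked = {}
    for ip, n in counts.items():
        if n >= max_unknown:
            blocked[ip] = f"{n} unknown recipients"
    for ip, name in trapped.items():
        blocked.setdefault(ip, f"mail to trap address {name}")
    return blocked


def access_entries(blocked):
    """Render sendmail access-db lines for the blocked IPs, sorted for a stable diff."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_attackers(SAMPLE_LOG.splitlines())
    for ip, why in sorted(hits.items()):
        print(f"# {ip}: {why}")
    print("\n".join(access_entries(hits)))
```

In use you would feed `/var/log/maillog` (or its tail) to `find_attackers`, append the emitted lines to `/etc/mail/access`, and rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access` so sendmail's `FEATURE(access_db)` picks them up. With the two-server layout described earlier in the thread the `relay=` address on the front end is the remote client's, which is what you want to block; a single host that makes one typo (192.0.2.10 above) stays under the threshold and is left alone.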
Well... they allow outside connections so your users can receive mail. They aren't talking about someone relaying off your server, we're talking about someone simply trying every common username AT your server, to try to deliver mail to your users.
Of course, that wouldn't work, because your firstborn child is already given away as part of the Microsoft EULA.
--The basis of all love is respect
Just use the RBL.
I had this kind of attack done to me and I set up RBL in Sendmail (in SuSE, simply uncomment a few lines in /etc/mail/linux.mc and regenerate your sendmail.cf).
Haven't had a problem since, and not one spam has gotten through since.
Somewhat related: My RoadRunner account gets very little spam, maybe 2 or 3 a week, despite my publishing the address everywhere. The account for my local ISP (yes, I have RoadRunner in a different city. They let me host websites) gets a lot more spam, like 10 a week, despite my never having given it out ever. I just use it for getting service messages.
It seems that RoadRunner has some decent methods for preventing spam, but I don't know what they are. I wish every ISP used the RBL...
by using the MAPS Dial-up User List
Assuming the spammers are using dial-up, this would force them to use a relay server (one that is not listed as a dial-up IP) to get mail to you, which most legitimate users mailing you would already be doing.
Of course, if they use an open relay you're back to square one, but this is a decent first step.
Need a Catering Connection
--
Spelling by m-w.com.
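The RBL post and the MAPS Dial-up User List suggestion both rely on the same mechanism, a DNS-based blocklist: the MTA reverses the octets of the connecting IP, appends the list's zone, and treats an A record answer (by convention in 127.0.0.0/8) as "listed". The following added example, written for this page and not taken from any poster or from the MAPS project, shows that lookup end to end and runs offline against a constructed answer table; the zone names ending in `.example.invalid`, the client addresses, and the `127.0.0.x` codes are all placeholders, and the IPv6 nibble form goes beyond what the thread discusses.

```python
"""How a DNS-based blocklist (RBL / DUL) lookup works.

Added example for this thread, not from any poster or list operator. The
resolver is injectable so the code runs offline against FAKE_DNS; pass
default_resolver for live DNS. Zone names and client IPs are placeholders.
"""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets (or reversed IPv6 nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        # IPv6 lists use one label per hex nibble, least significant first
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def default_resolver(name):
    """Live DNS: return the A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolver=default_resolver):
    """Return the 127.0.0.x listing code if ip is in zone, else None."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    # Only 127.0.0.0/8 answers are listing codes. Anything else (a wildcard
    # from a dead list, a captive portal, an ISP "helpful" NXDOMAIN rewrite)
    # must not be taken as a hit, or you block everyone.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None


def check_client(ip, zones, resolver=default_resolver):
    """Check one connecting IP against several lists; return {zone: code} for hits."""
    hits = {}
    for zone in zones:
        code = is_listed(ip, zone, resolver)
        if code:
            hits[zone] = code
    return hits


# Constructed answer table standing in for live DNS (hypothetical zones).
FAKE_DNS = {
    "5.113.0.203.dul.example.invalid": "127.0.0.3",   # address in a dial-up pool
    "7.100.51.198.rbl.example.invalid": "127.0.0.2",  # known spam source
    "8.100.51.198.rbl.example.invalid": "10.0.0.1",   # bogus non-127/8 answer
}


def fake_resolver(name):
    """Offline stand-in for default_resolver, backed by FAKE_DNS."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    zones = ["rbl.example.invalid", "dul.example.invalid"]
    for client in ["203.0.113.5", "198.51.100.7", "198.51.100.8", "192.0.2.10"]:
        print(client, check_client(client, zones, fake_resolver) or "not listed")
```

Sendmail does this lookup itself once you enable `FEATURE(dnsbl)` with a zone in your `.mc` file, which is what the uncommented lines in the SuSE config amount to; the point of spelling it out is the 127.0.0.0/8 check, because a list that is shut down and wildcarded, or a resolver that rewrites NXDOMAIN, will otherwise turn every client into a "hit". For the DUL case, a listed dial-up client is refused at connect time and has to hand its mail to its ISP's relay first, exactly as the post describes.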