Stopping Rumpelstiltskin Attacks?

slack66 · 06-24-2004, 06:04 AM

now i know what going on inside my mail server.... i notice in my /var/log/maillog the ff:

Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <douglas@mydomain.com>... User unknown
Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <elliott@mydomain.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fleming@mydomain.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fletcher@mydomain.com>... User unknown
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK0001070: from=<claribelstrobel@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=HOST20917525277.hosts.lincon.net [209.175.252.77] (may be forged)
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK1001070: <graves@mydomain.com>... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: <hammond@mydomain.com>... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: from=<raguelyamat@logo2mob.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=HOST20917525277.hosts.lincon.net [209.175.252.77] (may be forged)

i been attack!!! By so called "Rumpelstiltskin" i read it in one of the forum but unfortunately they only discuss the attack not the prevention

or the
counter measure. pls help me...its for weeks now went the attack occur in my server. iam affraid it will halt my mailserver

chort · 06-24-2004, 02:29 PM

That's the first time I've seen it called anything other than "Directory Harvesting Attack", which is what the e-mail security industry calls it. With Sendmail alone there isn't really anything you can do, but there are a few steps you could take.

Use iptables to rate-limit the amount of connections to port 25/TCP from a single IP within a certain amount of time.

Write a script to check your mail log for a certain number of "User unknown" errors in a certain period of time and display the offending IP address (so you can block it, either with Sendmail relay restrictions or with iptables). Note that you'll have to turn up your level of logging detail in Sendmail to get more information displayed about each connection attempt.

slack66 · 06-24-2004, 10:40 PM

hmm?? sorry iam not too good in linux

can you pls give me example of how to limit the rate of a single ip? it will be a great help for me

pls

ppuru · 06-24-2004, 10:45 PM

You can edit sendmail.cf and set

PrivacyOptions=goaway

This will stop the EXPN and VRFY probes.

slack66 · 06-25-2004, 04:51 AM

hi! ppuru

i already do that

but unfortunatelly it did not stop the guessing
do you think if i enable the dbl feature in sendmail.mc it will help?

ppuru · 06-25-2004, 05:10 AM

you cannot stop someone from connecting to port 25 on your system unless you specifically want to exchange mails only with a few known servers.

You may want to install anti-spam software like spamassassin.

chort · 06-25-2004, 11:50 AM

There's no way to stop someone from guessing by using the RCPT TO command, that's just the way e-mail works. Your options are to limit the rate of connections and/or examine your logs for harvesting attacks and block those IPs.

I see that Sendmail 8.13.0 is out now and has rate limiting and message quarantining. Of course, I would recommend using Postfix rather than Sendmail. for reasons of speed, simplicity, and security.