[63805] in North American Network Operators' Group


Re: New mail blocks result of Ralsky's latest attacks?

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Fri Oct 10 11:26:20 2003

Date: Fri, 10 Oct 2003 20:47:51 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Bob German <bobgerman@irides.com>
Cc: nanog@merit.edu
In-Reply-To: <00f901c38f3f$255e3b30$2001a8c0@potomacdomain.com>
Errors-To: owner-nanog-outgoing@merit.edu


Bob German writes on 10/10/2003 8:29 PM:

> A colleague informed me this morning that Alan Ralsky is doing 
> widespread bruteforce attacks on SMTP AUTH, and they are succeeding, 
> mainly because it's quick, painless (for him), and servers and IDS 
> signatures don't generally offer protection against them.
>  
> Could this be why everyone's locking up their mail servers all of a sudden?
>  
> Does anyone know of a way to stop them?

Set up header checks in sendmail / postfix to block all mail with 
Received: headers showing Ralsky IPs.  PCRE header checks in postfix 
would be like -

/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/  REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/          REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/         REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/      REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/      REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/            REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669

	srs (yes, this is a rather expensive set of checks)

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
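Added example, not part of the post above: a small Python harness that parses Postfix pcre header_checks rules of the kind Suresh quotes, applies them to sample Received: headers the way header_checks would, and audits which /24s a rule's regex actually covers, so an operator can confirm the intended ranges before paying for the check on every message. The rule subset, sample headers and network ranges are constructed for the example.

```python
import re
import ipaddress

# Constructed subset of the rules from the post, one rule per line
# (Postfix header_checks syntax: /pattern/ ACTION optional-text).
HEADER_CHECKS = r"""
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/  REJECT Ralsky from cqnet.com.cn
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/          REJECT Ralsky from cta.cq.cn
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/            REJECT Ralsky from cncgroup-hl
"""

# /pattern/ action text  (pattern may contain backslash escapes, but no bare '/')
RULE_RE = re.compile(r"^/(?P<pat>(?:[^/\\]|\\.)*)/\s+(?P<action>\S+)\s*(?P<text>.*)$")


def parse_header_checks(table: str):
    """Parse a pcre-style header_checks table into (regex, action, text) tuples."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        # Postfix pcre tables match case-insensitively unless the 'i' flag is cleared.
        rules.append((re.compile(m.group("pat"), re.IGNORECASE),
                      m.group("action"), m.group("text")))
    return rules


def check_headers(rules, headers):
    """Return (action, text) of the first rule matching any header, else None.

    Mirrors header_checks: each header line is tested against the table in
    order and the first hit decides."""
    for header in headers:
        for pat, action, text in rules:
            if pat.search(header):
                return action, text
    return None


def matched_networks(rule_pat, base):
    """List the /24s inside `base` (e.g. a /16) whose addresses the regex catches.

    Useful to audit loose patterns such as [3456789]\\d, which covers .30-.99."""
    nets = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=24):
        sample = str(net.network_address + 1)          # e.g. 211.158.30.1
        if rule_pat.search(f"Received: from relay (unknown [{sample}])"):
            nets.append(str(net))
    return nets
```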

