[Dshield] Rumplestiltskin Attack
tomw at pigstye.net
Tue Oct 12 16:48:36 GMT 2004
I run a small web and mail server -- three domains about 15 mail users.
Because I grew tired of the continual hack attempts on my server, a couple
of weeks ago I started creating some scripts that scanned my web and mail
logs for common attacks. When I spotted these attacks I posted the IP of
the attacker and their attack attempt to a public web page.
This made the email harvesters who query mail servers for email names mad,
apparently, because the frequency of the attacks increased dramatically.
This was starting to overload my mail server so I added a script to block
the IPs at the firewall. Lest you think I am blocking legitimate attempts
to transfer mail, the attacks are looking for email addresses with names
like nppuvlbeyhud or vdkbhqbo, not even dictionary names.
To make a long story short, the Rumplestiltskin or Dictionary attack has been
going on for over a week. The probes come about every 10 seconds -- I have
collected over 2000 different IPs of mail servers that are at least open
relays; most probably have been compromised in other ways.
I have configured the mail server to withstand the attack so far by
throttling back the number of connections per minute allowed per IP and the
number of successive 'User unknown's allowed.
You can see my list of compromised mail servers here:
My list of webserver attacks here:
My complete list of spam/virus and mailserver attacks here:
You can find a little more information and longer descriptions and links to
these pages here:
tomw AT pigstye.net (As if that little bit of obfuscation will help).
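One way to flag the dictionary-attack pattern the post describes (a burst of "User unknown" rejections for random recipient names from a single IP), as an added example that is not the poster's own script; the Postfix-style log format, the sample lines, the IP addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a Postfix-like format (not from the post).
SAMPLE_LOG = """\
Oct 12 16:48:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <nppuvlbeyhud@example.net>: User unknown
Oct 12 16:48:11 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <vdkbhqbo@example.net>: User unknown
Oct 12 16:48:21 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <qwzxkpl@example.net>: User unknown
Oct 12 16:48:30 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <mbtrvcu@example.net>: User unknown
Oct 12 16:49:02 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 <bob@example.net>: User unknown
Oct 12 16:49:40 mx postfix/smtpd[2104]: 3F2A1: from=<alice@example.org>, size=1200
"""

# Matches the syslog timestamp, the connecting IP and the rejected recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?\[(?P<ip>[\d.]+)\]: 550 <(?P<rcpt>[^>]+)>: User unknown"
)


def parse_rejects(log_text, year=2004):
    """Yield (timestamp, ip, recipient) for every 'User unknown' rejection."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"]


def dictionary_attackers(log_text, max_unknown=3, window_seconds=120):
    """Return {ip: count} for IPs that were rejected for more than max_unknown
    distinct unknown recipients inside any window of window_seconds.
    A single typo from a legitimate sender stays below the threshold."""
    hits = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(log_text):
        hits[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {r for t, r in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) > max_unknown:
                flagged[ip] = len(in_window)
                break
    return flagged
```

The flagged dictionary is the input a firewall-blocking step would consume; the window and count thresholds are the knobs that separate a probe stream from an occasional mistyped address.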