[Dshield] Rumplestiltskin Attack

Tom Willett tomw at pigstye.net
Tue Oct 12 16:48:36 GMT 2004

I run a small web and mail server -- three domains about 15 mail users. 
Because I grew tired to the continual hack attempts on my server, a couple 
of weeks ago I started creating some scripts that scanned my web and mail 
logs for common attacks.  When I spotted these attacks I posted the ip of 
the attacker and their attack attempt to a public web page.

This made the email harvesters who query mail servers for email names mad 
apparently because the frequency of the attacks increased dramatically.  
This was starting to overload my mail server so I added a script to block 
the ips at the firewall.  Lest you think I am blocking legitimate attempts 
to transfer mail, the attacks are looking for email addresses with names 
like nppuvlbeyhud or vdkbhqbo, not even dictionary names.

To make the story short the Rumplestiltskin or Dictionary attack has been 
going for over a week.  The probes come about every 10 seconds -- I have 
collected over 2000 different ips of mail servers that are at least open 
relays, most probably have been compromised in other ways.

I have configured the mail server to withstand the attack so far by 
throttling back the number of connections per minute allowed per ip and the 
number of successive 'User unknown's allowed.

You can see my list of compromised mail servers here:


My list of webserver attacks here:


My complete list of spam/virus and mailserver attacks here:


You can find a little more information and longer descriptions and links to 
these pages here:


Tom Willett
tomw AT pigstye.net  (As if that little bit of obfustication will help).

More information about the list mailing list