[Dshield] SASL Hacks & Swatch Alternative

Tony Earnshaw tonye at billy.demon.nl
Thu Mar 3 12:57:37 GMT 2005


David Cary Hart:

> We are continuing to get attempts to relay mail by hacking at SASL
> authentication. The problem is solved with strong pwds and swatch watching
> maillog for failed attempts and then executing a script to immediately add a
> tarpit rule to IPTables.
>
> That said, swatch is a bit messy and, possibly, a tad unstable. I've
> googled, freshmeated and sourceforged to death without success. Any
> suggestions? I need a log watcher that can execute a script based upon pcre in
> real time.

I don't suppose you've changed your MTA from Postfix ;)

Can you track down the offending IPs to cidr ranges?

Example: 'jwhois 211.200.11.3' (get jwhois if you don't have it), get a handle
on the IP range or cidr-delimited range. Use Liviu Daia's Perl script (posted
to the Postfix list, I can let you have a copy) or aggis
(http://www.lafferty.ca/software/aggis) to break down a range into a
cidr-limited range or simply use the cidr one given. Then block that with a
Postfix cidr smtpd_sender_restrictions rule.

It works well with a lowish-volume site that I administer; I've got dozens of
ranges that I block against proven spam and virus merchants; because they're
all "rogue" ranges (Asia-APNIC, DUL, home DSL etc), this works well in
combination with 4 or 5 carefully-selected RBLs, and I don't even have to run
anti-spam stuff.

Best,

--Tonni

--
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
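A worked example, added here and not part of the thread, of the two halves the posts describe: matching Postfix SASL authentication-failure lines in maillog (the swatch/pcre job) and emitting a cidr: table of the kind check_client_access consumes in a Postfix restriction list. The log lines are constructed for the example, and the /24 prefix is a stand-in for the range a jwhois lookup would actually give.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample maillog lines in Postfix smtpd format (not from the thread).
SAMPLE_LOG = """\
Mar  3 12:01:02 mx postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 12:01:05 mx postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 12:01:09 mx postfix/smtpd[2213]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 12:02:41 mx postfix/smtpd[2220]: warning: host.example.net[198.51.100.22]: SASL LOGIN authentication failed: authentication failure
Mar  3 12:03:00 mx postfix/smtpd[2224]: 3F2A1: client=relay.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
"""

# Captures the client IP from a Postfix smtpd SASL failure warning; successful
# logins and unrelated smtpd lines do not match.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)

def failed_auth_counts(log_text):
    """Count SASL authentication failures per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold):
    """Client IPs with at least `threshold` failures, sorted numerically."""
    return sorted((ipaddress.ip_address(ip) for ip, n in counts.items()
                   if n >= threshold), key=int)

def cidr_table(ips, prefixlen=24):
    """Render a Postfix cidr: table rejecting the /prefixlen around each offender.
    prefixlen is a constructed stand-in for the range whois/aggis would report."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return "\n".join(f"{net}\tREJECT repeated SASL authentication failures"
                     for net in sorted(nets, key=lambda n: int(n.network_address)))

if __name__ == "__main__":
    # Three failures from one host trip the threshold; the single failure does not.
    print(cidr_table(offenders(failed_auth_counts(SAMPLE_LOG), threshold=3)))
```

The rendered table is what you would point a check_client_access cidr:/path entry at, after postmap is not needed (cidr: tables are read directly by Postfix).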