BFD-0.6 has rules for exim and pure-ftpd
Does this mean that Dictionary Attack ACL can be removed from Exim?
Anup
Well, it looks like BFD does only a basic check for dictionary attacks, and it gives them 20 chances by default. Far too many IMO. But I understand why it is set so high, and in the end it's probably a good thing for those using Chirpy's dictionary ACL.
While it may work, I feel that Chirpy's dictionary ACL offers a much more useful set of functions - mainly clearing down the blocked IP list on a scheduled basis, whereas BFD will simply add that IP to deny_hosts.
Personally, I don't like the method used with BFD for the following reasons:
1. If you get a lot of spam through dictionary attacks, then your iptables will become huge (since zombie PCs are usually used, so it's not uncommon to see tens of thousands of separate IP addresses coming in). This could cause serious overhead for all of your network traffic.
2. It doesn't provide a regular method of purging, so innocent mistakes will be permanently blocked.
3. It not only blocks port 25 access, but access to the whole server (pretty pointless if it's a spammer).
4. You have no way to distinguish IP addresses blocked for RCPT failures from those added to your iptables firewall for any other misdemeanour, which makes 1. very difficult to script.
So, I would recommend not using it and continuing with the dictionary attack ACL, which provides a method to clear down IP addresses regularly and only imposes a small overhead, and only for mail.
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
I am sure I missed out on the auto purging since I never really checked for updated features on the Dictionary Attack ACL ever since I had it going.
Fine, what you say was on my mind with regard to complete blockage, and I had been carefully following the BFD mails. So in order to not use BFD's rule, would deleting rules/exim be fine?
Thanks
Anup
Yup, just delete the file. It simply picks up whatever files that you do have within the rules/ subdirectory of BFD.
Jonathan Michaelson
Thanks. I just updated the Dictionary Attack ACL and deleted the exim rule.
If there could be something similar for high spam IPs like the following:
One IP starts sending high score SPAM mails (say I reject at 20+).
Once more than 3/4/5 (configurable) are rejected then, just like the Dictionary Attack ACL, the IP is denied connection for 1 hour (or maybe less -- again configurable). This could perhaps reduce the load on SA. Just a thought, I could just be sounding weird though.
Thanks
Anup
Well, with the dictionary attack ACL in the place where I have indicated, emails from an identified source don't get anywhere near SA - the connection to the offending server is dropped before any of the email DATA hits the server for the duration that it is in /etc/exim_deny - if they re-offend after an hour, they'll be blocked again for another hour.
Jonathan Michaelson
Agreed. Actually I meant the following scenario:
(1) IP is not a Dictionary Attack IP.
(2) It sends out high scoring SPAM.
The recipient domain in question has a "catchall" type of setup.
With mail passing through (1), it gets rejected at (2) (20+ score) but after causing load. Say this IP sent out "n" mails in a short burst directed towards the catchall account type of setup.
Now with such an IP, have something similar to the Dictionary Attack ACL to block this IP (high spam score) for a configurable period of time.
Thanks
Anup
Ah! I understand. Hmmm, that's got me thinking...
All you'd need to do would be to append the offending IP address to /etc/exim_deny after doing the SA checks. Hmmm.
Jonathan Michaelson
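An Exim ACL sketch of the approach described in the two posts above (the sender IP appended to /etc/exim_deny after the SpamAssassin check, and connections from listed IPs dropped at connect time, as the dictionary attack ACL already does). This is an added illustration, not Chirpy's ACL and not cPanel's own configuration; the ACL names acl_check_connect and acl_check_data, the 20.0 threshold, and the reliance on the existing hourly purge of /etc/exim_deny are assumptions.

```exim
# Added example, not the original ACL.  Assumes the DATA ACL is named
# acl_check_data and the connect ACL acl_check_connect (use whatever
# names acl_smtp_data / acl_smtp_connect point to in your config), and
# that /etc/exim_deny is already cleared down hourly by the scheduled
# job the dictionary attack ACL uses, so a listing expires by itself.

acl_check_connect:
  # Any IP already listed in /etc/exim_deny is dropped before HELO, so
  # its messages never reach SpamAssassin while the listing lasts.
  # A list item beginning with "/" is read as a file, one host per line.
  drop  hosts   = /etc/exim_deny
        message = Connection from $sender_host_address refused for repeated high scoring spam

  accept

acl_check_data:
  # Run SpamAssassin; "nobody:true" makes this condition always succeed
  # so the score can be tested by the statements that follow
  # ($spam_score_int is the score multiplied by 10).
  warn  spam      = nobody:true

  # Score above 20.0 (constructed threshold): record the sending IP so
  # its next connection is dropped in acl_check_connect.  The "set"
  # modifier is only used to trigger the ${run...} expansion.
  warn  condition = ${if >{$spam_score_int}{200}}
        logwrite  = High scoring spam ($spam_score) from $sender_host_address, added to /etc/exim_deny
        set acl_m0 = ${run{/bin/sh -c "echo $sender_host_address >> /etc/exim_deny"}}

  # Reject the message itself as before.
  deny  condition = ${if >{$spam_score_int}{200}}
        message   = Rejected as spam (score $spam_score)

  accept
```

Because the listing is written only after a message has been scanned, the first high scoring message from an IP still costs one SpamAssassin run; everything from that IP for the rest of the hour is refused at connect time.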
Yup. So that the same IP doesn't trigger SA again for the duration that it stays in exim_deny.
The idea is that with heavy traffic on an SA enabled server, more legitimate mail can be pushed through.
Thanks
Anup
The idea of exim_deny-ing mail sent from IPs where mail from the same IP was previously tagged as high scoring spam seems like the best idea I've heard of in a while.
If anyone could suggest a way of doing this I'm sure a lot of people could benefit from it. I wish I knew how . . .
Jonathan@Chirpy is the person who can do it (or perhaps has already done it and is waiting for tests to complete before releasing). Just waiting.
Anup
Yes, from the above I can almost hear the gears of Chirpy's brain working . . .
Originally Posted by chirpy: It's on my todo list!
Jonathan Michaelson