From: Victoriano Giralt on 22 Jun 2010 02:18

On 22/6/10 0:01, mouss wrote:
> motty.cruz wrote:
>> Hello all,
>> What is the best way to protect against directory attack?
>> [snip]
>
> how about: don't care?
>
> # postlog.pl
>
> Recipient unknown..................: 58.35 %
> ...
>
> it's been so since a long time and the world didn't collapse here.

If you manage to cut them before they hit any real address you avoid crud entering your user's mailboxes.

We have a testing list with a funny familiar Spanish name (that is in dictionaries for sure) but it is not published anywhere and sends nothing to the outside world, and we are getting spam in the moderation queue of the thing!

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN

From: Charles Marcus on 22 Jun 2010 06:54

On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
> If you manage to cut them before they hit any real address you avoid
> crud entering your user's mailboxes.

It's called recipient validation, and if you aren't doing it, you're doing it wrong.

> We have a testing list with a funny familiar Spanish name (that is in
> dictionaries for sure) but it is not published anywhere and sends
> nothing to the outside world, and we are getting spam in the moderation
> queue of the thing!

So add a spam filter. Just because an address isn't published anywhere doesn't mean it won't be targeted.

From: Victoriano Giralt on 22 Jun 2010 08:47

On 22/6/10 12:54, Charles Marcus wrote:
> On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
>> If you manage to cut them before they hit any real address you avoid
>> crud entering your user's mailboxes.
>
> It's called recipient validation, and if you aren't doing it, you're
> doing it wrong.

We DO recipient validation. I'm talking about cutting off the client before they hit a good one. The point I was making is that if you use something like fail2ban that detects an IP address that is doing a dictionary attack, and blocks the connection, you reduce the probability of finding a recipient that will get validated.

> So add a spam filter. Just because an address isn't published anywhere
> doesn't mean it won't be targeted.

I know that, been doing email since '85. We are not allowed to filter mail (except viruses) by policy. So we need other anti spam measures, once we accept mail we MUST deliver it (except for viruses).

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN

From: Charles Marcus on 22 Jun 2010 10:47

On 2010-06-22 8:47 AM, Victoriano Giralt wrote:
> On 22/6/10 12:54, Charles Marcus wrote:
>> On 2010-06-22 2:18 AM, Victoriano Giralt wrote:
>>> If you manage to cut them before they hit any real address you avoid
>>> crud entering your user's mailboxes.

> We DO recipient validation. I'm talking about cutting off the client
> before they hit a good one. The point I was making is that if you use
> something like fail2ban that detects an IP address that is doing a
> dictionary attack, and blocks the connection, you reduce the probability
> of finding a recipient that will get validated.

Ahh... you are attempting to hide your valid recipients. Security through obscurity is a waste of time and resources imo.

I use fail2ban, but only to block hack attempts... I don't care much about someone finding out who the valid recipients are, I'm much more concerned with someone trying to crack a password...

> We are not allowed to filter mail (except viruses) by policy. So we
> need other anti spam measures, once we accept mail we MUST deliver
> it (except for viruses).

That's what I meant - add an after-queue filter and TAG+Deliver it. Use sieve to deliver it to a Spam folder if desired.

--
Best regards,
Charles

From: Victoriano Giralt on 22 Jun 2010 11:02

On 22/6/10 16:47, Charles Marcus wrote:
>> We DO recipient validation. I'm talking about cutting off the client
>> before they hit a good one. The point I was making is that if you use
>> something like fail2ban that detects an IP address that is doing a
>> dictionary attack, and blocks the connection, you reduce the probability
>> of finding a recipient that will get validated.
>
> Ahh... you are attempting to hide your valid recipients. Security
> through obscurity is a waste of time and resources imo.

No. I think I'm not making the point through. It is clear we are in the same boat, I also despise security by obscurity.

> I use fail2ban, but only to block hack attempts... I don't care much
> about someone finding out who the valid recipients are, I'm much more
> concerned with someone trying to crack a password...

Sure! But, once we have fail2ban in place, and watching over the logs, it costs nothing to stop someone running a list trying to deliver some crud. I compare this to the SSH attacks: nowadays it is not safe to have passwords for SSH authentication, but that does not preclude cutting access of list attackers with the likes of fail2ban so they do not lock resources like TCP sockets or CPU cycles, or generate too much "noise" in the logs.

> That's what I meant - add an after-queue filter and TAG+Deliver it. Use
> sieve to deliver it to a Spam folder if desired.

Agreed. Deciding on content should be in the hands of users, but, please, do not start a flame over this. It will depart from the OP question.

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
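
An added example, not part of the thread or of fail2ban itself: the per-client counting that a fail2ban-style jail applies to Postfix "User unknown" rejections, run over constructed log lines. The function name, the `max_retry`/`find_time` defaults, the host name and the documentation-range IP addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd reject logged when recipient validation finds no such user.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <[^>]*>: Recipient address rejected: User unknown"
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2010):
    """Map client IP -> time of the reject that reached max_retry within find_time."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m or m["ip"] in offenders:
            continue
        # Syslog timestamps carry no year, so it is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop rejects older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders[m["ip"]] = ts         # the point where a ban would start
    return offenders

def _reject(ts, ip, rcpt):
    """Build one constructed log line in Postfix's reject format."""
    return (f"Jun 22 {ts} mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}@example.org>: Recipient address "
            f"rejected: User unknown in local recipient table; from=<> "
            f"to=<{rcpt}@example.org> proto=ESMTP helo=<client>")

# Constructed sample: one client walking a name list, one making stray typos.
SAMPLE_LOG = [
    _reject("02:00:00", "198.51.100.7", "jhon"),
    _reject("02:10:01", "192.0.2.10", "aaron"),
    "Jun 22 02:10:02 mx postfix/smtpd[4121]: connect from unknown[203.0.113.5]",
    _reject("02:10:03", "192.0.2.10", "abel"),
    _reject("02:10:05", "192.0.2.10", "adam"),
    _reject("02:15:00", "198.51.100.7", "jon"),
    _reject("02:30:00", "198.51.100.7", "john"),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
```

The client with three rejects inside the window is flagged, while the one whose mistyped addresses arrive 15 minutes apart never accumulates enough hits to trip the threshold.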