New mail blocks result of Ralsky's latest attacks?
Suresh Ramasubramanian
suresh at outblaze.com
Fri Oct 10 15:17:51 UTC 2003
Bob German writes on 10/10/2003 8:29 PM:
> A colleague informed me this morning that Alan Ralsky is doing
> widespread brute-force attacks on SMTP AUTH, and they are succeeding,
> mainly because it's quick, painless (for him), and servers and IDS
> signatures don't generally offer protection against them.
>
> Could this be why everyone's locking up their mail servers all of a sudden?
>
> Does anyone know of a way to stop them?
Set up header checks in sendmail / postfix to block all mail with
Received: headers showing Ralsky IPs. PCRE header checks in postfix
would be like -
# Postfix pcre header_checks table: one rule per line (a line that begins
# with whitespace continues the previous rule, so do not let these wrap).
# Ralsky hops from cqnet.com.cn, 211.158.30.0 - 211.158.99.255
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
# Ralsky hops from cta.cq.cn, 218.70.8.0 - 218.70.11.255
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
# Ralsky hops from cta.cq.cn, 218.70.130.0 - 218.70.159.255
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
# Ralsky hops from cta.cq.cn, 219.153.140.0 - 219.153.159.255
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
# Ralsky hops from cncgroup-hl, 218.10.57.0/24
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
srs (yes, this is a rather expensive set of checks)
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
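A dry run of the six Received: rules above, as an added example that is not part of the post and not Postfix code. It models how Postfix's cleanup(8) applies a pcre header_checks table (each header tested against the rules in table order, first match wins, pcre tables case-insensitive by default) so you can see which hops the patterns catch and which they deliberately leave alone before putting them in production. The Received: lines are constructed for the demonstration.

```python
"""Dry-run the Received:-header rules from the post against sample headers.

Added example, not code from the post and not Postfix itself. It mimics
how Postfix applies a pcre header_checks table: every header is tested
against the rules in table order, the first match wins, and pcre tables
match case-insensitively by default. The Received: lines below are
constructed for this demonstration.
"""
import re

EVIDENCE = "See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669"

# The six rules exactly as posted, as (pattern, action), in table order.
HEADER_CHECKS = [
    (r"^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d", "REJECT Ralsky from cqnet.com.cn. " + EVIDENCE),
    (r"^Received:.*(\[|\(|\s)218\.70\.[89]\.\d", "REJECT Ralsky from cta.cq.cn. " + EVIDENCE),
    (r"^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d", "REJECT Ralsky from cta.cq.cn. " + EVIDENCE),
    (r"^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d", "REJECT Ralsky from cta.cq.cn. " + EVIDENCE),
    (r"^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d", "REJECT Ralsky from cta.cq.cn. " + EVIDENCE),
    (r"^Received:.*(\[|\(|\s)218\.10\.57\.\d", "REJECT Ralsky from cncgroup-hl. " + EVIDENCE),
]

# Compile once; re.IGNORECASE mirrors the pcre table's default "i" flag.
COMPILED = [(re.compile(pat, re.IGNORECASE), action) for pat, action in HEADER_CHECKS]


def check_header(header):
    """Return the action string for one unfolded header line, or None.

    Postfix unfolds multi-line headers before matching, so each header
    is passed here as a single line.
    """
    for pattern, action in COMPILED:
        if pattern.search(header):
            return action
    return None


def check_message(headers):
    """Walk a message's headers top to bottom; the first REJECT stops the message.

    Returns (action, offending_header), or (None, None) if nothing matched.
    """
    for header in headers:
        action = check_header(header)
        if action is not None:
            return action, header
    return None, None


# Constructed sample headers, each chosen to exercise one property of the rules.
SAMPLES = {
    # Postfix-style "[ip]" hop inside 211.158.30-99.x -> rule 1
    "bracketed": "Received: from mail.example.net (unknown [211.158.37.12]) by mx.example.com with SMTP",
    # sendmail-style "(host [ip])" form; the "[" before the address satisfies (\[|\(|\s) -> rule 2
    "sendmail": "Received: from x.example.net (x.example.net [218.70.9.201]) by mx.example.com",
    # 218.70.12.x: rule 3 wants 218.70.10-11.x and rule 4 wants 218.70.130-159.x -> no match
    "gap": "Received: from y.example.net (unknown [218.70.12.5]) by mx.example.com",
    # 211.158.3.x: [3456789]\d needs two digits, so the single-digit octet 3 does not match
    "short_octet": "Received: from z.example.net ([211.158.3.12]) by mx.example.com",
    # Same address in a non-Received header: ^Received: anchors the rule -> no match
    "other_header": "X-Originating-IP: [211.158.37.12]",
    # Lower-case header name still matches because the table is case-insensitive -> rule 6
    "lowercase": "received: from w.example.net (unknown [218.10.57.8]) by mx.example.com",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:13s} -> {check_header(header) or 'pass'}")
```

Run it before editing the real header_checks file whenever you change a range: the "gap" and "short_octet" samples show that the patterns cover only the listed sub-ranges, not the whole /16, which is what you want when the rest of the netblock carries legitimate mail.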