[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: rumplestiltskin email attacks...



>  From: redhat-list-admin redhat com
>  [mailto:redhat-list-admin redhat com]On Behalf Of Bill Dossett
>  Sent: Thursday, May 01, 2003 12:13 PM
>  Hi,
>
>  I've been getting the rumplestiltskin attack
>  for ages now and I'm kinda sick of it... especially
>  when I'm having other mail server problems,
>  not really too keen on this.  Just wondered
>  if anyone had found an effective way of stopping
>  it... using redhat8 and sendmail and procmail...
>  the rumplestiltskin attack basically tries to mail
>  to everyone they can think of at your domain.com...
>  and they either get a user unknown or, if they don't,
>  the address is valid and gets sold on to lists.
>  I found a perl script that attempts to stop it
>  by putting a host route from the sending host to
>  an ip address with no machine on it... and this
>  works, but the attackers seem to have moved on
>  and by the end of the day yesterday, I had collected
>  over 800 ip addresses that they were doing it from...
>  sheesh, there must be more compromised computers
>  out there than anyone really knows... or open relays...
>  but anyway, does anyone know of any sendmail or procmail
>  magic that I could use to stop this?  It has to be
>  _the_ most annoying use of bandwidth that I can think
>  of.
>
>  Cheers
>  Bill
>

I run the latest release of sendmail. It deals with this type of attack
by detecting it via the "too many unknown users at this domain" constraint.
You can set one of the config parameters to
control "how many email addresses are permitted per mailing list".
Check the sendmail documentation.
It will also slow down the connection from the source IP if it detects
this kind of attack.

The thing I am working on now is a scanner for the maillog file that will
pick up my blacklist entries and other entries such as these, ID the source
IPs, and create access file entries and Cisco ACLs for me automatically.

Yes, and it seems like you block 400 IP addresses and another 400 magically
replace them... you can never win. I don't know if they can use IP address
spoofing for these types of connections, since they need to complete the
connection to send their emails and do address probes. A DoS attack can just
spoof the return IP and hose up your sendmail server. I am assuming therefore
they are all real compromised servers, and I counted over 4,000 at this point.
The blacklists stop most of them. The Cisco ACLs will lighten the load.

I am setting up a Cisco border router and its ACLs, which will then block
all connections from these IP addresses. This means that eventually my
firewall and sendmail servers will hopefully have less to contend with
over time.
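The maillog scanner described in the reply above, worked through as an added example. This is not the poster's script or anything shipped with sendmail: it is a stand-alone Python sketch that reads sendmail syslog lines, counts SMTP-time "User unknown" rejections per connecting IP, and emits sendmail access-map entries and Cisco IOS ACL lines for every host over a threshold. The log lines, queue IDs and addresses are constructed for the example, and the two regular expressions are assumptions about the syslog wording (check them against a real maillog before trusting them). The threshold is there so that a legitimate peer that mistypes one address is not blacklisted alongside a dictionary harvester.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sendmail syslog output (not a real maillog). Three
# hosts probe for unknown users; one of them is a partner that got a single
# address wrong, and one "rejection" comes from localhost and must be ignored.
SAMPLE_MAILLOG = """\
May  1 12:13:01 mx sendmail[4101]: h41BD1x4004101: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown
May  1 12:13:02 mx sendmail[4101]: h41BD1x4004101: ruleset=check_rcpt, arg1=<abbey@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abbey@example.com>... User unknown
May  1 12:13:02 mx sendmail[4101]: h41BD1x4004101: ruleset=check_rcpt, arg1=<abbot@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abbot@example.com>... User unknown
May  1 12:13:05 mx sendmail[4103]: h41BD5x4004103: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <bob@example.com>... User unknown
May  1 12:13:06 mx sendmail[4103]: h41BD6x4004103: ruleset=check_rcpt, arg1=<bobby@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <bobby@example.com>... User unknown
May  1 12:13:07 mx sendmail[4104]: h41BD7x4004104: ruleset=check_rcpt, arg1=<billd@example.com>, relay=mail.partner.example [203.0.113.5], reject=550 5.1.1 <billd@example.com>... User unknown
May  1 12:13:08 mx sendmail[4105]: h41BD8x4004105: from=<joe@example.com>, size=1234, class=0, nrcpts=1, msgid=<x@example.com>, proto=ESMTP, daemon=MTA, relay=[10.0.0.5]
May  1 12:13:09 mx sendmail[4106]: h41BD9x4004106: ruleset=check_rcpt, arg1=<typo@example.com>, relay=localhost [127.0.0.1], reject=550 5.1.1 <typo@example.com>... User unknown
"""

# Assumed syslog wording: "relay=[ip]" when there is no reverse DNS, or
# "relay=name [ip]" when there is, and "reject=550 ... User unknown" for a
# recipient refused at RCPT time.
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\]")
UNKNOWN_RE = re.compile(r"reject=550 .*User unknown")

# Hosts we must never block: loopback and RFC 1918 space. (ipaddress's
# is_private is deliberately not used; it also flags the 192.0.2.0/24 style
# documentation ranges that the constructed sample happens to use.)
LOCAL_NETS = [ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_ip(line):
    """Return the connecting host's IP from a sendmail log line, or None."""
    m = RELAY_RE.search(line)
    if not m:
        return None
    try:
        ip = ip_address(m.group("ip"))
    except ValueError:
        return None
    if any(ip in net for net in LOCAL_NETS):
        return None
    return str(ip)


def count_unknown_rcpts(lines):
    """Count 'User unknown' rejections per external source IP."""
    counts = Counter()
    for line in lines:
        if UNKNOWN_RE.search(line):
            ip = source_ip(line)
            if ip:
                counts[ip] += 1
    return counts


def offenders(counts, threshold):
    """IPs that hit the threshold, sorted so output is stable across runs."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def access_entries(ips):
    """sendmail 8.12 access-map lines (rebuild the map with makemap after)."""
    return ["Connect:%s\tREJECT" % ip for ip in ips]


def cisco_acl(ips, number=110):
    """IOS extended ACL: drop SMTP from each offender, permit everything else."""
    lines = ["access-list %d deny tcp host %s any eq smtp" % (number, ip)
             for ip in ips]
    lines.append("access-list %d permit ip any any" % number)
    return lines


if __name__ == "__main__":
    counts = count_unknown_rcpts(SAMPLE_MAILLOG.splitlines())
    bad = offenders(counts, threshold=2)
    print("\n".join(access_entries(bad)))
    print("\n".join(cisco_acl(bad)))
```

On the sample, 192.0.2.10 and 198.51.100.7 cross the threshold of two unknown recipients and get both an access-map `REJECT` and an ACL deny; the partner host with one mistyped address and the localhost relay are left alone. In production the threshold would be applied per time window rather than over the whole file, and the ACL should be generated in full each time (deny lines followed by the final permit) so that a partial run never leaves the router with an ACL that blocks everything.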
