
List:       dshield
Subject:    Re: [Dshield] SASL Hacks & Swatch Alternative
From:       David Cary Hart <DavidHart () TQMcube ! com>
Date:       2005-03-03 19:16:36
Message-ID: 1109877396.8331.13.camel () dch ! TQMcube ! com

On Thu, 2005-03-03 at 13:57 +0100, Tony Earnshaw wrote:
> David Cary Hart:
> 
> > We are continuing to get attempts to relay mail by hacking at SASL
> > authentication. The problem is solved with strong pwds and swatch watching
> > maillog for failed attempts and then executing a script to immediately add a
> > tarpit rule to IPTables.
> >
> > That said, swatch is a bit messy and, possibly, a tad unstable. I've
> > googled, freshmeated and sourceforged to death without success. Any
> > suggestions? I need a log watcher that can execute a script based upon pcre in
> > real time.
> 
> I don't suppose you've changed your MTA from Postfix ;)
> 
Nope.

> Can you track down the offending IPs to cidr ranges?
> 

Sure. In fact they are already blocked (we block the entire PRC, Korea
and Taiwan which is where these are coming from). However, the only way
to eliminate the SASL attempt is through IPTables. 

Swatch is now doing it just fine (it has proven to be more stable than I
thought). Now they go to TARPIT on the first attempt.

-- 
Total Quality Management - A Commitment to Excellence
Fight Spam: http://www.tqmcube.com/rbldnsd.htm
Daily Updates: rsync -t \
tqmcube.com::spamlists/[README.htm][clients][dynamic][relays][asiaspam]
http://www.tqmcube.com/spam_trap.htm
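A log watcher of the kind the thread describes, as an added example (not code from the poster, from swatch or from Postfix): a Python regular expression, standing in for swatch's pcre, matches Postfix SASL authentication failures in the maillog stream and, once a source IP reaches a failure threshold (the thread tarpits on the first attempt), emits the iptables TARPIT rule for it. The sample log lines and IPs are constructed, the threshold is an assumption, and TARPIT is an xtables-addons target rather than stock iptables.

```python
import re
import subprocess
import sys
from collections import Counter

# Constructed Postfix smtpd log lines (documentation-range IPs), in the format smtpd writes.
SAMPLE_LOG = [
    "Mar  3 14:01:02 mx postfix/smtpd[8331]: connect from unknown[203.0.113.7]",
    "Mar  3 14:01:03 mx postfix/smtpd[8331]: warning: unknown[203.0.113.7]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  3 14:01:05 mx postfix/smtpd[8332]: warning: unknown[198.51.100.9]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Mar  3 14:01:09 mx postfix/smtpd[8331]: warning: unknown[203.0.113.7]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  3 14:01:10 mx postfix/smtpd[8333]: disconnect from unknown[203.0.113.7]",
]

# Postfix logs a failure as: warning: <host>[<ip>]: SASL <MECH> authentication failed: <reason>
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [^\s\[]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

def sasl_failures(lines):
    """Yield (ip, mechanism) for each SASL authentication failure in a log stream."""
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            yield m.group("ip"), m.group("mech")

def tarpit_rule(ip):
    """iptables command that tarpits further SMTP connections from ip.
    TARPIT is not a stock target; it comes from the xtables-addons module (assumption)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "25", "-j", "TARPIT"]

def watch(lines, threshold=1, already_blocked=None):
    """Count failures per source IP as lines arrive and yield a rule the moment an IP
    reaches threshold; already_blocked lists IPs present in the chain so no rule is
    inserted twice. A generator, so rules come out in real time rather than at EOF."""
    counts, blocked = Counter(), set(already_blocked or ())
    for ip, _mech in sasl_failures(lines):
        counts[ip] += 1
        if counts[ip] >= threshold and ip not in blocked:
            blocked.add(ip)
            yield tarpit_rule(ip)

if __name__ == "__main__":
    # Real-time use:  tail -F /var/log/maillog | python3 sasl_watch.py
    for rule in watch(iter(sys.stdin.readline, ""), threshold=1):
        print("+", " ".join(rule), file=sys.stderr)
        subprocess.run(rule, check=False)
```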