Dictionary Attack Help?

blackcat22

External


Since: Jun 22, 2004
Posts: 548



(Msg. 1) Posted: Fri Oct 26, 2007 4:50 pm
Post subject: Dictionary Attack Help?
Archived from groups: alt>www>webmaster

I received this from my host today:

"The account ********.com had to be null routed today due to a very severe
dictionary attack launched against the site (an e-mail based Denial of
Service Attack).

We can attempt to enable the account again in 24 hours if you like...I do
need to let you know though that if this happens again we will have to ask
for the site to be removed."

Any thoughts on how I can prevent this?

Heidi

G

External


Since: Jul 30, 2007
Posts: 49



(Msg. 2) Posted: Fri Oct 26, 2007 4:50 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Heidi wrote:
> I received this from my host today:
>
> "The account ********.com had to be null routed today due to a very
> severe dictionary attack launched against the site (an e-mail based
> Denial of Service Attack).
>
> We can attempt to enable the account again in 24 hours if you
> like...I do need to let you know though that if this happens again we
> will have to ask for the site to be removed."
>
> Any thoughts on how I can prevent this?
>
> Heidi

You're on Beachcomber right?
They should have this prevention installed server wide.
http://www.configserver.com/free/eximdeny.html
Also make sure:
http://www.configserver.com/free/fail.html

blackcat22

External


Since: Jun 22, 2004
Posts: 548



(Msg. 3) Posted: Fri Oct 26, 2007 5:12 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

G wrote:
: Heidi wrote:
:: I received this from my host today:
::
:: "The account ********.com had to be null routed today due to a very
:: severe dictionary attack launched against the site (an e-mail based
:: Denial of Service Attack).
::
:: We can attempt to enable the account again in 24 hours if you
:: like...I do need to let you know though that if this happens again we
:: will have to ask for the site to be removed."
::
:: Any thoughts on how I can prevent this?
::
:: Heidi
:
: You're on Beachcomber right?
: They should have this prevention installed server wide.
: http://www.configserver.com/free/eximdeny.html
: Also make sure:
: http://www.configserver.com/free/fail.html

Yes the site in question is on beachcomber... I thought they should have it
taken care of but I guess they don't.

I will check those links, thanks. I am also waiting for tech support chat to
be back so I can talk to someone. =)

Heidi
G

External


Since: Jul 30, 2007
Posts: 49



(Msg. 4) Posted: Fri Oct 26, 2007 5:12 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Heidi wrote:
> G wrote:
>> Heidi wrote:
>>> I received this from my host today:
>>>
>>> "The account ********.com had to be null routed today due to a very
>>> severe dictionary attack launched against the site (an e-mail based
>>> Denial of Service Attack).
>>>
>>> We can attempt to enable the account again in 24 hours if you
>>> like...I do need to let you know though that if this happens again
>>> we will have to ask for the site to be removed."
>>>
>>> Any thoughts on how I can prevent this?
>>>
>>> Heidi
>>
>> You're on Beachcomber right?
>> They should have this prevention installed server wide.
>> http://www.configserver.com/free/eximdeny.html
>> Also make sure:
>> http://www.configserver.com/free/fail.html
>
> Yes the site in question is on beachcomber... I thought they should
> have it taken care of but I guess they don't.
>
> I will check those links, thanks. I am also waiting for tech support
> chat to be back so I can talk to someone. =)
>
> Heidi

If you can get into your cpanel, login and make sure your default email is
set to :fail:
blackcat22

External


Since: Jun 22, 2004
Posts: 548



(Msg. 5) Posted: Fri Oct 26, 2007 5:31 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

So far a few of the domains I checked have :fail: No Such User Here for the
default.
Shouldn't that have stopped a dictionary attack from doing any real harm?

The site in question should have also had that although I can't look just
now as it is offline by the host.

Heidi
blackcat22

External


Since: Jun 22, 2004
Posts: 548



(Msg. 6) Posted: Fri Oct 26, 2007 5:43 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

G wrote:
: If you can get into your cpanel, login and make sure your default
: email is set to :fail:

I can't get into that one but my other hosted domains are.

All of the other domains I host have ":fail: No Such User Here" for the
default. About 30 in all.

Should I change it to just :fail: ?


Heidi
G

External


Since: Jul 30, 2007
Posts: 49



(Msg. 7) Posted: Fri Oct 26, 2007 5:43 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Beauregard T. Shagnasty wrote:
> Heidi wrote:
>
>> Should I change it to just :fail: ?
>
> How about: :blackhole:
>
> This way you don't send an email back to the victim's forged address
> the spammer used, like you do with ":fail: No Such User Here"

huh?

There are sound technical reasons that you should only use :fail: and not
:blackhole: on a cPanel server running exim. We have conducted quite
extensive testing to establish this configuration is best and outline the
reasons here.

In general the two different settings both discard email not destined for a
POP3 account, an alias or a catchall alias. However, ever since cPanel
included the verify = recipient code in the standard cPanel ACL section for
exim, the way email is discarded differs with the two methods quite starkly:

Using :blackhole: email is accepted and received into the server in its
entirety. It is then processed through exim and only on delivery is it
written to the null device (/dev/null) and silently ignored.

- This wastes server bandwidth as the email data, or body, of the email is
  accepted into the server
- This wastes server resources (CPU, memory and disk I/O) as the email is
  fully processed by exim before being finally written to /dev/null
- Because the blackholed email is still processed through the whole of exim
  before it is finally deleted, if any of the usual checks and routing that
  any email goes through fails, such email can be placed in the exim mail
  queue for later reprocessing. This can lead to tens of thousands of
  blackholed emails accumulating in the exim mail queue which in turn can
  cause a range of serious server performance and resource problems and will
  affect the normal and timely delivery of email
- This actually breaks the SMTP RFCs because you're not notifying the sending
  SMTP server that the email is undelivered, which is a requirement
- Causes emails that will never be delivered onto the exim mail queue because
  checks such as sender verification are still carried out when processing
  such emails and if they cannot complete they will stay on the exim mail
  queue and repeatedly reprocess the email until it is finally discarded
  (usually 4+ days). This can cause very large mail queues full of spam which
  is repeatedly processed causing severe performance degradation

Using :fail: the email is never accepted into the server. During the initial
SMTP negotiation when the sender's SMTP server connects to your SMTP server,
the sending SMTP server issues a RCPT command notifying your server which
email address the email to follow is intended for. Your server then checks
whether the recipient email actually exists on your server (a POP3 account,
an alias or a catchall alias) and if it does not, it issues an SMTP DENY
which terminates the attempt to deliver the email.

- This saves bandwidth as the email data is never received into your server
- This saves server resources as the email never has to be processed
- This complies with the SMTP RFCs because the sending SMTP server receives
  the DENY command
- Your server does not send a bounce message (just the DENY command)
- Your server does not send anything to the sender of the email (i.e. the
  address in the From: line)
- The sending SMTP server is responsible for notifying the original sender
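An added example, not part of G's post or of ConfigServer's material: because :fail: refuses each unknown recipient at RCPT time, every guess in a dictionary attack leaves a rejection line in the exim main log and can be counted per sending host. The log line shape, the threshold and the window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of an exim main-log line for a recipient refused at RCPT time:
# 2007-10-26 16:50:01 H=(helo) [203.0.113.5] F=<s@x> rejected RCPT <r@y>: No Such User Here
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? "
    r".*?rejected RCPT <(?P<rcpt>[^>]*)>"
)


def find_dictionary_attacks(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: sorted unknown recipients} for every host that had at least
    `threshold` distinct recipients refused inside any `window` of time."""
    recent = defaultdict(deque)      # ip -> (timestamp, recipient) still in window
    flagged = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue                 # deliveries, queue runs, other rejections
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop rejections older than the window
        distinct = {rcpt for _, rcpt in q}
        if len(distinct) >= threshold:
            flagged.setdefault(m["ip"], set()).update(distinct)
    return {ip: sorted(rcpts) for ip, rcpts in flagged.items()}


def sample_log():
    """Constructed log lines (documentation IP ranges, example domains)."""
    guesses = ["admin", "info", "sales", "john", "mary", "webmaster",
               "support", "bob", "alice", "test", "contact", "office"]
    lines = [
        f"2007-10-26 16:50:{i:02d} H=(mx.example.net) [203.0.113.5] "
        f"F=<probe@example.net> rejected RCPT <{name}@example.org>: "
        "No Such User Here"
        for i, name in enumerate(guesses)
    ]
    # A single mistyped address from a legitimate host must not be flagged.
    lines.append("2007-10-26 16:51:10 H=mail.example.com [198.51.100.7] "
                 "F=<friend@example.com> rejected RCPT <hiedi@example.org>: "
                 "No Such User Here")
    # An accepted message: no "rejected RCPT", so it is ignored.
    lines.append("2007-10-26 16:51:30 1IlABC-0001xy-7Q <= friend@example.com "
                 "H=mail.example.com [198.51.100.7] P=esmtp S=2048")
    return lines


if __name__ == "__main__":
    for ip, rcpts in find_dictionary_attacks(sample_log()).items():
        print(f"{ip}: {len(rcpts)} unknown recipients tried, e.g. {rcpts[:3]}")
```

With :blackhole: none of these lines would exist, since the unknown recipients are accepted, so this per-host count is only available when the rejection happens at RCPT.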
jstucklex

External


Since: Jul 14, 2003
Posts: 1188



(Msg. 8) Posted: Fri Oct 26, 2007 8:20 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

G wrote:
> Beauregard T. Shagnasty wrote:
>> Heidi wrote:
>>
>>> Should I change it to just :fail: ?
>> How about: :blackhole:
>>
>> This way you don't send an email back to the victim's forged address
>> the spammer used, like you do with ":fail: No Such User Here"
>
> huh?
>
> There are sound technical reasons that you should only use :fail: and not
> :blackhole: on a cPanel server running exim. We have conducted quite
> extensive testing to establish this configuration is best and outline the
> reasons here.
> In general the two different settings both discard email not destined for a
> POP3 account, an alias or a catchall alias. However, ever since cPanel
> included the verify = recipient code in the standard cPanel ACL section for
> exim, the way email is discarded differs with the two methods quite starkly:
>
> Using :blackhole: email is accepted and received into the server in its
> entirety. It is then processed through exim and only on delivery is it
> written to the null device (/dev/null) and silently ignored.
> This wastes server bandwidth as the email data, or body, of the email is
> accepted into the server
> This wastes server resources (CPU, memory and disk I/O) as the email is
> fully processed by exim before being finally written to /dev/null
> Because the blackholed email is still processed through the whole of exim
> before it is finally deleted, if any of the usual checks and routing that
> any email goes through fails, such email can be placed in the exim mail
> queue for later reprocessing. This can lead to tens of thousands of
> blackholed emails accumulating in the exim mail queue which in turn can
> cause a range of serious server performance and resource problems and will
> affect the normal and timely delivery of email
> This actually breaks the SMTP RFC's because you're not notifying the sending
> SMTP server that the email is undelivered, which is a requirement
> Causes emails that will never be delivered onto the exim mail queue because
> checks such as sender verification are still carried out when processing
> such emails and if they cannot complete they will stay on the exim mail
> queue and repeatedly reprocess the email until it is finally discarded
> (usually 4+ days). This can cause very large mail queues full of spam which
> is repeatedly processed causing severe performance degradation
>
> Using :fail: the email is never accepted into the server. During the initial
> SMTP negotiation when the senders SMTP server connects to your SMTP server,
> the sending SMTP server issues a RCPT command notifying your server which
> email address the email to follow is intended for. Your server then checks
> whether the recipient email actually exists on your server (a POP3 account,
> an alias or a catchall alias) and if it does not, it issues an SMTP DENY
> which terminates the attempt to deliver the email.
> This saves bandwidth as the email data is never received into your server
> This saves server resources as the email never has to be processed
> This complies with the SMTP RFC's because the sending SMTP server receives
> the DENY command
> Your server does not send a bounce message (just the DENY command)
> Your server does not send anything to the sender of the email (i.e. the
> address in the From: line)
> The sending SMTP server is responsible for notifying the original sender
>
>
>

Horse hockey.

Those RFC's were written before spam became the problem it is today.
Spammers use those bounces to remove invalid emails from their lists.

A good ISP will blackhole the messages so the spammer has no idea if the
message got through or not.

It's time to update the RFCs.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.DeleteThis@attglobal.net
==================
jstucklex

External


Since: Jul 14, 2003
Posts: 1188



(Msg. 9) Posted: Fri Oct 26, 2007 8:22 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Heidi wrote:
> So far a few of the domains I checked have :fail: No Such User Here for the
> default.
> Shouldn't that have stopped a dictionary attack from doing any real harm?
>
> The site in question should have also had that although I can't look just
> now as it is offline
> by the host.
>
> Heidi
>
>
>

The problem with :fail is the spammer knows the message wasn't
delivered. Those which aren't bounced are by default good email
addresses. That's part of the reason for a dictionary attack.

With :blackhole he has no idea whether the address is good or not.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex DeleteThis @attglobal.net
==================
jstucklex

External


Since: Jul 14, 2003
Posts: 1188



(Msg. 10) Posted: Fri Oct 26, 2007 8:51 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Beauregard T. Shagnasty wrote:
> Jerry Stuckle wrote:
>
>> G wrote:
>>> Beauregard T. Shagnasty wrote:
>>>> Heidi wrote:
>>>>> Should I change it to just :fail: ?
>>>> How about: :blackhole:
>>>>
>>>> This way you don't send an email back to the victim's forged
>>>> address the spammer used, like you do with ":fail: No Such User
>>>> Here"
>>> huh?
>>>
>>> There are sound technical reasons that you should only use :fail:
>>> and not :blackhole:
> <snip essay>
>
>> Horse hockey.
>>
>> Those RFC's were written before spam became the problem it is today.
>> Spammers use those bounces to remove invalid emails from their lists.
>
> When did spammers start removing emails from their lists? And wouldn't
> the victim whose address was used in the forged FROM field get any
> bounces? Spammers certainly never see them.
>

From what I understand, quite a few of them do. It helps keep the
number of messages they send down and can get more messages out to good
addresses before they get booted by their hosting company.

Not all spammers use compromised computers!

>> A good ISP will blackhole the messages so the spammer has no idea if
>> the message got through or not.
>>
>> It's time to update the RFCs.
>
> So which of you is the expert?
>

No expert, but I read a lot of the IT newsletters. And they've talked a
lot about not bouncing bad emails for this very reason.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.RemoveThis@attglobal.net
==================
Jeff

External


Since: Mar 05, 2006
Posts: 97



(Msg. 11) Posted: Fri Oct 26, 2007 9:44 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Jerry Stuckle wrote:
> Beauregard T. Shagnasty wrote:
>
>> Jerry Stuckle wrote:
>>
>>> G wrote:
>>>
>>>> Beauregard T. Shagnasty wrote:
>>>>
>>>>> Heidi wrote:
>>>>>
>>>>>> Should I change it to just :fail: ?
>>>>>
>>>>> How about: :blackhole:
>>>>> This way you don't send an email back to the victim's forged
>>>>> address the spammer used, like you do with ":fail: No Such User
>>>>> Here"
>>>>
>>>> huh?
>>>> There are sound technical reasons that you should only use :fail:
>>>> and not :blackhole:
>>
>> <snip essay>
>>
>>> Horse hockey.
>>> Those RFC's were written before spam became the problem it is today.
>>> Spammers use those bounces to remove invalid emails from their lists.
>>
>>
>> When did spammers start removing emails from their lists? And wouldn't
>> the victim whose address was used in the forged FROM field get any
>> bounces? Spammers certainly never see them.
>>
>
> From what I understand, quite a few of them do.

You might feel differently about this if you had an inbox full of
bounces from forged headers. I've got a filter for the occasional deluge.

Most of those go somewhere. And probably most of the unfortunate
recipients are ill prepared.

Frankly I wish ISPs would do something about their mail policies. From
all the bandwidth it eats you'd think they'd have an incentive.

Jeff


> It helps keep the
> number of messages they send down and can get more messages out to good
> addresses before they get booted by their hosting company.
>
> Not all spammers use compromised computers!
>
>>> A good ISP will blackhole the messages so the spammer has no idea if
>>> the message got through or not.
>>> It's time to update the RFCs.
>>
>>
>> So which of you is the expert?
>>
>
> No expert, but I read a lot of the IT newsletters. And they've talked a
> lot about not bouncing bad emails for this very reason.
>
jstucklex

External


Since: Jul 14, 2003
Posts: 1188



(Msg. 12) Posted: Fri Oct 26, 2007 10:05 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Jeff wrote:
> Jerry Stuckle wrote:
>> Beauregard T. Shagnasty wrote:
>>
>>> Jerry Stuckle wrote:
>>>
>>>> G wrote:
>>>>
>>>>> Beauregard T. Shagnasty wrote:
>>>>>
>>>>>> Heidi wrote:
>>>>>>
>>>>>>> Should I change it to just :fail: ?
>>>>>>
>>>>>> How about: :blackhole:
>>>>>> This way you don't send an email back to the victim's forged
>>>>>> address the spammer used, like you do with ":fail: No Such User
>>>>>> Here"
>>>>>
>>>>> huh?
>>>>> There are sound technical reasons that you should only use :fail:
>>>>> and not :blackhole:
>>>
>>> <snip essay>
>>>
>>>> Horse hockey.
>>>> Those RFC's were written before spam became the problem it is today.
>>>> Spammers use those bounces to remove invalid emails from their lists.
>>>
>>>
>>> When did spammers start removing emails from their lists? And wouldn't
>>> the victim whose address was used in the forged FROM field get any
>>> bounces? Spammers certainly never see them.
>>>
>>
>> From what I understand, quite a few of them do.
>
> You might feel differently about this if you had an inbox full of
> bounces from forged headers. I've got a filter for the occasional deluge.
>

Why would I? I don't bounce bad addresses. They go in the bit bucket
(or actually the "packet bucket") :)

> Most of those go somewhere. And probably most of the unfortunate
> recipients are ill prepared.
>
> Frankly I wish ISPs would do something about their mail policies. From
> all the bandwidth it eats you'd think they'd have an incentive.
>
> Jeff
>
>
>> It helps keep the
>> number of messages they send down and can get more messages out to
>> good addresses before they get booted by their hosting company.
>>
>> Not all spammers use compromised computers!
>>
>>>> A good ISP will blackhole the messages so the spammer has no idea if
>>>> the message got through or not.
>>>> It's time to update the RFCs.
>>>
>>>
>>> So which of you is the expert?
>>>
>>
>> No expert, but I read a lot of the IT newsletters. And they've talked
>> a lot about not bouncing bad emails for this very reason.
>>
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.RemoveThis@attglobal.net
==================
sjsobol

External


Since: Aug 24, 2004
Posts: 255



(Msg. 13) Posted: Sat Oct 27, 2007 12:57 am
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

On 2007-10-26, Heidi <blackcat2.TakeThisOut@gmail.com> wrote:

>:: Any thoughts on how I can prevent this?
>::
>:: Heidi
>:
>: You're on Beachcomber right?
>: They should have this prevention installed server wide.
>: http://www.configserver.com/free/eximdeny.html
>: Also make sure:
>: http://www.configserver.com/free/fail.html
>
> Yes the site in question is on beachcomber... I thought they should have it
> taken care of but I guess they don't.

That's something the host needs to take care of instead of threatening
its customers. Buncha losers, if you ask me. :P

--
Steve Sobol, Victorville, CA PGP:0xE3AE35ED www.SteveSobol.com

SoCal Fire news @the L.A. Times: http://latimesblogs.latimes.com/breakingnews/
Local wildfire coverage, KFMB-TV San Diego: http://cbs8.com/
Ben C

External


Since: Aug 01, 2007
Posts: 9



(Msg. 14) Posted: Sat Oct 27, 2007 11:37 am
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

On 2007-10-27, Beauregard T. Shagnasty <a.nony.mous.TakeThisOut@example.invalid> wrote:
[...]
> When did spammers start removing emails from their lists?

There is/was an anti-spam approach that consisted of refusing (whether
it was a DENY or a bounce I don't know) _all_ emails the first time
around. Apparently the spambots don't bother to resend, but proper
email servers do. Once it has been resent then you whitelist it.
Something like that anyway.

Spammers probably do try to refine their lists, after all they've got
finite resources too.
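An added example, not part of Ben C's post: the approach he describes is commonly called greylisting, and implementations answer the first attempt with a temporary 4xx reply so that a standards-following mail server queues the message and retries. The class name, the delays and the addresses below are illustrative assumptions.

```python
from datetime import datetime, timedelta


class Greylist:
    """Decide the RCPT reply from the (client IP, envelope sender, recipient) triplet."""

    def __init__(self, min_delay=timedelta(minutes=5), max_wait=timedelta(hours=4)):
        self.min_delay = min_delay   # a retry sooner than this is still deferred
        self.max_wait = max_wait     # a retry later than this starts over
        self.pending = {}            # triplet -> time of first attempt
        self.whitelist = set()       # triplets that have retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.whitelist:
            return 250, "OK"
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now  # first sighting, or the old entry expired
            return 451, "Greylisted, please try again later"
        if now - first < self.min_delay:
            return 451, "Greylisted, please try again later"
        del self.pending[key]        # retried after the delay: trust the triplet
        self.whitelist.add(key)
        return 250, "OK"


def replay():
    """Constructed scenario: a retrying mail server and a sender that never retries."""
    gl = Greylist()
    t0 = datetime(2007, 10, 27, 11, 0, 0)
    mta = ("198.51.100.7", "friend@example.com", "heidi@example.org")
    results = {
        "mta_first": gl.check(*mta, t0)[0],
        "mta_too_soon": gl.check(*mta, t0 + timedelta(minutes=1))[0],
        "mta_retry": gl.check(*mta, t0 + timedelta(minutes=10))[0],
        "mta_next_mail": gl.check(*mta, t0 + timedelta(days=1))[0],
    }
    # Each attempt uses a new forged sender, so every triplet is a first sighting.
    results["no_retry_sender"] = [
        gl.check("203.0.113.5", f"x{i}@example.net", "heidi@example.org",
                 t0 + timedelta(seconds=i))[0]
        for i in range(3)
    ]
    return results


if __name__ == "__main__":
    for name, outcome in replay().items():
        print(name, outcome)
```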
Red E. Kilowatt

External


Since: Feb 16, 2007
Posts: 73



(Msg. 15) Posted: Sat Oct 27, 2007 12:26 pm
Post subject: Re: Dictionary Attack Help?
Archived from groups: per prev. post

Steve Sobol <sjsobol.RemoveThis@JustThe.net> wrote in message:
slrnfi54c1.gri.sjsobol.RemoveThis@amethyst.justthe.net,

> On 2007-10-26, Heidi <blackcat2.RemoveThis@gmail.com> wrote:
>
>>>> Any thoughts on how I can prevent this?
>>>>
>>>> Heidi
>>>
>>> You're on Beachcomber right?
>>> They should have this prevention installed server wide.
>>> http://www.configserver.com/free/eximdeny.html
>>> Also make sure:
>>> http://www.configserver.com/free/fail.html
>>
>> Yes the site in question is on beachcomber... I thought they should
>> have it taken care of but I guess they don't.
>
> That's something the host needs to take care of instead of threatening
> its customers. Buncha losers, if you ask me. :P

I agree. That's a terrible policy. It punishes the victim without even
giving any instructions for what to do.

--
Red
All times are: Pacific Time (US & Canada)
Page 1 of 2