North American Network Operators Group


Re: New mail blocks result of Ralsky's latest attacks?

  • From: Suresh Ramasubramanian
  • Date: Fri Oct 10 11:28:32 2003

Bob German writes on 10/10/2003 8:29 PM:

> A colleague informed me this morning that Alan Ralsky is doing widespread brute-force attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
> Could this be why everyone's locking up their mail servers all of a sudden?
> Does anyone know of a way to stop them?
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -

/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669

srs (yes, this is a rather expensive set of checks)

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
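The header_checks rules in the post above, exercised offline as an added example (this harness is mine, not code from the post or from Postfix). It assumes Python's re module treats these six patterns the same way Postfix's pcre map does (true for this syntax: anchors, character classes, \d, \s), and the Received: lines it feeds them are constructed, not real mail. The point a practitioner wants before deploying such rules is what they really block: the regexes cover whole /24 ranges, but not the ranges a quick read suggests (for instance [3456789] followed by one digit is 30-99, not 3-99), and because header_checks inspect every Received: hop they also fire on mail that was merely relayed through a listed network, which is both why the post uses them instead of a client access map and why they are costly. The same probe on a live Postfix box is `postmap -q "Received: ..." pcre:/etc/postfix/header_checks`.

```python
"""Offline test harness for the Ralsky pcre header_checks quoted in the post.

Added example: not from the post or from Postfix. Assumes Python's re module
matches these patterns like Postfix's pcre map; all headers are constructed.
"""
import re
import ipaddress

# The six rules from the post as (regex, reject text), in their original order.
RALSKY_RULES = [
    (r"^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d", "Ralsky from cqnet.com.cn"),
    (r"^Received:.*(\[|\(|\s)218\.70\.[89]\.\d",        "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d",       "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d",    "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d",    "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)218\.10\.57\.\d",          "Ralsky from cncgroup-hl"),
]
COMPILED = [(re.compile(pattern), text) for pattern, text in RALSKY_RULES]


def check_header(header):
    """Return the REJECT text of the first matching rule, else None.

    Postfix evaluates header_checks top to bottom and stops at the first
    match, so only the first hit is reported.
    """
    for regex, text in COMPILED:
        if regex.search(header):
            return text
    return None


def check_message(headers):
    """Run check_header over every header line of a message (first hit wins)."""
    for line in headers:
        hit = check_header(line)
        if hit is not None:
            return hit
    return None


def blocked_third_octets(prefix16):
    """List the /24s under a /16 that the rules actually reject.

    Each /24 is probed with a synthetic Received: line, so the result shows
    the regexes' true coverage rather than what a quick read suggests.
    """
    return [o for o in range(256)
            if check_header(f"Received: from probe ([{prefix16}.{o}.1])") is not None]


def blocked_cidrs(prefix16):
    """Same coverage collapsed to a minimal CIDR list (e.g. for a cidr: access map)."""
    nets = [ipaddress.ip_network(f"{prefix16}.{o}.0/24")
            for o in blocked_third_octets(prefix16)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample headers (not real mail). The spam sample was relayed
# through a clean MX; only its second hop carries a listed address.
SAMPLE_SPAM = [
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org; Fri, 10 Oct 2003 11:00:00 +0800",
    "Received: from unknown (HELO pc) (218.70.135.42) by mx.example.net with SMTP; Fri, 10 Oct 2003 10:58:12 +0800",
    "From: <someone@example.com>",
]
SAMPLE_CLEAN = [
    "Received: from [198.51.100.7] by mail.example.org; Fri, 10 Oct 2003 11:00:00 +0800",
    "Subject: 211.158.45.7 appears here, but only Received: lines are checked",
]
SAMPLE_NEAR_MISS = [
    "Received: from host (211.158.3.1) by mail.example.org",  # third octet 3, not 30-99
]

if __name__ == "__main__":
    print(check_message(SAMPLE_SPAM))       # Ralsky from cta.cq.cn
    print(check_message(SAMPLE_CLEAN))      # None
    print(check_message(SAMPLE_NEAR_MISS))  # None
    for prefix in ("211.158", "218.70", "219.153", "218.10"):
        print(prefix, blocked_cidrs(prefix))
```

Run it directly to see the verdict for each sample and the CIDR equivalent of every rule; when adding a rule, drop a probe header into the samples first so that a typo in a character class shows up here rather than in bounced customer mail.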