#1
I looked through the FAQ and googled, so if I'm missing the documentation on how to do this, please let me know.

I'd like to implement either tarpitting or some method of blocking spammers attempting dictionary attempts. For example, just now:

Mar 29 12:05:37 www postfix/smtpd[19005]: NOQUEUE: reject: RCPT from 85-250-215-18.bb.netvision.net.il[85.250.215.18]: 550 <100proofnews@espphotography.com>: Recipient address rejected: User unknown in local recipient table; from=<iusxuljh@hotmail.com> to=<100proofnews@espphotography.com> proto=SMTP helo=<85-250-215-18.bb.netvision.net.il>
Mar 29 12:05:41 www postfix/smtpd[19005]: NOQUEUE: reject: RCPT from 85-250-215-18.bb.netvision.net.il[85.250.215.18]: 550 <drhrxc@espphotography.com>: Recipient address rejected: User unknown in local recipient table; from=<iusxuljh@hotmail.com> to=<drhrxc@espphotography.com> proto=SMTP helo=<85-250-215-18.bb.netvision.net.il>
Mar 29 12:05:44 www postfix/smtpd[19005]: NOQUEUE: reject: RCPT from 85-250-215-18.bb.netvision.net.il[85.250.215.18]: 550 <espnic@espphotography.com>: Recipient address rejected: User unknown in local recipient table; from=<iusxuljh@hotmail.com> to=<espnic@espphotography.com> proto=SMTP helo=<85-250-215-18.bb.netvision.net.il>
Mar 29 12:05:53 www postfix/smtpd[19005]: NOQUEUE: reject: RCPT from 85-250-215-18.bb.netvision.net.il[85.250.215.18]: 550 <espphotography@espphotography.com>: Recipient address rejected: User unknown in local recipient table; from=<iusxuljh@hotmail.com> to=<espphotography@espphotography.com> proto=SMTP helo=<85-250-215-18.bb.netvision.net.il>
Mar 29 12:05:56 www postfix/smtpd[19005]: NOQUEUE: reject: RCPT from 85-250-215-18.bb.netvision.net.il[85.250.215.18]: 550 <tory@espphotography.com>: Recipient address rejected: User unknown in local recipient table; from=<iusxuljh@hotmail.com> to=<tory@espphotography.com> proto=SMTP helo=<85-250-215-18.bb.netvision.net.il>

I would have liked to block this guy at the second or maybe even third attempt. Or perhaps just /dev/null all his traffic. Can postfix automatically do something when this occurs?

Thanks.

Evan

#2
Evan Platt wrote (in short):

> I'd like to implement either tarpitting or some method of blocking
> spammers attempting dictionary attempts.
> ....
> I would have liked to block this guy at the second or maybe even third
> attempt. Or perhaps just /dev/null all his traffic. Can postfix
> automatically do something when this occurs?

I'm not sure about postfix (but it probably could). But if it was a problem I was experiencing I would be tempted to use iptables rate limiting first. (e.g. http://penguincares.no-ip.org:9090/mylinuxtips/?p=374)

I would prefer this approach to try to stop or at least slow down the little bugger well before he got to postfix at all.

Actually, maybe I'd just block the whole ip for a couple of days to see if he goes away :-).

Good luck!

#3
Actually, just as another note, the -m recent iptables extension module is pretty recent itself (in fact more recent than my own version of iptables). However, older versions of iptables still offer a bunch of rate limiting tools which I have used on my small server.

I've also implemented simple scripts to ban certain ip addresses for 24 hours if they try too many new connections - these scripts rely on LOG to send a message to syslog and then the script sees how many attempts were made in the last 6 minutes.

Still, fundamentally I prefer to limit using iptables (provided you're running Linux of course) rather than waste Postfix CPU cycles on these turkeys.

Cheers,
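
The sliding-window count described in post #3 (attempts in the last 6 minutes), applied to the Postfix reject lines quoted in post #1. This is an added example, not code from any poster in this thread; it reads Postfix's own rejects rather than iptables LOG entries, and the function name, the threshold of 3, the `year` parameter and the sample lines (documentation addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Matches Postfix smtpd "User unknown" RCPT rejects; captures timestamp and client IP.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\sNOQUEUE:\sreject:\s"
    r"RCPT\sfrom\s\S+\[(?P<ip>[^\]]+)\]:\s550\s.*User unknown in local recipient table"
)

def find_offenders(lines, threshold=3, window=timedelta(minutes=6), year=2000):
    """Return {ip: time the threshold was reached} for clients with at least
    `threshold` unknown-recipient rejects inside a sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of rejects still inside the window
    offenders = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # not an unknown-recipient reject
        # Classic syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop rejects that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

# Constructed sample lines in the format of the rejects quoted in post #1.
LINE_TEMPLATE = (
    "Mar 29 {t} www postfix/smtpd[19005]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
    "550 <{u}@example.com>: Recipient address rejected: User unknown in local "
    "recipient table; from=<x@example.net> to=<{u}@example.com> proto=SMTP helo=<h>")
SAMPLE = [
    LINE_TEMPLATE.format(t="12:05:37", ip="192.0.2.10", u="aaa"),
    LINE_TEMPLATE.format(t="12:05:41", ip="192.0.2.10", u="bbb"),
    "Mar 29 12:05:42 www postfix/smtpd[19005]: connect from unknown[198.51.100.7]",
    LINE_TEMPLATE.format(t="12:05:44", ip="192.0.2.10", u="ccc"),
    LINE_TEMPLATE.format(t="12:05:50", ip="198.51.100.7", u="typo"),   # isolated miss
    LINE_TEMPLATE.format(t="12:20:00", ip="198.51.100.7", u="typo2"),  # outside window
    LINE_TEMPLATE.format(t="12:20:05", ip="198.51.100.7", u="typo3"),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the reject threshold at {when:%b %d %H:%M:%S}")
```

What to do with a flagged address (for instance the 24-hour ban mentioned in post #3) is left to the caller.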

#4
Evan Platt wrote:

> I looked through the FAQ and googled, so if I'm missing the
> documentation on how to do this, please let me know..
>
> I'd like to implement either tarpitting or some method of blocking
> spammers attempting dictionary attempts.

Postfix doesn't come from the factory with tarpitting in the form of exponential response delays for blocked sites.

The more recent versions of Postfix do have the "anvil" feature, to prevent network denial of service attacks from repeated connections. The controls for it are smtpd_client_recipient_rate_limit and smtpd_client_connection_rate_limit.

References:
"man 8 anvil"
"man 5 postconf"

Postfix was designed to use 3rd party plug-ins for policy features such as you are wanting. One configuration hook is: check_policy_service

Reference: Policy servers/libraries at: http://www.postfix.org/addon.html

Note: The word "policy" in this case does not refer to Sender Policy Framework (SPF).

--
Greg