Bob German writes on 10/10/2003 8:29 PM:
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
Could this be why everyone's locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -

/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669

srs

(yes, this is a rather expensive set of checks)

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
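Before deploying a header_checks table like the one above it is worth confirming that each pattern rejects exactly the address ranges it is meant to and nothing else. The following harness is an added example by the editor, not code from the thread or from Postfix: it parses rules in the pcre_table(5) format (`/pattern/flags ACTION text`, case-insensitive by default, first match wins, one header line at a time) and applies them to a few constructed Received: headers. The IP addresses in the sample headers are constructed test values chosen to fall inside or outside the posted ranges.

```python
import re

# The six rules from the reply, verbatim, in Postfix pcre_table(5) format.
HEADER_CHECKS = r"""
# Comments and blank lines are ignored, as in a real header_checks file.
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
"""

# One pcre_table rule: /pattern/flags  ACTION  optional text.
# The pattern may contain escaped characters but no bare '/'.
RULE_RE = re.compile(
    r"^/(?P<pattern>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+"
    r"(?P<action>[A-Za-z_]+)(?:\s+(?P<text>.*))?$"
)

# Subset of pcre_table flags that map directly onto Python's re flags.
FLAG_MAP = {"m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_header_checks(table):
    """Parse a header_checks table into (compiled_regex, action, text) tuples."""
    rules = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable header_checks rule: {line}")
        # pcre_table matching is case-insensitive by default; an 'i' flag toggles it.
        flags = re.IGNORECASE
        for ch in m.group("flags"):
            if ch == "i":
                flags ^= re.IGNORECASE
            else:
                flags |= FLAG_MAP.get(ch, 0)
        rules.append((re.compile(m.group("pattern"), flags),
                      m.group("action").upper(),
                      m.group("text") or ""))
    return rules


def check_header(rules, header):
    """Return (action, text) for a single (already unfolded) header line.

    Mirrors header_checks semantics: the first matching rule wins; a header
    that matches nothing gets the implicit DUNNO (pass through).
    """
    for regex, action, text in rules:
        if regex.search(header):
            return action, text
    return "DUNNO", ""


# Constructed sample Received: headers. The relay names and IP addresses are
# test values, not observed data; only the numeric ranges matter here.
SAMPLE_HEADERS = {
    "in_cqnet_range":   "Received: from mail.example.org (mail.example.org [211.158.42.17]) by mx.example.com with ESMTP",
    "below_cqnet_range": "Received: from mail.example.org (mail.example.org [211.158.25.17]) by mx.example.com with ESMTP",
    "in_cta_range":     "Received: from relay.example.net (relay.example.net [218.70.9.5]) by mx.example.com with ESMTP",
    "unrelated_relay":  "Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.com with ESMTP",
    "not_received":     "Subject: 211.158.42.17 is mentioned in the subject, not a Received: header",
}


def evaluate_samples():
    """Run every sample header through the table; returns {name: action}."""
    rules = parse_header_checks(HEADER_CHECKS)
    return {name: check_header(rules, hdr)[0] for name, hdr in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:18s} -> {action}")
```

Two things the run makes visible that the bare regex list does not: the patterns only bite on Received: lines (the same address in a Subject: header passes), and because each rule ends in `\.\d` a trailing octet of any length matches, so `211.158.42.17` and `211.158.42.1` are treated alike. Running the table over the real Received: headers Postfix logs for your own site before enabling it is the cheapest way to catch a range that is wider than intended.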