I wonder how people on the list deal with joe job attacks? Right now I accept all incoming messages which are addressed to valid recipients on the domains I host *AND* all incoming bounces.
Accepting bounces blindly means that I wake up to 3000 forced bounce messages at least once every three weeks. Right now I "solve" this problem by filing all bounce messages into a dedicated bounce folder, via procmail.

I've considered just DENYing bounces after a threshold; if more than X bounces for a given sender have been received in an hour, just rejecting them. That seems safe on the basis that if I typo an address it would only trigger one bounce from my sender address, and that would be beneath the threshold. But at the same time that seems like a hack that is prone to failure, so I'd love to hear more useful suggestions.

(I guess the ultimate solution is to sign outgoing messages via one of the anti-bounce protocols - but I'm a little reluctant to go down that path due to the number of machines I'd need to update and the suspicion that I'd miss one or two.)

FWIW the pattern seems to be addresses matching:

    [a-za-z]+[0-...@example.com

To date I've never received a faked sender address which didn't end in a digit. And for each incoming attack I average between 500 and 5000 bounces, typically addressed to less than ten fake addresses. (Which is why I think a simple count/period approach would be a useful countermeasure.)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
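The count/period idea from the post, worked through as an added example (not code from the post or from any MTA): bounces are recognised by the null envelope sender, counted per local recipient in a sliding one-hour window, and rejected once a threshold is passed, so a single typo'd address still gets its one bounce through. The threshold of 10, the addresses and the timestamps are constructed for the demonstration.

```python
from collections import defaultdict, deque


class BounceRateLimiter:
    """Per-recipient bounce counter: accept bounces addressed to a local user
    until `threshold` have arrived within `window` seconds, then reject further
    ones until old arrivals fall out of the window."""

    def __init__(self, threshold=10, window=3600):
        self.threshold = threshold
        self.window = window
        self._arrivals = defaultdict(deque)  # recipient -> arrival timestamps

    @staticmethod
    def is_bounce(mail_from):
        # Bounces (DSNs) carry the null envelope sender, written "<>" or empty.
        return mail_from.strip() in ("", "<>")

    def decision(self, mail_from, rcpt_to, now):
        if not self.is_bounce(mail_from):
            return "ACCEPT"  # the policy only applies to bounces
        q = self._arrivals[rcpt_to.lower()]
        while q and now - q[0] > self.window:  # expire arrivals outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return "REJECT"  # too many bounces for this recipient this hour
        q.append(now)
        return "ACCEPT"


def run_sample():
    """Constructed envelope log: one genuine bounce caused by a typo'd address,
    one ordinary message, then a burst of 12 forged-sender bounces (joe job)."""
    events = [(0, "<>", "steve@example.com"),
              (30, "friend@example.org", "steve@example.com")]
    events += [(60 + 5 * i, "<>", "bob7@example.com") for i in range(12)]
    lim = BounceRateLimiter(threshold=10, window=3600)
    tally = {"ACCEPT": 0, "REJECT": 0}
    for t, mail_from, rcpt in events:
        tally[lim.decision(mail_from, rcpt, t)] += 1
    return tally  # -> {'ACCEPT': 12, 'REJECT': 2}
```

A real deployment would key the counter on the forged local address exactly as here, since the post notes each attack targets fewer than ten such addresses, while legitimate bounces to other users are unaffected.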