Mail: Prevent Directory Harvest Attack?

Postfix has various config options, as follows:

a) Limit connections per IP; this will drop all sorts of things.

b) Do not talk to clients without a valid DNS FQDN, i.e. a full DNS name. Most hacked/cracked Windows boxes do not have valid DNS names.

c) Enable Postfix SPF record checks to avoid from:you@yourdomain.com to:you@yourdomain.com spam.

d) Install and enable the MailScanner mail gateway to protect against various attacks.

e) Create an SPF record for your own domain.

f) Configure PF to drop all connections from Windows 9x/XP etc. to port 25. They are not server OSes and do not have mail servers.

Please note that there is no 100% protection, but all of the above restricts spammers' activities.
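The list above is preventive. An added check, not part of the original post: a shell function that reads Postfix smtpd log lines and reports clients that keep hitting "User unknown" rejections at RCPT TO against many different local addresses, which is what a directory harvest looks like in mail.log. The log lines, host names and addresses are constructed for this example; the threshold of 5 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: report clients that look like
# they are harvesting addresses, i.e. repeated "User unknown" rejections at
# RCPT TO against many different local addresses. The log lines below are
# constructed for this example, not taken from a real server.
set -eu

SAMPLE_LOG='Mar  3 10:15:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Mar  3 10:15:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<aaron@example.com> proto=ESMTP helo=<pc>
Mar  3 10:15:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<abby@example.com> proto=ESMTP helo=<pc>
Mar  3 10:15:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<adam@example.com> proto=ESMTP helo=<pc>
Mar  3 10:15:05 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<alan@example.com> proto=ESMTP helo=<pc>
Mar  3 10:15:06 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<alex@example.com> proto=ESMTP helo=<pc>
Mar  3 10:15:07 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <amy@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<amy@example.com> proto=ESMTP helo=<pc>
Mar  3 10:15:09 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mx1.partner.example[198.51.100.9]: 550 5.1.1 <bobb@example.com>: Recipient address rejected: User unknown in local recipient table; from=<carol@partner.example> to=<bobb@example.com> proto=ESMTP helo=<mx1.partner.example>
Mar  3 10:15:10 mail postfix/smtpd[2103]: 7D3A1F0042: client=office-pc[10.0.0.25]'

# dha_suspects THRESHOLD: read Postfix logs on stdin and print
# "<client ip> <rejected RCPTs> <distinct addresses probed>" for every
# client with at least THRESHOLD "User unknown" rejections.
dha_suspects() {
    awk -v limit="$1" '
        /RCPT from / && /User unknown/ {
            # the client is logged as "RCPT from name[1.2.3.4]:"
            rest = substr($0, index($0, "RCPT from ") + 10)
            lb = index(rest, "["); rb = index(rest, "]")
            if (lb == 0 || rb <= lb) next
            ip = substr(rest, lb + 1, rb - lb - 1)
            rejects[ip]++
            # the probed address is in "to=<...>"
            t = index($0, "to=<")
            if (t == 0) next
            rcpt = substr($0, t + 4)
            rcpt = substr(rcpt, 1, index(rcpt, ">") - 1)
            if (!((ip, rcpt) in seen)) { seen[ip, rcpt] = 1; distinct[ip]++ }
        }
        END {
            for (ip in rejects)
                if (rejects[ip] >= limit) print ip, rejects[ip], distinct[ip]
        }' | sort -k2,2nr
}

# Stand-alone run: with a threshold of 5 only the harvester is reported;
# the partner MX that mistyped one address is not.
printf '%s\n' "$SAMPLE_LOG" | dha_suspects 5
```

On a live server you would feed the function from the log file (for example `grep smtpd /var/log/mail.log | dha_suspects 20`). The third column matters: a legitimate sender that retries one mistyped address produces many rejects but one distinct address, while a harvester walks through a dictionary of names.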
 
vivek said:
f) Configure PF to drop all connections from Windows 9x/XP etc. to port 25. They are not server OSes and do not have mail servers.

True, but what happens if you use the mail server for your network (for example, at a small business) with Windows clients connecting to send outgoing mail? They will attempt to connect to your mail server on port 25 and, by your rule above, be rejected by the firewall, so nobody in your office can send outgoing mail!

A better solution in this instance would be to configure Postfix to only allow sending mail from your network (for example, if all your client systems are on the 10.0.0.0/8 network, configure Postfix to only allow outgoing mail from hosts on 10.0.0.0/8).
 
vivek said:
Postfix has various config options, as follows:

a) Limit connections per IP; this will drop all sorts of things.

b) Do not talk to clients without a valid DNS FQDN, i.e. a full DNS name. Most hacked/cracked Windows boxes do not have valid DNS names.

c) Enable Postfix SPF record checks to avoid from:you@yourdomain.com to:you@yourdomain.com spam.

d) Install and enable the MailScanner mail gateway to protect against various attacks.

e) Create an SPF record for your own domain.

f) Configure PF to drop all connections from Windows 9x/XP etc. to port 25. They are not server OSes and do not have mail servers.

Please note that there is no 100% protection, but all of the above restricts spammers' activities.

Can you provide some examples? When you say "limit connection per IP", do you mean via the Postfix conf or the firewall? Also: "Configure PF to drop all connections from Windows 9x/XP etc." How? Thanks!
 
dave said:
Can you provide some examples? When you say "limit connection per IP", do you mean via the Postfix conf or the firewall? Also: "Configure PF to drop all connections from Windows 9x/XP etc." How? Thanks!

Set something as follows in the Postfix config file:
Code:
# after smtpd_soft_error_limit errors in one session, each error response
# is delayed by smtpd_error_sleep_time; at smtpd_hard_error_limit the
# client is disconnected
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20


Add something as follows in pf.conf:
Code:
# match the client OS from its TCP SYN fingerprint (see pf.os)
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} to any port smtp

Read the pf, pf.os and postfix man pages for more info.
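Putting the settings from this thread together, as an added example that is not from the post: a hardened main.cf beside a loosened one, and a small shell audit that reports which anti-harvest settings are missing or weaker than the values given above. Assumptions: the thresholds (1s, 10, 20) are the ones from this thread; the anvil per-client limits (smtpd_client_connection_rate_limit, smtpd_client_connection_count_limit, anvil_rate_time_unit) and reject_unknown_reverse_client_hostname are the Postfix parameters I know for points a) and b); both main.cf files are constructed for the example, and continued (multi-line) parameter values are not handled by the parser. The hardened file keeps permit_mynetworks first, which is the fix the reply above asks for so that office Windows clients can still send.

```shell
#!/bin/sh
# Added example, not from the post: audit a Postfix main.cf for the
# anti-directory-harvest settings discussed in this thread. Both main.cf
# files below are constructed for the example.
set -eu

WEAK_CF=$(mktemp)
HARD_CF=$(mktemp)
trap 'rm -f "$WEAK_CF" "$HARD_CF"' EXIT

# Loosened: someone raised the error limits to "speed up" a busy server and
# left per-client connection limits at the default (unlimited).
cat >"$WEAK_CF" <<'EOF'
myhostname = mail.example.com
mynetworks = 10.0.0.0/8, 127.0.0.0/8
smtpd_error_sleep_time = 0
smtpd_soft_error_limit = 100
smtpd_hard_error_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF

# Hardened: the values from the thread, plus anvil(8) per-client connection
# limits and rejection of clients with no reverse DNS. Hosts in mynetworks
# (the office LAN) are permitted first, so Windows clients can still send.
cat >"$HARD_CF" <<'EOF'
myhostname = mail.example.com
mynetworks = 10.0.0.0/8, 127.0.0.0/8
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
anvil_rate_time_unit = 60s
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_reverse_client_hostname
EOF

# cf_get FILE PARAM: print the value of PARAM (last assignment wins, as in
# Postfix); prints nothing if PARAM is not set. Continuation lines ignored.
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_main_cf FILE: one finding per line; silent when nothing is wrong.
audit_main_cf() {
    cf=$1
    delay=$(cf_get "$cf" smtpd_error_sleep_time)
    case "$delay" in
        0|0s) echo "smtpd_error_sleep_time = $delay: error responses are not delayed" ;;
    esac
    soft=$(cf_get "$cf" smtpd_soft_error_limit)
    if [ -n "$soft" ] && [ "$soft" -gt 10 ]; then
        echo "smtpd_soft_error_limit = $soft: tarpitting starts late (thread uses 10)"
    fi
    hard=$(cf_get "$cf" smtpd_hard_error_limit)
    if [ -n "$hard" ] && [ "$hard" -gt 20 ]; then
        echo "smtpd_hard_error_limit = $hard: $hard bad RCPT TOs per session before disconnect (thread uses 20)"
    fi
    rate=$(cf_get "$cf" smtpd_client_connection_rate_limit)
    if [ -z "$rate" ] || [ "$rate" -eq 0 ]; then
        echo "smtpd_client_connection_rate_limit unset/0: no per-client connection rate limit"
    fi
    restr=$(cf_get "$cf" smtpd_recipient_restrictions)
    case "$restr" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination (open relay risk)" ;;
    esac
    case "$restr" in
        *reject_unknown_reverse_client_hostname*|*reject_unknown_client_hostname*) ;;
        *) echo "no reject_unknown_*client_hostname: clients without reverse DNS are accepted" ;;
    esac
}

echo "== loosened main.cf =="; audit_main_cf "$WEAK_CF"
echo "== hardened main.cf =="; audit_main_cf "$HARD_CF"
```

Run it against your own file with `audit_main_cf /etc/postfix/main.cf`; the loosened sample yields five findings and the hardened one none. The audit only reads main.cf, so it will not see values set with `-o` overrides in master.cf; `postconf -n` shows the values Postfix actually uses.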
 