Mail server attacks - ensure you have a "strong" password on your admin account - THE OFFICIAL BLOG OF THE SBS "DIVA"
Tuesday, June 01, 2004 5:20 PM bradley

Heads up SBSers --- from the www.incidents.org website

Mail server dictionary attacks

While not new, the number of reported dictionary attacks against mail servers is up. These attacks are characterized by spam being sent to random users at a particular domain. The amount of inbound mail may in itself cause some mail servers to die or slow down to a crawl. If the mail server sends bounce notices for unavailable accounts, they frequently are directed to invalid email addresses and cause another bounce in reply (which will end up in the postmaster's inbox if the mail server is configured correctly).

This issue has been discussed over the last few days at one of our mailing lists: http://lists.sans.org/pipermail/list/2004-May/031574.php

There are a number of possible defenses against these attacks. Turning off "mailbox not available" notices may be one method, but it will also prevent such notices to valid e-mail senders who typed an e-mail address incorrectly.

Rate limiting traffic to mail servers on a per-IP basis is a simple solution for most firewalls.

If you are using software like spamassassin, you may want to consider delivering e-mail to its 'learn' feature for some of the most popular spam recipients.

Tom Liston, one of our ISC handlers, recorded the frequency of userids used in e-mail sent to an unused domain: http://isc.sans.org/presentations/spam_scan.txt

Remember that us SBSers have a wizard to rename our Administrator account!

So use strong passwords and rename that account!
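
To find which client IPs are candidates for the per-IP rate limiting mentioned above, the sketch below counts distinct "mailbox not available" (550) rejections per source address inside a sliding window. It is an added example, not code from this post or from incidents.org; the log format, the function names, the 5-minute window and the threshold of 4 are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical SMTP log format:
# "<date> <time> <client-ip> RCPT <address> <reply-code>"
SAMPLE_LOG = """\
2004-06-01 17:20:01 192.0.2.10 RCPT admin@example.com 550
2004-06-01 17:20:02 192.0.2.10 RCPT bob@example.com 550
2004-06-01 17:20:03 192.0.2.10 RCPT info@example.com 250
2004-06-01 17:20:04 192.0.2.10 RCPT sales@example.com 550
2004-06-01 17:20:05 192.0.2.10 RCPT webmaster@example.com 550
2004-06-01 17:21:00 198.51.100.7 RCPT alcie@example.com 550
2004-06-01 17:45:00 198.51.100.7 RCPT alice@example.com 250
"""

def parse_line(line):
    """Return (timestamp, client_ip, recipient, reply_code), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "RCPT":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return ts, parts[2], parts[4].lower(), int(parts[5])
    except ValueError:
        return None

def find_dictionary_sources(log_text, window=timedelta(minutes=5), threshold=4):
    """Flag client IPs rejected for `threshold` distinct unknown recipients
    within `window`. A real sender's single mistyped address stays below it."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) of recent 550s
    flagged = {}                 # ip -> recipients seen when the threshold was hit
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 550:
            continue
        ts, ip, rcpt, _ = rec
        q = recent[ip]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:  # drop rejections older than the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and ip not in flagged:
            flagged[ip] = sorted(distinct)
    return flagged

if __name__ == "__main__":
    for ip, names in find_dictionary_sources(SAMPLE_LOG).items():
        print(ip, "rejected recipients:", ", ".join(names))
```

Counting distinct rejected names rather than raw message volume keeps a busy but legitimate relay from being flagged.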
