Problematic Dictionary email attack...

Today one of my customer's domains has been getting clobbered by a pretty good sized distributed dictionary email barrage. I've got the Dictionary Attack ACL for Exim installed, but it doesn't seem to be catching this one. Here are some interesting facts about this:

The emails are coming in at a max rate of 1-3 per second from a huge variety of hosts spread across the net, so likely these are zombies using whichever mail server they have set up for their default. They have slowed a bit lately though, so I think the attack is winding down.

The names the emails are being sent to aren't really dictionary words, but instead random gibberish. Here's a sample from the last few seconds:
<zzcmtypev@xxxxx.com>
<eztxpwca@xxxxx.com>
<ptvyurbandjly@xxxxx.com>

The remote servers seem to be attempting a single email address per connection, so the $rcpt_fail_count doesn't seem to be increasing. Thus, the exim_deny.pl never gets called to add the offending IP to the deny file.

This isn't terribly urgent, since the account is set to :fail: such messages, but at its peak it was causing a couple of sporadic SMTP timeouts. Any ideas on how to block something like this? Here's the pertinent section from my exim config:

Code:
  # Drop any host already recorded in the deny file by exim_deny.pl,
  # unless it appears in the whitelist
  drop hosts = /etc/exim_deny
      !hosts = /etc/exim_deny_whitelist
      message = Connection denied after dictionary attack
      log_message = Connection denied from $sender_host_address after dictionary attack

  # Once a host has failed more than three recipients in this connection,
  # record it for future connections and drop it. ACL conditions are
  # evaluated in order, so the script is only run after the count check
  # passes, and it runs before this recipient is verified.
  drop message = Appears to be a dictionary attack
      log_message = Dictionary attack (after $rcpt_fail_count failures)
      condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
      condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
      !verify = recipient

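Added example (not from the original post, and not part of the cPanel/Exim dictionary-attack ACL or exim_deny.pl): the post's ACL keys on $rcpt_fail_count, which never exceeds three when every zombie makes a single RCPT attempt per connection. This Python script instead works from the main log, where the domain-wide pattern is visible: many distinct source hosts, one rejected recipient each, with random-looking local parts. The log lines are constructed (documentation IPs, modelled on Exim's "rejected RCPT" main-log format), the "random local part" heuristic and its thresholds are assumptions, and the output is only a candidate list for /etc/exim_deny, to be reviewed against the whitelist before use.

```python
"""Spot a distributed dictionary attack in Exim main-log 'rejected RCPT' lines."""
import re
from collections import Counter

# Constructed sample lines modelled on Exim's main log format. The IPs are
# documentation ranges and the lines are not taken from the original post.
SAMPLE_LOG = """\
2009-03-12 10:15:01 H=(mail.local) [192.0.2.10] F=<bob@example.net> rejected RCPT <zzcmtypev@xxxxx.com>: No Such User Here
2009-03-12 10:15:01 H=(pc-77) [198.51.100.23] F=<amy@example.org> rejected RCPT <eztxpwca@xxxxx.com>: No Such User Here
2009-03-12 10:15:02 H=(dsl-9) [203.0.113.5] F=<joe@example.com> rejected RCPT <ptvyurbandjly@xxxxx.com>: No Such User Here
2009-03-12 10:15:02 H=mx.partner.example [192.0.2.77] F=<ann@partner.example> rejected RCPT <sales@xxxxx.com>: No Such User Here
2009-03-12 10:15:03 H=(pc-77) [198.51.100.23] F=<amy@example.org> rejected RCPT <qwrtkjhx@xxxxx.com>: No Such User Here
"""

# Timestamp, the [ip] that follows H=..., and the rejected recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\] "
    r".*?rejected RCPT <(?P<local>[^@>]+)@(?P<domain>[^>]+)>"
)


def parse_rejects(log_text):
    """Return one dict (ts, ip, local, domain) per 'rejected RCPT' line."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append(m.groupdict())
    return rejects


def looks_random(local_part):
    """Coarse heuristic (assumed thresholds): a local part of six or more letters
    with few vowels or a long consonant run looks machine-generated. Some real
    words (e.g. 'strength') also trip it, so treat the result as a hint only."""
    letters = "".join(c for c in local_part.lower() if c.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowel_ratio < 0.25 or longest_consonant_run >= 5


def summarize(rejects):
    """Aggregate the signals that a per-connection counter cannot see."""
    per_ip = Counter(r["ip"] for r in rejects)
    random_hits = [r for r in rejects if looks_random(r["local"])]
    return {
        "total": len(rejects),
        "distinct_ips": len(per_ip),
        # Hosts that failed exactly once: the case where $rcpt_fail_count stays at 1.
        "single_attempt_ips": sum(1 for n in per_ip.values() if n == 1),
        "random_count": len(random_hits),
        "random_ips": sorted({r["ip"] for r in random_hits}),
    }


def is_distributed_attack(summary, min_hosts=3, min_random_fraction=0.5):
    """Many hosts and mostly gibberish recipients: a domain-wide signal rather
    than a per-host one. Thresholds are assumptions; tune them to the site."""
    if summary["total"] == 0 or summary["distinct_ips"] < min_hosts:
        return False
    return summary["random_count"] / summary["total"] >= min_random_fraction


def deny_candidates(rejects, whitelist=frozenset()):
    """IPs that tried at least one random-looking recipient, minus the whitelist;
    these are candidates for /etc/exim_deny, not an automatic ban list."""
    return [ip for ip in summarize(rejects)["random_ips"] if ip not in whitelist]


if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    summary = summarize(rejects)
    print(summary)
    print("distributed attack:", is_distributed_attack(summary))
    print("deny candidates:", deny_candidates(rejects, whitelist=frozenset({"192.0.2.77"})))
```

Run it against a slice of exim_mainlog covering the attack window (for example the output of `tail -n 5000`) instead of SAMPLE_LOG; the single_attempt_ips count shows how much of the traffic the per-connection ACL can never catch, and the candidate list can be appended to /etc/exim_deny after checking it against /etc/exim_deny_whitelist.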