[Mimedefang] dictionary attacks looking for a valid user

Jan Pieter Cornet johnpc at xs4all.nl
Thu Dec 15 16:49:20 EST 2005


On Thu, Dec 15, 2005 at 03:05:45PM -0600, Alex Moore wrote:
> A spammer tries many times to find a user with something like a
> dictionary attack or a list of commonly used user names.
> 
> How can I set up a rule in MIMEDefang to define those transactions?  Say
> when a smtp server tries 10 times within a short time period and is sent
> a 550 code each time. I think that it would be appropriate to have MD just
> blacklist that address. Is that possible?  I want to ignore them
> completely after this event has occurred.

Difficult. Depending on your setup, your milter may or may not see the
invalid recipients. And if it does see it, it won't know it's an
invalid recipient...

> Ideas?

It's tricky. I haven't done this yet but I'm sort of planning to. One
possibility is to make sure all valid addresses are in virtusertable,
and all invalid addresses map to some magic token that sendmail believes
is valid, but really isn't. You could catch the magic token in
mimedefang and always return a "user unknown" error, and at the
same time mark that this happened on this connection...

An easier solution might be to have a process tail(1) your logfile and
take action on the information there. I think I've even seen something
like that: more than x invalid recipients, and you're firewalled away.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
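The second suggestion in the reply above (a process that follows the mail log and counts invalid recipients per connecting host) as an added worked example; this is not code from the thread or from the MIMEDefang project. It assumes the sendmail logging layout shown in the constructed sample: each "User unknown" rejection is logged on its own line and the envelope summary line with `relay=[ip]` arrives later under the same queue id, so the detector attributes rejections to a relay only once that line is seen. The threshold, window and regexes are assumptions to be adjusted to the local log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sendmail-style log excerpt for this example (not a real capture).
# sendmail logs each "User unknown" rejection and the envelope summary line
# (which carries relay=[ip]) separately, joined only by the queue id, so the
# detector keeps per-queue-id counts until the relay is known.
SAMPLE_LOG = """\
Dec 15 16:40:01 mx sendmail[1201]: jBFLe101001201: <aaron@example.com>... User unknown
Dec 15 16:40:01 mx sendmail[1201]: jBFLe101001201: <abby@example.com>... User unknown
Dec 15 16:40:02 mx sendmail[1201]: jBFLe101001201: <abel@example.com>... User unknown
Dec 15 16:40:02 mx sendmail[1201]: jBFLe101001201: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Dec 15 16:40:30 mx sendmail[1202]: jBFLeU01001202: <alice@example.com>... User unknown
Dec 15 16:40:30 mx sendmail[1202]: jBFLeU01001202: from=<y@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Dec 15 16:41:10 mx sendmail[1203]: jBFLf901001203: <adam@example.com>... User unknown
Dec 15 16:41:11 mx sendmail[1203]: jBFLf901001203: <ada@example.com>... User unknown
Dec 15 16:41:11 mx sendmail[1203]: jBFLf901001203: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
"""

# Log layout assumed by this example; adjust for your sendmail/syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
UNKNOWN_RE = re.compile(r"^<[^>]*>\.\.\. User unknown$")
RELAY_RE = re.compile(r"^from=.*relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def parse_ts(text):
    """Parse a syslog timestamp (no year); only relative ordering matters here."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


class DictionaryAttackDetector:
    """Flag relays that cause >= threshold unknown-recipient rejections per window."""

    def __init__(self, threshold=10, window_seconds=600):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._pending = defaultdict(int)    # queue id -> rejections awaiting a relay
        self._events = defaultdict(deque)   # relay ip -> rejection timestamps in window
        self.flagged = {}                   # relay ip -> count when it crossed the threshold

    def feed(self, line):
        """Consume one log line; return the relay IP if it just crossed the threshold."""
        m = LINE_RE.match(line)
        if not m:
            return None
        qid, rest = m.group("qid"), m.group("rest")
        if UNKNOWN_RE.match(rest):
            self._pending[qid] += 1          # relay not known yet; hold under queue id
            return None
        r = RELAY_RE.match(rest)
        if not r:
            return None
        count = self._pending.pop(qid, 0)
        if count == 0:
            return None                      # envelope had no unknown-user rejections
        ip, ts = r.group("ip"), parse_ts(m.group("ts"))
        events = self._events[ip]
        events.extend([ts] * count)
        while events and ts - events[0] > self.window:
            events.popleft()                 # drop rejections outside the sliding window
        if len(events) >= self.threshold and ip not in self.flagged:
            self.flagged[ip] = len(events)
            return ip
        return None


def scan(log_text, threshold=10, window_seconds=600):
    """Run the detector over a whole log text; return relay IPs in the order flagged."""
    detector = DictionaryAttackDetector(threshold, window_seconds)
    flagged = []
    for line in log_text.splitlines():
        ip = detector.feed(line)
        if ip:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    # A live deployment would read lines from `tail -F /var/log/maillog` instead.
    for ip in scan(SAMPLE_LOG, threshold=5, window_seconds=300):
        print(f"{ip}: repeated unknown-recipient probes, candidate for blocking")
```

With a threshold of 5 over five minutes the sample flags 192.0.2.10 (five rejections across two connections) and leaves 198.51.100.7 alone. Because a relay is only attributed when its envelope summary line appears, a host that keeps one SMTP session open is counted when that session ends, which is the main blind spot of the log-tailing approach compared with a milter-side counter; what to do with a flagged address (access db entry, firewall rule) is a site decision.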