[Mimedefang] dictionary attacks looking for a valid user
Kelson
kelson at speed.net
Thu Dec 15 16:53:13 EST 2005
Alex Moore wrote:
> How can I set up a rule in MIMEDefang to define those transactions? Say
> when a smtp server tries 10 times within a short time period and is sent
> a 550 code each time. I think that it would be appropriate to have MD just
> blacklist that address. Is that possible? I want to ignore them
> completely after this event has occurred.
Well, this isn't MIMEDefang, but we've had good luck with a variation on
the rumplekiller script (some people refer to dictionary attacks as
"Rumplestiltskin attacks") here:
http://bignosebird.com/notebook/rumplekill.shtml
The script runs from a cron job and checks the mail logs for excessive
"User unknown" hits from an IP address. The original version uses IP
routing commands to ignore all incoming connections, but it's easy
enough to adapt it to other actions (we have it add the IP to our local
blacklist, for instance).
You might also look into Sendmail's BAD_RCPT_THROTTLE feature. It
doesn't block them, but it'll slow them down a bit.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
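
Added example, not part of the original post and not the rumplekiller script: a minimal log check of the kind described above, flagging any IP with 10 or more "User unknown" rejections inside a sliding window. The log line layout, the 10-minute window, and the names `find_offenders` and `sample_log` are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: syslog timestamp, then a rejection record carrying both
# relay=[IP] and "User unknown". Adjust the pattern to your MTA's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*relay=[^,]*"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*User unknown"
)

def find_offenders(lines, threshold=10, window=timedelta(minutes=10), year=2005):
    """Return sorted IPs with >= threshold 'User unknown' hits in any window."""
    recent = defaultdict(deque)  # ip -> hit times still inside the window
    offenders = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # Syslog timestamps omit the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that have aged out
            hits.popleft()
        if len(hits) >= threshold:
            offenders.add(m["ip"])
    return sorted(offenders)

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    base = datetime(2005, 12, 15, 16, 0, 0)
    def line(ts, ip, user):
        return (f"{ts:%b %d %H:%M:%S} mail sendmail[4242]: arg1=<{user}@example.com>, "
                f"relay=[{ip}], reject=550 5.1.1 <{user}@example.com>... User unknown")
    # 12 guesses 5 seconds apart: a dictionary attack, over the threshold.
    out = [line(base + timedelta(seconds=5 * i), "192.0.2.10", f"user{i}") for i in range(12)]
    # 12 misses 5 minutes apart: never 10 inside one 10-minute window.
    out += [line(base + timedelta(minutes=5 * i), "198.51.100.7", f"typo{i}") for i in range(12)]
    # Accepted mail: no "User unknown", so it is ignored.
    out.append("Dec 15 16:01:00 mail sendmail[4243]: from=<a@example.org>, relay=[203.0.113.5]")
    return out

if __name__ == "__main__":
    for ip in find_offenders(sample_log()):
        print(ip)  # feed these to a local blacklist or firewall rule
```

The sliding window keeps slow, scattered typos from legitimate senders below the threshold while still catching a burst of guesses.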