[Mimedefang] dictionary attacks looking for a valid user
Kelsey Cummings
kgc at corp.sonic.net
Thu Dec 15 18:02:35 EST 2005
On Thu, Dec 15, 2005 at 10:49:20PM +0100, Jan Pieter Cornet wrote:
> An easier solution might be to have a process tail(1) your logfile and
> take action on the information there. I think I've even seen something
> like that: more than x invalid recipients, and you're firewalled away.
This works quite well for us. We have some stuff that tallies good/bad
recipients over a period and if it crosses the threshold the remote host
gets null routed for something like 10 minutes. We also trigger the null
route on a few other errors indicative of a spam bot (or really broken SMTP
server.)
Under heavy rumplestiltskin attacks I've had over 5k IPs null routed on
each of my MX servers. Usually runs around 30-50.
--
Kelsey Cummings - kgc at corp.sonic.net sonic.net, inc.
System Architect 2260 Apollo Way
707.522.1000 Santa Rosa, CA 95407
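
The tally-and-block approach described in this message, as an added sketch that is not code from the post or from MIMEDefang. The pre-parsed input format (`<epoch> <ip> <ok|bad>`), the window, the thresholds and the bad-ratio test are assumptions; only the roughly 10 minute block duration comes from the message.

```python
from collections import defaultdict, deque

WINDOW = 300         # tally period in seconds (assumed)
MAX_BAD = 5          # bad recipients tolerated per window (assumed)
MIN_BAD_RATIO = 0.8  # assumed: spare hosts that mostly reach valid users
BLOCK_SECS = 600     # "something like 10 minutes", from the message

def parse(line):
    """Constructed format: '<epoch> <ip> <ok|bad>', one line per RCPT result."""
    ts, ip, verdict = line.split()
    return int(ts), ip, verdict == "bad"

def decide_blocks(lines):
    """Return [(ip, block_start, block_end)] in the order blocks trigger."""
    recent = defaultdict(deque)  # ip -> (ts, is_bad) entries inside WINDOW
    blocked_until = {}           # ip -> epoch at which the null route expires
    blocks = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, is_bad = parse(line)
        if blocked_until.get(ip, 0) > ts:
            continue  # host is null routed; ignore stale log entries
        q = recent[ip]
        q.append((ts, is_bad))
        while q and q[0][0] <= ts - WINDOW:
            q.popleft()  # drop results older than the tally period
        bad = sum(1 for _, b in q if b)
        if bad > MAX_BAD and bad / len(q) >= MIN_BAD_RATIO:
            blocked_until[ip] = ts + BLOCK_SECS
            blocks.append((ip, ts, ts + BLOCK_SECS))
            q.clear()  # start a fresh tally once the route expires
    return blocks

# Constructed sample; addresses are from the RFC 5737 documentation ranges.
GUESSER = [f"{1000 + i} 192.0.2.10 bad" for i in range(8)]
NORMAL = [f"{1000 + i * 10} 198.51.100.7 {'bad' if i == 3 else 'ok'}"
          for i in range(20)]  # one mistyped recipient among valid mail
RETURNS = [f"{1700 + i} 192.0.2.10 bad" for i in range(8)]  # after expiry
SAMPLE = sorted(GUESSER + NORMAL + RETURNS, key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    for ip, start, end in decide_blocks(SAMPLE):
        print(f"null route {ip} from {start} until {end}")
```

The function only returns decisions; installing and expiring the actual null route is left to whatever the MX host uses for that.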