[Mimedefang] dictionary attacks looking for a valid user

[Kevin A. McGrail]

> The script runs from a cron job and checks the mail logs for excessive 
> "User unknown" hits from an IP address.  The original version uses IP 
> routing commands to ignore all incoming connections, but it's easy enough 
> to adapt it to other actions (we have it add the IP to our local 
> blacklist, for instance).
>
> You might also look into Sendmail's BAD_RCPT_THROTTLE feature.  It doesn't 
> block them, but it'll slow them down a bit.

I use a solution with the Bad Rcpt Throttle and a POP Before SMTP daemon 
that works very well by monitoring the maillogs.

Essentially, it monitors the logs and modifies IPTables to block the sender. 
We've been using it for WELL over a year now with only one user complaint 
ever.

http://www.peregrinehw.com/downloads/sendmail/sendmail-8.12.X/untarred/contrib/poprelay-RCPT_Throttle/

Also, for my own personal setup since I use virtusertables as well, I have 
set a very hard-coded check in filter_recipient like this:

 if ($recip =~ /\@munged\.com>?$/i) {
    if ($recip !~ 
/^<?(wellsfargo|sbc|paypal|aclu|amazon|congress|gd-algorithms|ign|register|classmates.com|dean|ecost|eff|eharmony|empeg|ice|publicknowledge.org|vtalum|yahoo)/i) 
{
      md_syslog('warning', "Rejecting $recip - Custom munged No Such User");
      return ('REJECT', "No such user here");
    }
  }

It's not perfect but something you might be able to build on.

One of these days, I have sourceforge rights to merge my poprelayd back with 
the master one but time is never on my side.  However, it's a good thing to 
have that is constantly scanning the maillogs and I've built lots of little 
proprietary tweaks onto it.

Regards,
KAM