[Mimedefang] dictionary attacks looking for a valid user
Kevin A. McGrail
kmcgrail at pccc.com
Fri Dec 16 10:55:17 EST 2005
> The script runs from a cron job and checks the mail logs for excessive
> "User unknown" hits from an IP address. The original version uses IP
> routing commands to ignore all incoming connections, but it's easy enough
> to adapt it to other actions (we have it add the IP to our local
> blacklist, for instance).
>
> You might also look into Sendmail's BAD_RCPT_THROTTLE feature. It doesn't
> block them, but it'll slow them down a bit.
I use a solution with the Bad Rcpt Throttle and a POP Before SMTP daemon
that works very well by monitoring the maillogs.
Essentially, it monitors the logs and modifies IPTables to block the sender.
We've been using it for WELL over a year now with only one user complaint
ever.
http://www.peregrinehw.com/downloads/sendmail/sendmail-8.12.X/untarred/contrib/poprelay-RCPT_Throttle/
Also, for my own personal setup since I use virtusertables as well, I have
set a very hard-coded check in filter_recipient like this:
    # Inside filter_recipient: only recipients in the munged.com domain are checked.
    if ($recip =~ /\@munged\.com>?$/i) {
        # Reject anything whose local part does not begin with one of the known aliases.
        if ($recip !~
            /^<?(wellsfargo|sbc|paypal|aclu|amazon|congress|gd-algorithms|ign|register|classmates\.com|dean|ecost|eff|eharmony|empeg|ice|publicknowledge\.org|vtalum|yahoo)/i)
        {
            md_syslog('warning', "Rejecting $recip - Custom munged No Such User");
            return ('REJECT', "No such user here");
        }
    }
It's not perfect but something you might be able to build on.
One of these days, I have sourceforge rights to merge my poprelayd back with
the master one but time is never on my side. However, it's a good thing to
have that is constantly scanning the maillogs and I've built lots of little
proprietary tweaks onto it.
Regards,
KAM
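As an added example (not code from this post, nor from poprelayd or the MIMEDefang project), here is a Python sketch of the log-scanning step both messages describe: count "User unknown" rejections per relay IP in a sendmail-style maillog, keep only recent hits, skip your own relays, and produce the iptables rules a cron job would apply. The log lines, addresses and threshold are constructed for the example; the line format matched by REJECT_RE, the 30-minute window and the exact iptables rule are assumptions, not anything poprelayd does.

```python
"""Find IPs that hammer a sendmail server with unknown recipients (dictionary attacks)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample maillog, modelled on the ruleset=check_rcpt ... reject= lines
# sendmail writes for an unknown recipient. Not taken from any real log.
SAMPLE_LOG = """\
Dec 16 09:00:00 mx sendmail[4090]: jBGE00aa004090: ruleset=check_rcpt, arg1=<aaa@munged.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaa@munged.com>... User unknown
Dec 16 10:50:01 mx sendmail[4101]: jBGFo1bb004101: ruleset=check_rcpt, arg1=<aaron@munged.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@munged.com>... User unknown
Dec 16 10:50:02 mx sendmail[4101]: jBGFo1bb004101: ruleset=check_rcpt, arg1=<abbey@munged.com>, relay=[192.0.2.10], reject=550 5.1.1 <abbey@munged.com>... User unknown
Dec 16 10:50:03 mx sendmail[4101]: jBGFo1bb004101: ruleset=check_rcpt, arg1=<abbott@munged.com>, relay=[192.0.2.10], reject=550 5.1.1 <abbott@munged.com>... User unknown
Dec 16 10:50:04 mx sendmail[4101]: jBGFo1bb004101: ruleset=check_rcpt, arg1=<abel@munged.com>, relay=[192.0.2.10], reject=550 5.1.1 <abel@munged.com>... User unknown
Dec 16 10:51:10 mx sendmail[4103]: jBGFp2cc004103: ruleset=check_rcpt, arg1=<bob@munged.com>, relay=[198.51.100.7], reject=550 5.1.1 <bob@munged.com>... User unknown
Dec 16 10:52:00 mx sendmail[4105]: jBGFq0dd004105: from=<carol@example.org>, size=2048, class=0, nrcpts=1, relay=[198.51.100.7]
Dec 16 10:53:00 mx sendmail[4107]: jBGFr0ee004107: ruleset=check_rcpt, arg1=<x1@munged.com>, relay=gw.example.net [203.0.113.5], reject=550 5.1.1 <x1@munged.com>... User unknown
Dec 16 10:53:01 mx sendmail[4107]: jBGFr0ee004107: ruleset=check_rcpt, arg1=<x2@munged.com>, relay=gw.example.net [203.0.113.5], reject=550 5.1.1 <x2@munged.com>... User unknown
Dec 16 10:53:02 mx sendmail[4107]: jBGFr0ee004107: ruleset=check_rcpt, arg1=<x3@munged.com>, relay=gw.example.net [203.0.113.5], reject=550 5.1.1 <x3@munged.com>... User unknown
"""

# Assumed line shape: syslog timestamp, host, sendmail[pid], ..., relay=[ip] or
# relay=host [ip], ..., ending in "User unknown".
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: .*?"
    r"relay=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\].*?User unknown\s*$"
)


def syslog_time(text):
    """Parse a syslog timestamp; syslog lines carry no year, so all values share one."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_rejects(lines):
    """Yield (timestamp, relay_ip) for every 'User unknown' rejection in the log."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield syslog_time(m.group("ts")), m.group("ip")


def count_unknown_rcpts(lines, window_minutes=None, now=None):
    """Count rejections per source IP; with a window, only hits in the last N minutes."""
    counts = Counter()
    cutoff = None
    if window_minutes is not None and now is not None:
        cutoff = now - timedelta(minutes=window_minutes)
    for ts, ip in parse_rejects(lines):
        if cutoff is not None and ts < cutoff:
            continue
        counts[ip] += 1
    return counts


def offenders(counts, threshold, allowlist=()):
    """IPs at or above the threshold, skipping allowlisted ones (your own relays/gateways)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


def block_commands(ips, chain="INPUT"):
    """Build the iptables rules a cron job would apply; returned, not run, so they can be reviewed."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    recent = count_unknown_rcpts(lines, window_minutes=30, now=syslog_time("Dec 16 10:55:00"))
    for ip, n in recent.most_common():
        print(f"{ip}: {n} unknown recipients in the last 30 minutes")
    for cmd in block_commands(offenders(recent, 3, allowlist=("203.0.113.5",))):
        print(cmd)
```

The allowlist plays the same role as the hard-coded alias list in the filter_recipient check above: a single typo from a legitimate sender (198.51.100.7 here) stays under the threshold, while a host walking the alphabet gets blocked. Run it against a real log by replacing SAMPLE_LOG with the file contents and `now` with the current time, and keep the commands as output to review before anything executes them.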