[Mimedefang] Blocking Dictionary Attacks
Paul.Murphy at argentadiscovery.com
Fri Jun 5 09:31:07 EDT 2009
I block this using some custom code in filter_recipient which keeps the ongoing good and bad recipient counts in a local file in the spool directory. If there are more than 2 bad recipients, and more bad recipients than good recipients, then I reject the whole message and firewall the offender. The determination of which recipients are good comes from a database table of all valid addresses for my domain, which is populated from LDAP and from a list of aliases and other special addresses.
The database overhead is relatively small, as my filter is extensively tied to database tables for logging, stats, blacklist checks, and so on. LDAP updates to the table are done 4 times daily, saving on a real-time SMTP query to any back-end server to see if the recipient is valid, or an LDAP lookup on the fly which can be slow, especially if you have to do secure LDAP.
Argenta Discovery Ltd, 8-9 Spire Green Centre, Harlow, Essex, CM19 5TR
Registered in England No. 3671653
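The recipient-counting check described in this post, sketched as a MIMEDefang filter fragment. This is an added example, not the poster's code: the counts file name, the in-memory `%VALID` hash standing in for the database table of valid addresses, and the reply texts are assumptions, and it assumes filter_recipient runs with the per-message spool directory as its working directory, as the post describes.

```perl
use strict;
use warnings;

my $COUNT_FILE = './rcpt-counts';   # ASSUMED file name, kept in the per-message spool dir
my %VALID = map { lc($_) => 1 }     # ASSUMED stand-in for the table of valid addresses
    qw(alice@example.com bob@example.com postmaster@example.com);

sub is_valid_recipient {
    my ($addr) = @_;
    $addr =~ s/^<|>$//g;            # addresses arrive wrapped in angle brackets
    return exists $VALID{lc $addr};
}

sub load_counts {
    open(my $fh, '<', $COUNT_FILE) or return (0, 0);   # no file yet: first RCPT
    my $line = <$fh> // '';
    close($fh);
    return $line =~ /^(\d+) (\d+)$/ ? ($1, $2) : (0, 0);
}

sub save_counts {
    my ($good, $bad) = @_;
    open(my $fh, '>', $COUNT_FILE) or return;
    print $fh "$good $bad\n";
    close($fh);
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
    my ($good, $bad) = load_counts();
    my $ok = is_valid_recipient($recipient);
    if ($ok) { $good++ } else { $bad++ }
    save_counts($good, $bad);

    # Threshold from the post: more than 2 bad, and more bad than good.
    if ($bad > 2 && $bad > $good) {
        md_syslog('warning', "dictionary attack from $ip: good=$good bad=$bad");
        # The post also firewalls the offender; that step is site-specific and omitted.
        return ('REJECT', 'Too many invalid recipients');
    }
    return ('REJECT', 'User unknown') unless $ok;
    return ('CONTINUE', 'ok');
}

1;
```

Returning REJECT here refuses the current RCPT only; recipients accepted earlier in the same transaction are not affected by this return value.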