[Mimedefang] Blocking Dictionary Attacks
David F. Skoll
dfs at roaringpenguin.com
Tue Jun 9 14:04:22 EDT 2009
Les Mikesell wrote:
> Spammers are a lot smarter than that these days. If you watch your logs
> during a dictionary attack you are likely to see the messages come in
> from dozens of different IP addresses that are obviously coordinating
> the address space and timing so you don't see a big number of addresses
> come in from any single source, or on any single message, or fast enough
> to overwhelm a reasonable server.
This is true. Nevertheless, we implement this policy: If a single relay
sends to 4 or more invalid recipients in a 15-minute time window, we
firewall it off for an hour. Our ban list at any given time contains
between 3 and 50 IP addresses.
More information about the MIMEDefang