[Mimedefang] Blocking Dictionary Attacks

David F. Skoll dfs at roaringpenguin.com
Tue Jun 9 14:04:22 EDT 2009

Les Mikesell wrote:

> Spammers are a lot smarter than that these days.  If you watch your logs
> during a dictionary attack you are likely to see the messages come in
> from dozens of different IP addresses that are obviously coordinating
> the address space and timing so you don't see a big number of addresses
> come in from any single source, or on any single message, or fast enough
> to overwhelm a reasonable server.

This is true.  Nevertheless, we implement this policy:  If a single relay
sends to 4 or more invalid recipients in a 15-minute time window, we
firewall it off for an hour.  Our ban list at any given time contains
between 3 and 50 IP addresses.
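
The policy described above (4 or more invalid recipients from one relay within 15 minutes, then a one-hour block) can be sketched as a per-relay sliding window. This is an added example, not part of the original post and not Roaring Penguin's code; the class and function names, the event format and the sample addresses are assumptions made for illustration, and each invalid recipient attempt is counted once.

```python
from collections import defaultdict, deque

WINDOW = 15 * 60     # seconds: the 15-minute window from the post
THRESHOLD = 4        # invalid recipients within the window that trigger a ban
BAN_TIME = 60 * 60   # seconds: the one-hour firewall block


class RelayBanList:
    def __init__(self):
        self.misses = defaultdict(deque)  # relay IP -> times of invalid RCPTs
        self.banned_until = {}            # relay IP -> ban expiry time

    def is_banned(self, relay, now):
        expiry = self.banned_until.get(relay)
        if expiry is not None and now >= expiry:
            del self.banned_until[relay]  # ban has run out
            return False
        return expiry is not None

    def invalid_recipient(self, relay, now):
        """Record one invalid recipient; return True if the relay is banned."""
        if self.is_banned(relay, now):
            return True
        seen = self.misses[relay]
        seen.append(now)
        while seen[0] <= now - WINDOW:    # drop entries older than the window
            seen.popleft()
        if len(seen) >= THRESHOLD:
            self.banned_until[relay] = now + BAN_TIME
            del self.misses[relay]
            return True
        return False

    def active_bans(self, now):
        return sorted(ip for ip in list(self.banned_until) if self.is_banned(ip, now))


def replay(events, check_at):
    """Feed (time, relay) events up to check_at; return the ban list then."""
    bans = RelayBanList()
    for when, relay in sorted(e for e in events if e[0] <= check_at):
        bans.invalid_recipient(relay, when)
    return bans.active_bans(check_at)


# Constructed sample: (seconds, relay IP), documentation-range addresses.
SAMPLE = [(0, "192.0.2.10"), (60, "192.0.2.10"), (120, "192.0.2.10"),
          (200, "192.0.2.10"),                       # 4 misses in 200 s
          (0, "198.51.100.7"), (400, "198.51.100.7"),
          (800, "198.51.100.7"), (1000, "198.51.100.7")]  # never 4 in 15 min
```

In the constructed sample the first relay is blocked at the fourth miss and released an hour later, while the second relay, whose misses never reach four inside any 15-minute window, stays off the list.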



