[Mimedefang] dictionary attacks looking for a valid user

David F. Skoll dfs at roaringpenguin.com
Thu Dec 15 16:53:13 EST 2005


Jan Pieter Cornet wrote:

> It's tricky. I haven't done this yet but I'm sortof planning to. One
> possibility is to make sure all valid adresses are in virtusertable,
> and all invalid adresses map to some magic token that sendmail believes
> is valid, but really isn't. You could catch the magic token in
> mimedefang and always return a "user unknown" error, and at the
> same time mark that this happened on this connection...

Unfortunately, MIMEDefang only sees exactly what was in the
RCPT TO: command.  It doesn't know the results of virtusertable
changes.

(Though it occurs to me that it can see the mailer, so if you
map invalid addresses to something magical in virtusertable, and
have that magical thing select the "error" mailer, then MIMEDefang
might see it... have to test.)

> An easier solution might be to have a process tail(1) your logfile and
> take action on the information there. I think I've even seen something
> like that: more than x invalid recipients, and you're firewalled away.

That's much easier.  I have a script I run for a similar purpose:  It
firewalls off anyone who attempts to log in via SSH with an invalid
password.  There are lots of SSH brute-forcers around.

Regards,

David.


More information about the MIMEDefang mailing list