[Mimedefang] dictionary attacks looking for a valid user

Kelson kelson at speed.net
Thu Dec 15 16:53:13 EST 2005


Alex Moore wrote:
> How can I setup a rule in MIMEDefang to define those transactions?  Say
> when a smtp server tries 10 times within a short time period and is sent
> a 550 code each time. I think that it would appropriate to have MD just
> blacklist that address. Is that possible?  I want to ignore them
> completely after this event has occurred.

Well, this isn't MIMEDefang, but we've had good luck with a variation on 
the rumplekiller script (some people refer to dictionary attacks as 
"Rumplestiltskin attacks") here:
http://bignosebird.com/notebook/rumplekill.shtml

The script runs from a cron job and checks the mail logs for excessive 
"User unknown" hits from an IP address.  The original version uses IP 
routing commands to ignore all incoming connections, but it's easy 
enough to adapt it to other actions (we have it add the IP to our local 
blacklist, for instance).

You might also look into Sendmail's BAD_RCPT_THROTTLE feature.  It 
doesn't block them, but it'll slow them down a bit.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


More information about the MIMEDefang mailing list