[Mimedefang] dictionary attacks looking for a valid user

Ben Kamen bkamen at benjammin.net
Thu Dec 15 17:48:03 EST 2005


Jan Pieter Cornet wrote:
> On Thu, Dec 15, 2005 at 03:05:45PM -0600, Alex Moore wrote:
> 
>>A spammer tries many times to find a user with something like a
>>dictionary attack or a list of commonly used user names.
>>
>>How can I setup a rule in MIMEDefang to define those transactions?  Say
>>when a smtp server tries 10 times within a short time period and is sent
>>a 550 code each time. I think that it would appropriate to have MD just
>>blacklist that address. Is that possible?  I want to ignore them
>>completely after this event has occurred.

Well, I do something like this:

If the server is listed at jamming a "user unknown" in the mail.log file, I have a tcl script that optionally
null-routes the server for some predetermined time.

Kinda fun, actually.

The script is in TCL and monitors mail.log as an event process.. so it 
runs all the time, is event driven (read: doesn't eat CPU), has a persistent data file 
(i.e., you null-route someone for a week - 2 days later your server needs a 
reboot, the entry goes back on the stack for 5 more days when the program is run again.)


 -Ben


More information about the MIMEDefang mailing list