[Mimedefang] dictionary attacks looking for a valid user

Kelsey Cummings kgc at corp.sonic.net
Thu Dec 15 18:02:35 EST 2005


On Thu, Dec 15, 2005 at 10:49:20PM +0100, Jan Pieter Cornet wrote:
> An easier solution might be to have a process tail(1) your logfile and
> take action on the information there. I think I've even seen something
> like that: more than x invalid recipients, and you're firewalled away.

This works quite well for us.  We have some stuff that tallies good/bad
recipients over a period and if it crosses the threshold the remote host
gets null routed for something like 10 minutes.  We also trigger the null
route on a few other errors indictive of a spam bot (or really broken SMTP
server.)

Under heavy rumplestiltskin attacks I've had over 5k IPs null routed on
each of my MX servers.  Usually runs around 30-50.

-- 
Kelsey Cummings - kgc at corp.sonic.net      sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000                              Santa Rosa, CA 95407


More information about the MIMEDefang mailing list