[Mimedefang] dictionary attacks looking for a valid user

Paul Whittney pwhittney at net.arrivetech.com
Thu Dec 15 22:08:55 EST 2005

A little off topic here...

On Thu, Dec 15, 2005 at 10:49:20PM +0100, Jan Pieter Cornet wrote:
> An easier solution might be to have a process tail(1) your logfile and
> take action on the information there. I think I've even seen something
> like that: more than x invalid recipients, and you're firewalled away.

I've been thinking about that, but it was more for real-time iptables,
or real-time email monitoring for stats, in a way that doesn't involve "tail the
whole log" or "open the log every 5 minutes". Perhaps this can be used here:
syslog to a pipe, then open the pipe in a process as read/write (that way the
reading doesn't stop when logrotate and friends move the files and restart syslogd,
following the Unix programming books by R. Stevens). I was going to
thread a perl process to count lines that matched "filter_end" or "bad-helo"
and get rrdtool/mrtg to pull data from that process. At the speed I'm going,
someone might be able to get this implemented before I look up embedding
perl ;=P.

Not sure if it's useful or not...

Also, doesn't sendmail cope with rcpt/connection flooding? (Sorry, I haven't got
to the rest of the thread yet.)
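As an added illustration of the pipe-reading scheme sketched in the post above (this is not code from the original message, from MIMEDefang, or from sendmail), the script below opens a syslog FIFO read/write so the reader never sees EOF when syslogd is restarted, counts lines matching "filter_end" and "bad-helo" for a graphing tool to poll, and tallies 550 "User unknown" rejections per relay IP so that a relay hammering the server with bad recipients can be firewalled. The FIFO path, the syslog.conf line mentioned in the comments, the threshold, and the sample log lines are all assumptions or constructed input; the sendmail "ruleset=check_rcpt ... User unknown" format is the real one, but the addresses and IPs in the samples are made up.

```python
import os
import re
from collections import Counter

# Shape of sendmail's rejected-recipient log line (real format; the
# queue IDs, addresses and relay IPs in SAMPLE_LINES below are constructed).
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: \w+: ruleset=check_rcpt, arg1=<[^>]*>, "
    r"relay=(?:[\w.-]+ )?\[(?P<ip>[0-9a-fA-F.:]+)\], reject=550 .* User unknown"
)

# Tokens the post wants counted for rrdtool/mrtg.
COUNT_TOKENS = ("filter_end", "bad-helo")

# Constructed sample input standing in for what syslog would write to the pipe.
SAMPLE_LINES = [
    "Dec 15 22:01:01 mx sendmail[3001]: jBG3111a003001: ruleset=check_rcpt, arg1=<aaa@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaa@example.com>... User unknown",
    "Dec 15 22:01:02 mx sendmail[3001]: jBG3111a003001: ruleset=check_rcpt, arg1=<bbb@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <bbb@example.com>... User unknown",
    "Dec 15 22:01:03 mx sendmail[3001]: jBG3111a003001: ruleset=check_rcpt, arg1=<ccc@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <ccc@example.com>... User unknown",
    "Dec 15 22:01:04 mx mimedefang.pl[2001]: jBG3111b003002: filter_end: accepted",
    "Dec 15 22:01:05 mx sendmail[3002]: jBG3111c003003: ruleset=check_rcpt, arg1=<dan@example.com>, relay=mail.example.net [198.51.100.5], reject=550 5.1.1 <dan@example.com>... User unknown",
    "Dec 15 22:01:06 mx mimedefang.pl[2001]: jBG3111d003004: bad-helo: localhost from [203.0.113.7]",
    "Dec 15 22:01:07 mx mimedefang.pl[2001]: jBG3111d003004: filter_end: accepted",
]


def tally(lines):
    """Return (token counts, unknown-recipient rejections per relay IP)."""
    tokens = Counter()
    unknown_by_ip = Counter()
    for line in lines:
        for tok in COUNT_TOKENS:
            if tok in line:
                tokens[tok] += 1
        m = REJECT_RE.search(line)
        if m:
            unknown_by_ip[m.group("ip")] += 1
    return tokens, unknown_by_ip


def offenders(unknown_by_ip, threshold):
    """Relay IPs with more than `threshold` unknown-recipient rejections."""
    return sorted(ip for ip, n in unknown_by_ip.items() if n > threshold)


def firewall_rule(ip):
    """The iptables command that would drop SMTP from `ip` (returned, not run)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def follow_fifo(path):
    """Yield lines from a FIFO that syslog writes to.

    Opening the FIFO O_RDWR keeps a writer open on our side, so when syslogd
    is restarted by logrotate the reader blocks for the next line instead of
    hitting EOF (the trick from Stevens). O_RDWR on a FIFO is a Linux/BSD
    behaviour, not guaranteed by POSIX.
    """
    if not os.path.exists(path):
        os.mkfifo(path, 0o600)
    fd = os.open(path, os.O_RDWR)
    with os.fdopen(fd, "r") as f:
        for line in f:
            yield line.rstrip("\n")


def watch(lines, threshold, act):
    """Feed lines through tally(), calling act(ip) once per relay that crosses
    the threshold. Returns the running counters and the set of blocked IPs."""
    tokens = Counter()
    unknown_by_ip = Counter()
    blocked = set()
    for line in lines:
        t, u = tally([line])
        tokens.update(t)
        unknown_by_ip.update(u)
        for ip in offenders(unknown_by_ip, threshold):
            if ip not in blocked:
                blocked.add(ip)
                act(ip)
    return tokens, unknown_by_ip, blocked


if __name__ == "__main__":
    # Assumed syslog.conf line feeding the pipe (sysklogd syntax):
    #   mail.*   |/var/run/maillog.fifo
    # Path and threshold are assumptions for this example.
    watch(follow_fifo("/var/run/maillog.fifo"), 10,
          lambda ip: print("would run:", " ".join(firewall_rule(ip))))
```

Running it against the constructed sample gives two "filter_end" hits, one "bad-helo", three rejections from 192.0.2.10 and one from 198.51.100.5; with a threshold of 2 only 192.0.2.10 is handed to the action, and only once, however many further rejections it produces. A counter process like this is also what an rrdtool/mrtg collector would poll for the token totals.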


