[Mimedefang] dictionary attacks looking for a valid user

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Fri Dec 16 03:33:13 EST 2005

On Thu, 15 Dec 2005, David F. Skoll wrote:

> Jan Pieter Cornet wrote:
>> An easier solution might be to have a process tail(1) your logfile and
>> take action on the information there. I think I've even seen something
>> like that: more than x invalid recipients, and you're firewalled away.
> That's much easier.  I have a script I run for a similar purpose:  It
> firewalls off anyone who attempts to log in via SSH with an invalid
> password.  There are lots of SSH brute-forcers around.

After reading these two paragraphes some worrying struck me:

In opposite to SSH connections you cannot assume that the attacker sits on 
"the other side" of a SMTP communication. Maybe the server just relays 
the mail or is an huge mail hoster (say, hotmail, gmail, aol), you cannot 
firewall them off, just because one Black Sheep is abusing the service?!
Will you really try to differ between home/zombie senders and huge relay 
systems, esp. because you do not have no headers to take into account?

Actually, there was a patch for sendmail posted to comp.mail.sendmail for 
a feature "drop connection if number of bad recipients exceeds n". 


Steffen Kaiser

More information about the MIMEDefang mailing list