[Mimedefang] dictionary attacks looking for a valid user
skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Fri Dec 16 03:33:13 EST 2005
On Thu, 15 Dec 2005, David F. Skoll wrote:
> Jan Pieter Cornet wrote:
>> An easier solution might be to have a process tail(1) your logfile and
>> take action on the information there. I think I've even seen something
>> like that: more than x invalid recipients, and you're firewalled away.
> That's much easier. I have a script I run for a similar purpose: It
> firewalls off anyone who attempts to log in via SSH with an invalid
> password. There are lots of SSH brute-forcers around.
After reading these two paragraphes some worrying struck me:
In opposite to SSH connections you cannot assume that the attacker sits on
"the other side" of a SMTP communication. Maybe the server just relays
the mail or is an huge mail hoster (say, hotmail, gmail, aol), you cannot
firewall them off, just because one Black Sheep is abusing the service?!
Will you really try to differ between home/zombie senders and huge relay
systems, esp. because you do not have no headers to take into account?
Actually, there was a patch for sendmail posted to comp.mail.sendmail for
a feature "drop connection if number of bad recipients exceeds n".
More information about the MIMEDefang