[Mimedefang] dictionary attacks looking for a valid user
David F. Skoll
dfs at roaringpenguin.com
Fri Dec 16 11:01:05 EST 2005
Steffen Kaiser wrote:
> After reading these two paragraphs a worry struck me:
> In contrast to SSH connections you cannot assume that the attacker sits
> on "the other side" of an SMTP communication. Maybe the server just
> relays the mail or is a huge mail hoster (say, hotmail, gmail, aol),
> you cannot firewall them off, just because one Black Sheep is abusing
> the service?!
I did a grep for the "Possible SMTP RCPT flood, throttling" log message
from Sendmail in one month's worth of mail logs. Almost all were
from dial-up, DSL or cable-modem PCs. There were maybe two or three that
looked like they might have been "real" SMTP servers, and there were none
from any major mail hosters.
So I don't think it's a problem in practice, especially if you only firewall
them off for 10-20 minutes at a time.
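
The log survey described above can be repeated with a short script. This is an added example, not part of the original post or of MIMEDefang. The log line layout (client name and address before the message), the reverse-DNS keyword list and all hostnames and addresses are assumptions or constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines. The "<client> [ip]: Possible SMTP RCPT flood"
# layout is an assumption; adjust the regex to match your own maillog.
SAMPLE_LOG = """\
Dec 16 09:58:11 mx1 sendmail[4101]: jBGEwB01004101: dsl-203-0-113-7.example.net [203.0.113.7]: Possible SMTP RCPT flood, throttling.
Dec 16 09:58:40 mx1 sendmail[4101]: jBGEwB01004101: dsl-203-0-113-7.example.net [203.0.113.7]: Possible SMTP RCPT flood, throttling.
Dec 16 10:02:05 mx1 sendmail[4188]: jBGF2501004188: [198.51.100.23]: Possible SMTP RCPT flood, throttling.
Dec 16 10:07:19 mx1 sendmail[4230]: jBGF7J01004230: mail.example.org [192.0.2.25]: Possible SMTP RCPT flood, throttling.
Dec 16 10:09:44 mx1 sendmail[4251]: jBGF9i01004251: from=<a@example.com>, size=1204, nrcpts=1, relay=mail.example.org [192.0.2.25]
"""

FLOOD = re.compile(
    r": (?:(?P<host>[\w.-]+) )?\[(?P<ip>[0-9a-fA-F.:]+)\]: Possible SMTP RCPT flood"
)
# Heuristic markers of dynamic/residential reverse DNS (assumed list, tune locally).
DYNAMIC = re.compile(r"dsl|dial|cable|dyn|pool|ppp|dhcp", re.I)
IP_IN_NAME = re.compile(r"\d+[-.]\d+[-.]\d+[-.]\d+")


def classify(host):
    """Rough guess at what kind of machine a throttled client is."""
    if host is None:
        return "no-rdns"
    if DYNAMIC.search(host) or IP_IN_NAME.search(host):
        return "dynamic"
    return "named-server"


def summarize(log_text):
    """Return (hits per client IP, class per client IP, clients per class)."""
    per_client, kinds = Counter(), {}
    for line in log_text.splitlines():
        m = FLOOD.search(line)
        if m:
            per_client[m["ip"]] += 1
            kinds[m["ip"]] = classify(m["host"])
    return per_client, kinds, Counter(kinds.values())


if __name__ == "__main__":
    per_client, kinds, per_kind = summarize(SAMPLE_LOG)
    for ip, hits in per_client.most_common():
        print(f"{ip:<16} {hits:>3}  {kinds[ip]}")
    print(dict(per_kind))
```

Clients classed as "named-server" are the ones to review by hand before applying any temporary firewall rule.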