[Mimedefang] dictionary attacks looking for a valid user

David F. Skoll dfs at roaringpenguin.com
Fri Dec 16 11:01:05 EST 2005

Steffen Kaiser wrote:

> After reading these two paragraphes some worrying struck me:

> In opposite to SSH connections you cannot assume that the attacker sits
> on "the other side" of a SMTP communication. Maybe the server just
> relays the mail or is an huge mail hoster (say, hotmail, gmail, aol),
> you cannot firewall them off, just because one Black Sheep is abusing
> the service?!

I did a grep for the "Possible SMTP RCPT flood, throttling" log message
from Sendmail in one month's worth of mail logs.  Almost all were
from dial-up, DSL or cable-modem PC's.  There were maybe two or three that
looked like they might have been "real" SMTP servers, and there were none
from any major mail hosters.

So I don't think it's a problem in practice, especially if you only firewall
them off for 10-20 minutes at a time.



More information about the MIMEDefang mailing list