A bit OT: Cut off address probes?

Steve Thomas lists at STHOMAS.NET
Tue Aug 5 00:28:20 IST 2003


On Mon, Aug 04, 2003 at 06:08:28PM -0500, Furnish, Trever G is rumored to have said:
>
> Is there a way to configure sendmail (or whatever) such that "address
> probes" are less effective and intrusive?  I could imagine how the process
> ...
> By address probe, I mean connections that either:
>         1. Ask the receiving mta to accept a message for one invalid address
> after another despite repeated negative responses from the receiving mta.
> Something that amounts to "Is bob valid?" ... "no"  ... "Well, what about
> tom?"  ... "no"  ... "Frank?" ... etc.

In your sendmail.mc, put:

define(`confBAD_RCPT_THROTTLE',`5')

Replace the 5 with the number of bad RCPT TOs you'd like to start throttling at. For instance, in my setup, it'll start throttling the connection if 5 invalid recipients are specified in the same SMTP session.

This works by delaying one second before issuing the unknown user response. I wasn't happy with that, as the spamware just kept banging away at it anyway, so I dug around in the source and upped the delay to 15 seconds <g>. The dictionary attacks have all but stopped now. I used to get thousands of "unknown user" lines in my log each day - now I have about 10-15. :)


--
"Reality is merely an illusion, albeit a very persistent one."
- Albert Einstein (1879-1955)
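
To choose a value for confBAD_RCPT_THROTTLE and to check its effect afterwards, the "User unknown" rejections in the mail log can be counted per SMTP session and grouped by connecting relay. This is an added example, not part of the original post or of sendmail; the log lines are constructed and their layout (queue id after the sendmail[pid] tag, relay= on the from= line) is an assumption about the local syslog format.

```python
import re
from collections import Counter

# Constructed sample log (documentation addresses); layout is assumed.
SAMPLE_LOG = """\
Aug  4 18:08:28 mail sendmail[2314]: h74N8SQx002314: <bob@example.net>... User unknown
Aug  4 18:08:29 mail sendmail[2314]: h74N8SQx002314: <tom@example.net>... User unknown
Aug  4 18:08:30 mail sendmail[2314]: h74N8SQx002314: <frank@example.net>... User unknown
Aug  4 18:08:31 mail sendmail[2314]: h74N8SQx002314: <ann@example.net>... User unknown
Aug  4 18:08:32 mail sendmail[2314]: h74N8SQx002314: <joe@example.net>... User unknown
Aug  4 18:08:47 mail sendmail[2314]: h74N8SQx002314: <sue@example.net>... User unknown
Aug  4 18:08:48 mail sendmail[2314]: h74N8SQx002314: from=<probe@example.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Aug  4 18:09:10 mail sendmail[2401]: h74N9AQx002401: <alise@example.net>... User unknown
Aug  4 18:09:12 mail sendmail[2401]: h74N9AQx002401: from=<carol@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Aug  4 18:09:13 mail sendmail[2402]: h74N9AQx002401: to=<alice@example.net>, delay=00:00:03, mailer=local, relay=local, stat=Sent
"""

# One rejected RCPT TO, keyed by the queue id of the SMTP session.
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (\w+): <[^>]*>\.\.\. User unknown")
# The from= line of the same session names the connecting relay.
RELAY_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=.*\brelay=(.+)$")


def bad_rcpts_by_relay(log_text):
    """Map each relay to a list of per-session 'User unknown' counts."""
    per_session = Counter()
    relay_of = {}
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            per_session[m.group(1)] += 1
            continue
        m = RELAY_RE.search(line)
        if m:
            relay_of[m.group(1)] = m.group(2).strip()
    result = {}
    for qid, count in per_session.items():
        # Sessions that never logged a from= line are kept under a marker.
        result.setdefault(relay_of.get(qid, "unknown-relay"), []).append(count)
    return result


def sessions_over(log_text, threshold):
    """Relays with at least one session of `threshold` or more bad recipients."""
    counts = bad_rcpts_by_relay(log_text)
    return sorted(r for r, c in counts.items() if max(c) >= threshold)


if __name__ == "__main__":
    for relay in sessions_over(SAMPLE_LOG, 5):
        print(relay, bad_rcpts_by_relay(SAMPLE_LOG)[relay])
```

A single mistyped address, as in the second constructed session, stays well below the threshold, while the probing session stands out.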


