mikea at MIKEA.ATH.CX
Fri Nov 7 15:13:30 GMT 2003
On Fri, Nov 07, 2003 at 10:06:57AM -0500, Denis Beauchemin wrote:
> We've had those compromised Windows also and it really put a high load
> (and big backlog) on our MS servers.
> I wrote a Perl script that watches my maillog every 5 minutes (root's
> crontab) and if there are more than 80% of incoming mail from one IP
> address it blocks it in ipchains/iptables, stops MS and sendmail,
> removes all undelivered mail containing that IP address from the spool
> directories, restarts MS (and sendmail) and sends an email to our
> security group about it.
> It works fine on our RH 7.3 and 9 systems.
> If anyone is interested, I can post it.
Yes, please. Or perhaps someone is willing to host it on a website?
mikea at mikea.ath.cx
Tired old sysadmin
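
The check described in the quoted message (one IP address accounting for more than 80% of incoming mail in the log window) can be sketched as follows; this is an added example in Python, not Denis's Perl script, which does not appear on this page. It assumes sendmail's usual `from=... relay=... [ip]` log lines; the minimum-volume floor, the allowlist, the sample log lines and all function names are assumptions made for the example.

```python
import re
from collections import Counter

# sendmail logs one "from=" line per accepted message; the connecting host
# appears as relay=name [ip] or relay=[ip].
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: \w+: from=.*relay=[^\[\]]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

THRESHOLD = 0.80           # from the post: "more than 80%"
MIN_MESSAGES = 20          # assumption: skip windows too small to judge
ALLOWLIST = {"127.0.0.1"}  # assumption: never count or block local submission

def relay_counts(lines):
    """Count accepted messages per connecting IP, ignoring allowlisted hosts."""
    counts = Counter()
    for line in lines:
        m = FROM_LINE.search(line)
        if m and m.group(1) not in ALLOWLIST:
            counts[m.group(1)] += 1
    return counts

def dominant_relay(lines, threshold=THRESHOLD, min_messages=MIN_MESSAGES):
    """Return the IP whose share of the window exceeds threshold, else None."""
    counts = relay_counts(lines)
    total = sum(counts.values())
    if not counts or total < min_messages:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n / total > threshold else None

def block_rule(ip):
    """iptables argv that drops SMTP from ip (built here, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip,
            "-p", "tcp", "--dport", "25", "-j", "DROP"]

def sample_line(qid, ip):
    """Constructed log line in sendmail's format (documentation addresses)."""
    return (f"Nov  7 10:05:01 mail sendmail[4321]: {qid}: from=<user@example.org>, "
            f"size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[{ip}]")

# Constructed five-minute windows: one flooding host, and an even spread.
FLOOD = ([sample_line(f"hA7F5q{i:03d}", "192.0.2.77") for i in range(45)]
         + [sample_line(f"hA7F5r{i:03d}", f"198.51.100.{i + 1}") for i in range(5)])
NORMAL = [sample_line(f"hA7F5s{i:03d}", f"198.51.100.{i % 10 + 1}") for i in range(50)]

if __name__ == "__main__":
    for name, window in (("flood", FLOOD), ("normal", NORMAL)):
        ip = dominant_relay(window)
        print(name, ip, " ".join(block_rule(ip)) if ip else "no action")
```

The volume floor keeps a quiet five-minute window, where a single legitimate sender can easily exceed 80%, from triggering a block.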