[OT] sendmail equivalent of zmailer's MaxSameIpSource ??

paddy paddy at PANICI.NET
Thu Dec 30 16:12:41 GMT 2004


On Thu, Dec 30, 2004 at 10:21:01AM -0500, Vlad Mazek wrote:
> There is some excellent code in Vispan that you can tweak to do this
> with sendmail. Essentially scan the maillog for the logged connections
> and write to access.db (or iptables/ipchains) to reject further
> connections. By default Vispan only scans for viruses and spam but you
> can easily implement that for any host that shows up in the logs.
>
> You can find more about vispan at http://www.while.homeunix.net/mailstats/
>
> -Vlad

Thanks.  One of the things that threw me initially is the paucity of logging for
these connections (LogLevel 9).

The direction I'm currently heading in is something like this:

netstat -n | grep :25 | cut -c45-65 | sed 's/:.*//' | sort  | uniq -c | egrep "^ *[0-9]{2}"

then I'm thinking, poor man's snort:

tcpdump -s0 -w <tracefile> host $IP

'cos I'd like to know what's going on ...

up to some number of connections, after which I'll just block them on the firewalling

I'm also looking to see if there's a setting of sendmail's LogLevel that I'd be more
comfortable with.

The number of connections seems to ramp up over some time (half-an-hour or more) so
I figure sh and cron will be enough for now.

Regards,
Paddy
--
Perl 6 will give you the big knob. -- Larry Wall

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
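The netstat-count-then-capture-then-block loop Paddy sketches above, as an added example (not code from the original post, from Vispan, or from MailScanner). It reads `netstat -n` style output, counts connections to local port 25 per remote address with awk on the Foreign Address column instead of the fixed `cut -c45-65`, and for every source at or above a threshold prints the tcpdump capture and iptables block commands rather than running them. The netstat column layout ($4 local, $5 foreign), the trace file path under /var/tmp, the sample connection table and its addresses are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: per-source SMTP connection
# counting from netstat-style output, with the follow-up tcpdump and
# iptables commands printed as a dry run.
#
# Assumed column layout of Linux `netstat -n`: $4 = Local Address ("ip:port"),
# $5 = Foreign Address ("ip:port"). Parsing by field rather than by
# character column (cut -c45-65) survives differences in address width.

# Constructed sample of `netstat -n` output; addresses are documentation
# ranges, not real hosts.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:41022      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41023      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41024      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:50001       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:60000      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:50002       TIME_WAIT
tcp        0      0 192.0.2.10:25           203.0.113.44:3333       ESTABLISHED'

# smtp_sources THRESHOLD  (netstat output on stdin)
# Prints "count ip" for each remote IP with at least THRESHOLD connections
# to local port 25, highest count first. Only port 25 is counted, so the
# ssh session from 198.51.100.7 in the sample is ignored.
smtp_sources() {
    threshold="${1:-10}"
    awk -v min="$threshold" '
        $1 ~ /^tcp/ && $4 ~ /:25$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)     # strip the remote port; works for ::ffff: forms too
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# capture_cmd IP
# The full-packet capture from the post; the trace file path is an assumption.
capture_cmd() {
    echo "tcpdump -s0 -w /var/tmp/smtp-$1.pcap host $1"
}

# block_rule IP
# The firewall rule that would stop further SMTP connections from IP.
# Echoed, not executed, so the script is safe to run while tuning the
# threshold; pipe the output into sh once you trust it.
block_rule() {
    echo "iptables -I INPUT -p tcp -s $1 --dport 25 -j DROP"
}

# Dry run: threshold 2 flags two of the three sources in the sample.
printf '%s\n' "$SAMPLE_NETSTAT" | smtp_sources 2 | while read -r count ip; do
    echo "# $count SMTP connections from $ip"
    capture_cmd "$ip"
    block_rule "$ip"
done
```

Run from cron with `netstat -n | smtp_sources 10` substituted for the sample, and keep the threshold well above what a legitimate relay or a busy mailing-list host opens in parallel; the dry-run output is the list you would review before letting the rule apply itself.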



