[OT] sendmail equivalent of zmailer's MaxSameIpSource ??

Vlad Mazek vlad at MAZEK.COM
Sat Jan 1 17:14:58 GMT 2005

Probably better than what we're doing, at least for a single server for
realtime blocking. I did something similar earlier in my career and it
wasn't pretty - our primary routes went down and I had all the mail
flowing through a single T1... the server got clogged up with
attachments, connections started crawling and I ended up firewalling
every major ISP in the United States :)

You might want to resolve those addresses too and check against major
providers. I regularly have a few hundred connections from legit ISPs
(especially foreign ones) on production servers, so you might want to have
an exclusion list and some sort of a backend db to track these drops
over time (most of the folks we block are notorious repeat offenders or
open relays and such).

-Vlad

paddy wrote:

>netstat -n | grep :25 | cut -c45-65 | sed 's/:.*//' | sort  | uniq -c | egrep "^ *[0-9]{2}"
>
>then I'm thinking, poor man's snort:
>
>tcpdump -s0 -w <tracefile> host $IP
>
>
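
An added example (not from this thread) of the approach Vlad describes: count SMTP connections per source from netstat output, skip an exclusion list of big providers, and keep a backend db of drops so repeat offenders show up over time. The netstat lines, the 203.0.113.0/24 exclusion and the threshold of 3 are constructed assumptions for the example.

```python
"""Count SMTP connections per source from netstat, skip an exclusion list,
and log offenders to SQLite so repeat offenders are visible over time."""
import ipaddress
import re
import sqlite3
from collections import Counter

# Constructed sample of `netstat -n` output (Linux column layout).
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:25          198.51.100.7:41002      ESTABLISHED
tcp        0      0 192.0.2.10:25          198.51.100.7:41003      ESTABLISHED
tcp        0      0 192.0.2.10:25          198.51.100.7:41004      ESTABLISHED
tcp        0      0 192.0.2.10:25          203.0.113.5:50211       ESTABLISHED
tcp        0      0 192.0.2.10:25          203.0.113.5:50212       ESTABLISHED
tcp        0      0 192.0.2.10:25          203.0.113.5:50213       ESTABLISHED
tcp        0      0 192.0.2.10:22          203.0.113.9:60001       ESTABLISHED
"""
# Assumed exclusion list: networks of big providers we never want to block.
EXCLUDED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# proto recv-q send-q local:port remote:port ...
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def count_smtp_sources(netstat_text, local_port=25):
    """Return Counter of remote IP -> number of connections to local_port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) == local_port:
            counts[m.group(3)] += 1
    return counts

def is_excluded(ip):
    return any(ipaddress.ip_address(ip) in net for net in EXCLUDED_NETS)

def find_offenders(netstat_text, threshold=3):
    """Sources at or above threshold that are not on the exclusion list."""
    return sorted(ip for ip, n in count_smtp_sources(netstat_text).items()
                  if n >= threshold and not is_excluded(ip))

def open_db(path=":memory:"):
    """Open the tracking database (in-memory by default for this example)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS drops "
                 "(ip TEXT, seen TEXT DEFAULT CURRENT_TIMESTAMP)")
    return conn

def record_drops(conn, offenders):
    """Log each offender and return total hits per IP across all runs."""
    conn.executemany("INSERT INTO drops (ip) VALUES (?)", [(ip,) for ip in offenders])
    return dict(conn.execute("SELECT ip, COUNT(*) FROM drops GROUP BY ip").fetchall())
```

Run it from cron against real `netstat -n` output with a file-backed database to see which sources keep coming back; 203.0.113.5 is over the threshold in the sample but never reported because it is on the exclusion list.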

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!