LDAP and beyond ......possibly a new Mailscanner feature request

Vlad Mazek vlad at MAZEK.COM
Thu Jan 6 00:44:22 GMT 2005



You can hack Vispan (probably be faster to write your own snippet) to
parse the maillog and look for a pattern of dictionary attacks coming
from the same IP address (just scan the maillog for the error code
you are issuing "user unknown"). You _should not_ be giving out more
than 3 failures a day to a server with no PTR record -- They should be
immediately moved to a firewall rule and blocked from contacting the
server completely. Not just because you want to keep the dictionary
attacks off the server but because these "servers" are usually 0wn3d
boxes that will launch random attacks on your network sooner or later.

This is a bit beyond the scope of what MailScanner does as the content
scanner; these kinds of plugins are best left for independent
third-party utilities that you should customize for your environment.

-Vlad

Venkata Achanta wrote:

>We have successfully implemented "Making sendmail only accept mail to
>genuine Exchange users" in our environment, thanks Kevin.
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/270.html
>
>However I feel that we are not completely gaining advantage just by doing
>this.
>
>But the spammer is gaining knowledge of what the valid address list is just
>by doing a dictionary attack on the SMTP server, i.e. we are answering the
>spammer's questions and finally making him knowledgeable about the valid
>users, so that he can more effectively spam.
>
>Is there a way to stop giving out these messages back from sendmail/MTA
>side and also can we blacklist the spammer's IP (just like what Vispan
>does)?
>
>Can this functionality be included in MailScanner if the MTA can't do it,
>i.e. instead of kicking back, accept the message and track the ip/domain of
>the spammer and blacklist it for a timeframe.
>
>PERM_FAILURE: SMTP Error (state 10): 550 5.0.0 <vi at xyz.com>...User
>unknown
>
>Any suggestions/ideas?
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>
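
The maillog scan suggested in the reply above, as an added example that is not part of the original post or of Vispan/MailScanner: it pairs each "User unknown" rejection with the relay of the same queue ID and lists no-PTR relays that exceed 3 failures in a day. The log line shapes, the reading of a bare `relay=[ip]` as "no PTR", the sample log and the function name are assumptions.

```python
import re
from collections import Counter

# Assumed sendmail syslog shapes (constructed, not taken from the post):
#   "<qid>: <rcpt>... User unknown"  and  "<qid>: from=..., relay=[ip]"
# A relay logged as a bare "[ip]" with no hostname is treated as "no PTR".
LINE = re.compile(r"^(\w{3}\s+\d+) \S+ \S+ sendmail\[\d+\]: (\w+): (.*)$")
RELAY = re.compile(r"relay=(?:(\S+) )?\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

SAMPLE_LOG = """\
Jan  5 23:10:01 mx sendmail[411]: j05NA1aa000411: <aaron@xyz.com>... User unknown
Jan  5 23:10:01 mx sendmail[411]: j05NA1aa000411: <abby@xyz.com>... User unknown
Jan  5 23:10:02 mx sendmail[411]: j05NA1aa000411: <adam@xyz.com>... User unknown
Jan  5 23:10:02 mx sendmail[411]: j05NA1aa000411: from=<x@example.org>, size=0, nrcpts=0, relay=[203.0.113.5]
Jan  5 23:40:09 mx sendmail[502]: j05Ne9bb000502: <alan@xyz.com>... User unknown
Jan  5 23:40:09 mx sendmail[502]: j05Ne9bb000502: from=<x@example.org>, size=0, nrcpts=0, relay=[203.0.113.5]
Jan  5 23:50:00 mx sendmail[610]: j05No0cc000610: <typo@xyz.com>... User unknown
Jan  5 23:50:00 mx sendmail[610]: j05No0cc000610: from=<bob@example.net>, size=0, nrcpts=0, relay=mail.example.net [198.51.100.7]
Jan  5 23:55:00 mx sendmail[700]: j05Nt0dd000700: <old@xyz.com>... User unknown
Jan  5 23:55:00 mx sendmail[700]: j05Nt0dd000700: from=<c@example.com>, size=0, nrcpts=0, relay=[192.0.2.9]
"""

def dictionary_attackers(lines, limit=3):
    """Return {(day, ip): failures} for no-PTR relays that drew more than
    `limit` "User unknown" rejections on one day."""
    unknown = Counter()  # (day, qid) -> rejected recipients
    relay = {}           # qid -> (ptr_name or None, ip)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        day, qid, rest = m.groups()
        if rest.endswith("User unknown"):
            unknown[(day, qid)] += 1
        elif rest.startswith("from="):
            r = RELAY.search(rest)
            if r:
                relay[qid] = r.groups()
    per_ip = Counter()
    for (day, qid), count in unknown.items():
        name, ip = relay.get(qid, (None, None))
        if ip and name is None:
            per_ip[(day, ip)] += count
    return {key: n for key, n in per_ip.items() if n > limit}

if __name__ == "__main__":
    for (day, ip), n in dictionary_attackers(SAMPLE_LOG.splitlines()).items():
        print(f"{day} {ip} {n} unknown-user rejections, no PTR: block candidate")
```

The returned addresses are candidates for the firewall rule the reply describes; relays that do resolve to a hostname are counted out here because the reply gives no threshold for them.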
