Blocking IPs after a while

René Berber r.berber at
Wed Jun 20 05:11:18 IST 2007

Marcel Blenkers wrote:

> currently i am seeing a lot of mails towards a user, who does not exist on 
> the mail-server or the system.
> There are a lot of different ips, always trying to send to this specific 
> user. So, they are not changing the to-field, they are always trying to 
> send it to this user..
> There are about 20 different ips trying to send to this user..some of them 
> belong to some *.jp-domains.
> Ok, there is no problem with those ips sending to an unknown user, but 
> they are flooding my maillog ;)
> Is there a chance to block those ips automatically?

Yep, I use milter-error which blacklists them after a given number of errors for
a given amount of time.  Also sendmail's rate control which tries to slow them
down (and many spammers do try a lot even after receiving the 450 response).

That one is the automatic procedure, I also use a semi-auto procedure adding the
worst offenders to the tcp-wrappers blacklist (my sendmail is built with
tcp-wrapper support).

I have not tried firewall blocking, which would be better since now sendmail
accepts the connection and shows them the few operations they can do: none
useful to send mail.

> Like vispan for example.
> So i could set up a rule like 
> After 10 unknown users block ip for x hours via access-rule..

Not all offenders act the same, I have some computer in China trying to relay
through our server, once every day, they have been in the hosts.deny list for
more than a year... and keep trying.

> Any ideas are welcome..
> and no, there is no chance to block those ips via firewall, as i do not 
> have the rights to handle the firewall on my own..
> and my provider says, some other users behind the firewall would love to 
> have those mails.. *shrug*
> ok..he could setup an individual rule-set for me..told him that..
> answer: "Then i have to setup individual rulesets for everyone"..
> Thanks in advance..

The log doesn't get much cleaner, the spammers keep trying, the difference is
they don't get the chance to try usernames or anything else, so you see only
"reject" messages.
René Berber
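
An added example, not part of the original post and not code from milter-error or sendmail: a sketch of the semi-automatic procedure described above, counting "User unknown" rejections per relay IP inside a time window and printing tcp-wrappers deny lines for a human to review. The log lines are constructed; pairing the rejection with the relay address through the queue ID, the function names, and the year 2007 (syslog timestamps omit it) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on sendmail syslog lines. Assumption: the
# "User unknown" line and the later from=/relay= line share a queue ID.
SAMPLE_LOG = """\
Jun 20 04:00:01 mx sendmail[101]: l5K401aa000101: <ghost@example.org>... User unknown
Jun 20 04:00:02 mx sendmail[101]: l5K401aa000101: from=<a@example.net>, size=0, nrcpts=0, relay=host.example.jp [203.0.113.5]
Jun 20 04:05:10 mx sendmail[102]: l5K405bb000102: <ghost@example.org>... User unknown
Jun 20 04:05:11 mx sendmail[102]: l5K405bb000102: from=<b@example.net>, size=0, nrcpts=0, relay=host.example.jp [203.0.113.5]
Jun 20 04:10:00 mx sendmail[103]: l5K410cc000103: <ghost@example.org>... User unknown
Jun 20 04:10:01 mx sendmail[103]: l5K410cc000103: from=<c@example.net>, size=0, nrcpts=0, relay=[198.51.100.7]
Jun 20 07:30:00 mx sendmail[104]: l5K730dd000104: <ghost@example.org>... User unknown
Jun 20 07:30:01 mx sendmail[104]: l5K730dd000104: from=<c@example.net>, size=0, nrcpts=0, relay=[198.51.100.7]
Jun 20 07:31:00 mx sendmail[105]: l5K731ee000105: from=<d@example.net>, size=512, nrcpts=1, relay=[192.0.2.44]
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): (.*)$")
RELAY_IP = re.compile(r"relay=[^,]*\[(\d+\.\d+\.\d+\.\d+)\]")  # IPv4 only

def find_offenders(lines, threshold=10, window=timedelta(hours=1), year=2007):
    """Return relay IPs with >= threshold unknown-user rejections inside window."""
    unknown = defaultdict(list)   # queue ID -> times of "User unknown" lines
    hits = defaultdict(deque)     # relay IP -> rejection times still in window
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, qid, rest = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if rest.endswith("User unknown"):
            unknown[qid].append(when)
            continue
        ip = RELAY_IP.search(rest)
        if not ip or qid not in unknown:
            continue              # normal delivery, or no rejection to attribute
        recent = hits[ip.group(1)]
        for t in unknown.pop(qid):
            recent.append(t)
            while t - recent[0] > window:   # drop rejections older than window
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(ip.group(1))
    return sorted(flagged)

def hosts_deny_lines(ips, daemon="sendmail"):
    # tcp-wrappers syntax is "daemon_list : client_list"
    return [f"{daemon}: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(find_offenders(SAMPLE_LOG, threshold=2))))
```

The script only prints candidate lines; it does not edit hosts.deny or expire entries after a set number of hours.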
