dealing with dictionary attacks

--[ UxBoD ]-- uxbod at splatnix.net
Mon Mar 5 11:36:13 CET 2007


On Mon, 05 Mar 2007 15:50:48 +0530
Dhawal Doshy <dhawal at netmagicsolutions.com> wrote:

> --[ UxBoD ]-- wrote:
> > On Mon, 05 Mar 2007 01:52:28 -0800
> > Chris Yuzik <itdept at fractalweb.com> wrote:
> > 
> >> We're beginning to really try to harden our external mail server. 
> >> MailScanner is generally doing great.
> >>
> >> As I watch my maillog data flow up my screen, I'm seeing tons of "... 
> >> User unknown" messages and many of them are coming from a handful of IP 
> >> addresses. Obviously, I would like the server's bandwidth and cpu cycles 
> >> to be used for more productive things than dealing with what is (likely) 
> >> a zombie machine running through a list of possible accounts at our domain.
> >>
> >> Is there a trustworthy milter that will say, for example, "15 bad email 
> >> addresses to our server within an hour and bang...the sender is 
> >> blacklisted for say 36 hours"?
> >>
> >> Thanks
> > http://policyd.sourceforge.net
> 
> You do not need a policy server for this.. simply use 
> smtpd_hard_error_limit.. however from the OP's mail it looks like he is 
> a sendmail user..
> 
> Now for the OP:
> Did you even google for "your_mta dictionary attack" before asking the 
> list? for sendmail here are the first and second links from google.
> http://www.technoids.org/dossed.html#3.2
> http://notbrainsurgery.livejournal.com/23066.html
Dhawal,

I agree that smtp_hard_error_limit could be used, but the OP is asking about blocking the remote MTA for a period of time.
Yes, it does look like the OP is using Sendmail, so Policyd would not work anyway ;)

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP:uxbod at sip.splatnix.net
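
The rule asked for in the thread (15 bad recipient addresses from one relay within an hour, then a 36-hour block) can be prototyped over maillog lines. This is an added example, not code from any poster or from the tools linked above; the log line layout, the sample lines and the names `find_offenders` and `sample_log` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 15                    # bad recipients ...
WINDOW = timedelta(hours=1)       # ... seen within this sliding window
BLOCK_FOR = timedelta(hours=36)   # how long the relay then stays blocked

# Assumed layout: syslog timestamp, a relay=[ip] field and the
# "User unknown" text on the same line. Adjust to your own maillog.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*"
                     r"relay=(?:\S+\s)?\[(?P<ip>[0-9A-Fa-f.:]+)\].*User unknown")

def find_offenders(lines, year=2007):
    """Return {ip: block_expiry} for relays that hit THRESHOLD inside WINDOW."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    blocked = {}                  # ip -> datetime at which the block lapses
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in blocked and ts < blocked[ip]:
            continue              # still inside an active block
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > WINDOW:
            hits.popleft()        # forget rejections older than the window
        if len(hits) >= THRESHOLD:
            blocked[ip] = ts + BLOCK_FOR
            hits.clear()
    return blocked

def sample_log():
    """Constructed maillog lines: a fast guesser, a slow one, a stray typo."""
    fmt = ("Mar  5 {t} mx sendmail[2101]: l25A0001: ruleset=check_rcpt, "
           "arg1=<user{n}@example.com>, relay=[{ip}], "
           "reject=550 5.1.1 <user{n}@example.com>... User unknown")
    start = datetime(2007, 3, 5, 10, 0, 0)
    def at(minutes): return (start + timedelta(minutes=minutes)).strftime("%H:%M:%S")
    out = ["Mar  5 10:01:00 mx sendmail[2102]: l25A0002: to=<a@example.com>, stat=Sent"]
    for n in range(15):
        out.append(fmt.format(t=at(2 * n), n=n, ip="192.0.2.10"))   # 15 in 28 min
        out.append(fmt.format(t=at(5 * n), n=n, ip="203.0.113.5"))  # 15 in 70 min
    out += [fmt.format(t=at(n), n=n, ip="198.51.100.7") for n in range(3)]
    return sorted(out)            # same day, so text order is time order

if __name__ == "__main__":
    for ip, until in find_offenders(sample_log()).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M}")
```

The relay that spreads its 15 guesses over 70 minutes never has more than 13 rejections inside one window, so it stays under the rule; lowering `THRESHOLD` or widening `WINDOW` is how that trade-off is tuned.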

