dealing with dictionary attacks
Dhawal Doshy
dhawal at netmagicsolutions.com
Mon Mar 5 11:46:13 CET 2007
--[ UxBoD ]-- wrote:
> On Mon, 05 Mar 2007 15:50:48 +0530
> Dhawal Doshy <dhawal at netmagicsolutions.com> wrote:
>
>> --[ UxBoD ]-- wrote:
>>> On Mon, 05 Mar 2007 01:52:28 -0800
>>> Chris Yuzik <itdept at fractalweb.com> wrote:
>>>
>>>> We're beginning to really try to harden our external mail server.
>>>> MailScanner is generally doing great.
>>>>
>>>> As I watch my maillog data flow up my screen, I'm seeing tons of "...
>>>> User unknown" messages and many of them are coming from a handful of IP
>>>> addresses. Obviously, I would like the server's bandwidth and CPU cycles
>>>> to be used for more productive things than dealing with what is (likely)
>>>> a zombie machine running through a list of possible accounts at our domain.
>>>>
>>>> Is there a trustworthy milter that will say, for example, "15 bad email
>>>> addresses to our server within an hour and bang...the sender is
>>>> blacklisted for say 36 hours"?
>>>>
>>>> Thanks
>>> http://policyd.sourceforge.net
>> You do not need a policy server for this.. simply use
>> smtpd_hard_error_limit.. however from the OP's mail it looks like he is
>> a sendmail user..
>>
>> Now for the OP:
>> Did you even google for "your_mta dictionary attack" before asking the
>> list? For sendmail, here are the first and second links from google.
>> http://www.technoids.org/dossed.html#3.2
>> http://notbrainsurgery.livejournal.com/23066.html
> Dhawal,
>
> I agree that smtp_hard_error_limit could be used, but the OP is asking about blocking the remote MTA for a period of time.
> Yes, it does look like the OP is using Sendmail so Policyd would not work anyway ;)
Oops, as usual I love to be trigger-happy..
SEC/Swatch can be used for something like this, example:
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore
You can eliminate the database and rbldnsd and start appending "IP:Deny
#Timestamp" to /etc/mail/access (in the correct format for sendmail) and
write another cron script to clean up older entries based on the timestamp.
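As an added illustration (not code from this thread or from SEC/Swatch), here is the counting and expiry logic such a script needs, using the OP's numbers of 15 bad recipients per hour and a 36-hour block. The maillog line layout, the "dictblock" comment marker used to carry the timestamp, and the Connect:/REJECT access-map form are assumptions; the log lines are constructed.

```python
import calendar
import re
import time
from collections import defaultdict

# Assumed sendmail "User unknown" rejection layout (adjust LINE_RE to your maillog):
# syslog timestamp, a relay=[ip] field somewhere, "User unknown" at the end.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*relay=\S*\[(?P<ip>[\d.]+)\].*User unknown")

# Constructed sample: one relay probes three unknown users, another makes one typo.
SAMPLE_LOG = """\
Mar  5 11:40:01 mx sendmail[101]: l25A1: ruleset=check_rcpt, arg1=<aa@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aa@example.com>... User unknown
Mar  5 11:41:07 mx sendmail[102]: l25A2: ruleset=check_rcpt, arg1=<ab@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <ab@example.com>... User unknown
Mar  5 11:45:30 mx sendmail[103]: l25A3: ruleset=check_rcpt, arg1=<ac@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <ac@example.com>... User unknown
Mar  5 11:50:00 mx sendmail[104]: l25A4: ruleset=check_rcpt, arg1=<typo@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <typo@example.com>... User unknown
"""

def offenders(log, threshold=15, window=3600):
    """IPs with >= threshold 'User unknown' rejections inside any sliding window (seconds)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog stamps carry no year; 2007 assumed for parsing
            tm = time.strptime(f"2007 {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(calendar.timegm(tm))
    hits = set()
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits

def access_entries(ips, now):
    """Access-map text to append: a timestamp comment line before each Connect: entry."""
    return "".join(f"# dictblock {int(now)}\nConnect:{ip}\tREJECT\n" for ip in sorted(ips))

def expire_entries(text, now, ttl=36 * 3600):
    """Cron-side cleanup: drop comment+entry pairs older than ttl, keep all other lines."""
    lines, kept, i = text.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"# dictblock (\d+)$", lines[i])
        if m:
            if now - int(m[1]) < ttl:
                kept.extend(lines[i:i + 2])
            i += 2
        else:
            kept.append(lines[i])
            i += 1
    return "".join(l + "\n" for l in kept)
```

After rewriting /etc/mail/access you still need to rebuild the map (makemap hash) for sendmail to see the change.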