<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:612.0pt 792.0pt;
        margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'>Why don’t you give a try to <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'> <a href="http://www.ossec.net/">http://www.ossec.net/</a><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'>OSSEC does its blocking with iptables<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'>Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'>davor<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'><br>
>>> Dhawal Doshy &lt;dhawal@netmagicsolutions.com&gt; 3/5/2007 11:46
AM >>><br>
--[ UxBoD ]-- wrote:<br>
> On Mon, 05 Mar 2007 15:50:48 +0530<br>
> Dhawal Doshy &lt;dhawal@netmagicsolutions.com&gt; wrote:<br>
> <br>
>> --[ UxBoD ]-- wrote:<br>
>>> On Mon, 05 Mar 2007 01:52:28 -0800<br>
>>> Chris Yuzik &lt;itdept@fractalweb.com&gt; wrote:<br>
>>><br>
>>>> We're beginning to really try to harden our external mail server.
<br>
>>>> MailScanner is generally doing great.<br>
>>>><br>
>>>> As I watch my maillog data flow up my screen, I'm seeing tons
of "... <br>
>>>> User unknown" messages and many of them are coming from a
handful of IP <br>
>>>> addresses. Obviously, I would like the server's bandwidth and
cpu cycles <br>
>>>> to be used for more productive things than dealing with what
is (likely) <br>
>>>> a zombie machine running through a list of possible accounts
at our domain.<br>
>>>><br>
>>>> Is there a trustworthy milter that will say, for example,
"15 bad email <br>
>>>> addresses to our server within an hour and bang...the sender
is <br>
>>>> blacklisted for say 36 hours"?<br>
>>>><br>
>>>> Thanks<br>
>>> <a href="http://policyd.sourceforge.net/">http://policyd.sourceforge.net</a><br>
>> You do not need a policy server for this.. simply use <br>
>> smtpd_hard_error_limit.. however from the OP's mail it looks like he
is <br>
>> a sendmail user..<br>
>><br>
>> Now for the OP:<br>
>> Did you even google for "your_mta dictionary attack" before
asking the <br>
>> list? for sendmail here are the first and second links from google.<br>
>> <a href="http://www.technoids.org/dossed.html#3.2">http://www.technoids.org/dossed.html#3.2</a><br>
>> <a href="http://notbrainsurgery.livejournal.com/23066.html">http://notbrainsurgery.livejournal.com/23066.html</a><br>
> Dhawal,<br>
> <br>
> I agree that smtp_hard_error_limit could be used, but the OP is asking
about blocking the remote MTA for a period of time.<br>
> Yes, it does look like the OP is using Sendmail so Policyd would not work
anyway ;)<br>
<br>
oops, as usual i love to be trigger happy..<br>
<br>
SEC/Swatch can be used for something like this, example:<br>
<a
href="http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore">http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore</a><br>
<br>
You can eliminate the database and rbldnsd and start appending "IP:Deny <br>
#Timestamp" to /etc/mail/access (in the correct format for sendmail) and <br>
write another cron script to clean up older entries based on the timestamp.<br>
-- <br>
MailScanner mailing list<br>
mailscanner@lists.mailscanner.info<br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website! <br>
<br>
-- <br>
This message has been scanned for viruses and<br>
dangerous content by MailScanner, and is<br>
believed to be clean.</span></font><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p>
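<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'>The approach suggested in the quoted reply (timestamped deny entries in /etc/mail/access, expired from cron), with the original poster's numbers of 15 unknown-user rejects within an hour and a 36 hour block, as an added example that is not code from any of the posts. Assumptions: the log-line shape matched by REJECT, the #autoblock comment line that carries the timestamp, log times read as UTC, and the names find_offenders and refresh_access, which are hypothetical.</span></font></p>
<pre>
```python
import calendar, re, time
from collections import defaultdict, deque

# Assumed log shape: one syslog line carrying both the relay IP and the reject.
REJECT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*relay=[^,]*\[([\d.]+)\].*User unknown")
MARK = "#autoblock"  # hypothetical comment marker: "#autoblock EPOCH IP"
# Constructed sample: 15 rejects from 192.0.2.10 in 15 minutes, 2 from 198.51.100.7.
SAMPLE = [f"Mar  5 01:{m:02d}:00 mx1 sendmail[1]: l25x: ruleset=check_rcpt, "
          f"relay=[{ip}], reject=550 5.1.1 User unknown"
          for m in range(15) for ip in ["192.0.2.10"] + ["198.51.100.7"] * (m < 2)]

def find_offenders(lines, year, limit=15, window=3600):
    """Return {ip: epoch} for relays reaching `limit` rejects inside `window` seconds."""
    recent, hit = defaultdict(deque), {}
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        # Syslog stamps carry no year; times are read as UTC (assumption).
        ts = calendar.timegm(time.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
        q = recent[m.group(2)]
        q.append(ts)
        while q[0] + window <= ts:      # forget rejects older than the window
            q.popleft()
        if len(q) >= limit:
            hit.setdefault(m.group(2), ts)
    return hit

def refresh_access(access_lines, offenders, now, ttl=36 * 3600):
    """Drop managed entries older than `ttl`, then append offenders not yet listed."""
    kept, blocked, skip = [], set(), False
    for line in access_lines:
        if skip:                        # entry line that follows an expired marker
            skip = False
            continue
        if line.startswith(MARK):
            _, added, ip = line.split()
            if int(added) + ttl <= now:
                skip = True
                continue
            blocked.add(ip)
        kept.append(line)               # hand-maintained lines pass through untouched
    for ip, ts in sorted(offenders.items()):
        if ip not in blocked and ts + ttl > now:
            kept += [f"{MARK} {ts} {ip}", f"Connect:{ip}\tREJECT"]
    return kept
```
</pre>
<p class=MsoNormal><font size=2 color=black face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;color:black'>After the result is written back to /etc/mail/access, the map has to be rebuilt with makemap before sendmail sees the change.</span></font></p>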
</div>
</body>
</html>