You're looking for the fact that the same IP address is not filling up the logs with error messages. At most you should see only a few error messages from the same IP address, spaced widely apart.

Maybe my definition of "a few" is too low:

Jan 31 01:08:11 indra courieresmtpd: started,ip=[::ffff:218.81.228.26]
Jan 31 01:08:22 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:27 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:30 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:34 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:34 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:38 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:46 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:50 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:50 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:11 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:19 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:23 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:23 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:10:18 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:10:24 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:10:28 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:11:59 indra courieresmtpd: started,ip=[::ffff:218.81.228.26]
Jan 31 01:11:59 indra courieresmtpd: started,ip=[::ffff:218.81.228.26]


It continues on like that for another 10 or so before logging a connection timeout. I've noticed that *most* connections like this only get 3-5 messages in (about 25-30 seconds apart), but occasionally one will sneak through and send 30+ like this without much delay between them (which is what led me to wonder if the tarpit was being activated). Obviously, the tarpit works, since most connections seem to get shut down pretty quickly, but I'm curious why some of these occasionally slip through.

-Chris


_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
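One way to measure what the message above describes, as an added example that is not part of the original post or of Courier itself: group the "550 User unknown" errors by relay and report each relay's error count and median gap between errors, so that relays which were not slowed down stand out. The function names, the thresholds (more than 5 errors, median gap under 20 seconds), the year and the sample addresses are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the courieresmtpd "550 User unknown" lines in the format quoted above.
ERROR_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ courieresmtpd: "
    r"error,relay=(?:::ffff:)?([^,]+),.*: 550 User unknown\.")

def summarize(log_text, year=2005):
    """Return {relay: (error_count, median_gap_seconds or None)}.

    Syslog timestamps carry no year, so `year` is an assumed value.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)].append(stamp)
    result = {}
    for relay, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[relay] = (len(stamps), median(gaps) if gaps else None)
    return result

def slipped_through(log_text, max_errors=5, min_gap=20):
    """Relays with more than max_errors errors whose median gap is under min_gap."""
    return sorted(relay for relay, (count, gap) in summarize(log_text).items()
                  if count > max_errors and gap is not None and gap < min_gap)

def _line(hms, ip):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f"Jan 31 {hms} indra courieresmtpd: error,relay=::ffff:{ip},"
            "from=<a@example.org>,to=<b@example.com>: 550 User unknown.")

# Constructed sample: one relay slowed to ~27 s per error, one at 4 s per error.
SAMPLE_LOG = "\n".join(
    [_line(t, "192.0.2.10") for t in ("01:00:00", "01:00:27", "01:00:55", "01:01:22")]
    + [_line(f"01:05:{s:02d}", "198.51.100.7") for s in range(0, 32, 4)])

if __name__ == "__main__":
    for relay, (count, gap) in summarize(SAMPLE_LOG).items():
        print(relay, count, gap)
    print("not slowed:", slipped_through(SAMPLE_LOG))
```

Pass the contents of the real mail log to `summarize()` in place of `SAMPLE_LOG` and adjust the two thresholds to match the delay the server is expected to impose.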
