Chris Petersen writes:

You're looking for the fact that the same IP address is not filling up the logs with error messages. At most you should see only a few error messages from the same IP address, spaced widely apart.

Maybe my definition of "a few" is too low:

Jan 31 01:08:11 indra courieresmtpd: started,ip=[::ffff:218.81.228.26]
Jan 31 01:08:22 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:27 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:30 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:34 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:34 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:38 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:46 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:50 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:08:50 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:11 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:19 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:23 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:09:23 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:10:18 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:10:24 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:10:28 indra courieresmtpd: error,relay=::ffff:218.81.228.26,from=<[EMAIL PROTECTED]>,to=<[EMAIL PROTECTED]>: 550 User unknown.
Jan 31 01:11:59 indra courieresmtpd: started,ip=[::ffff:218.81.228.26]
Jan 31 01:11:59 indra courieresmtpd: started,ip=[::ffff:218.81.228.26]

It continues on like that for another 10 or so before logging a connection timeout. I've noticed that *most* connections like this only get 3-5 messages in (about 25-30 seconds apart), but occasionally one will sneak through and send 30+ like this without much delay between them (which is what led me to wonder if the tarpit was being activated). Obviously, the tarpit works, since most connections seem to get shut down pretty quickly, but I'm curious why some of these occasionally slip through.

Because eventually they will hit a valid mailbox. No tarpit is perfect.

Furthermore, the default configuration allows a maximum of four simultaneous connections from the same IP address. Any in excess are silently dropped, and not even logged. It's not obvious but your logs do show the attacker trying to use multiple connections.

No tarpit is 100% effective, but without it you'd have even longer logs, and even more crap in the mailboxes.


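The two signals discussed in this exchange (a single relay IP producing many "550 User unknown" rejections close together, and the same IP opening several connections at once, as in the two "started" lines a second apart) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Courier: it parses the courieresmtpd log format quoted above, counts 5xx rejections per relay IP inside a sliding window, and counts how many connections an IP opens within a few seconds. The sample log, the IP addresses (RFC 5737 documentation ranges), the mailbox names and the thresholds are all constructed for illustration, and the year is assumed because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Flag dictionary-attack style senders in courieresmtpd syslog output.

Added example, not Courier's code.  Log format follows the lines quoted in
the thread; sample data and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2004  # assumption: syslog lines carry no year; any value works if all lines share it

# "Mon DD HH:MM:SS host courieresmtpd: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ courieresmtpd: (?P<body>.*)$"
)
STARTED_RE = re.compile(r"^started,ip=\[(?P<ip>[^\]]+)\]$")
ERROR_RE = re.compile(
    r"^error,relay=(?P<ip>[^,]+),from=<[^>]*>,to=<[^>]*>: (?P<code>\d{3}) (?P<text>.*)$"
)


def parse_line(line):
    """Return (timestamp, kind, ip, smtp_code) or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())  # collapse the double space of "Jan  1"
    ts = datetime.strptime(f"{YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    body = m.group("body")
    s = STARTED_RE.match(body)
    if s:
        return ts, "started", s.group("ip"), None
    e = ERROR_RE.match(body)
    if e:
        return ts, "error", e.group("ip"), int(e.group("code"))
    return None


def per_ip_events(lines):
    """Group parsed events by relay IP, keeping log order."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, kind, ip, code = parsed
            events[ip].append((ts, kind, code))
    return events


def max_in_window(timestamps, window_s):
    """Largest number of timestamps that fall inside any window_s-second span."""
    timestamps = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(timestamps):
        while (t - timestamps[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_abusers(lines, max_errors=5, window_s=120, max_starts=2, start_window_s=5):
    """Return {ip: reason} for IPs that exceed either threshold.

    A few widely spaced rejections are what a legitimate sender produces; a
    burst of 5xx rejections is an address-guessing run.  Several "started"
    lines within seconds mean the sender is opening parallel connections.
    Both thresholds are constructed defaults, to be tuned per site.
    """
    verdict = {}
    for ip, evs in per_ip_events(lines).items():
        errs = [ts for ts, kind, code in evs if kind == "error" and 500 <= code < 600]
        starts = [ts for ts, kind, _ in evs if kind == "started"]
        reasons = []
        burst = max_in_window(errs, window_s)
        if burst > max_errors:
            reasons.append(f"{burst} 5xx rejections within {window_s}s")
        parallel = max_in_window(starts, start_window_s)
        if parallel >= max_starts:
            reasons.append(f"{parallel} connections opened within {start_window_s}s")
        if reasons:
            verdict[ip] = "; ".join(reasons)
    return verdict


# Constructed sample in the format quoted in the thread: one guessing host and
# one ordinary sender that mistypes a recipient twice, half an hour apart.
SAMPLE_LOG = """\
Jan 31 01:08:11 indra courieresmtpd: started,ip=[::ffff:192.0.2.10]
Jan 31 01:08:22 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<aaron@example.org>: 550 User unknown.
Jan 31 01:08:27 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<abby@example.org>: 550 User unknown.
Jan 31 01:08:30 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<adam@example.org>: 550 User unknown.
Jan 31 01:08:34 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<adrian@example.org>: 550 User unknown.
Jan 31 01:08:38 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<alan@example.org>: 550 User unknown.
Jan 31 01:08:46 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<albert@example.org>: 550 User unknown.
Jan 31 01:08:50 indra courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<alex@example.org>: 550 User unknown.
Jan 31 01:09:11 indra courieresmtpd: started,ip=[::ffff:192.0.2.10]
Jan 31 01:09:11 indra courieresmtpd: started,ip=[::ffff:192.0.2.10]
Jan 31 02:15:03 indra courieresmtpd: started,ip=[::ffff:198.51.100.7]
Jan 31 02:15:09 indra courieresmtpd: error,relay=::ffff:198.51.100.7,from=<bob@example.com>,to=<bobb@example.org>: 550 User unknown.
Jan 31 02:40:41 indra courieresmtpd: started,ip=[::ffff:198.51.100.7]
Jan 31 02:40:47 indra courieresmtpd: error,relay=::ffff:198.51.100.7,from=<bob@example.com>,to=<bob@example.org>: 550 User unknown.
"""

if __name__ == "__main__":
    for ip, reason in find_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {reason}")
```

Run against a real log with `find_abusers(open("/var/log/mail.log").read().splitlines())`. Two caveats follow from the reply above: connections beyond the per-IP cap are dropped without any log line, so the "started" count is a lower bound on what the sender attempted; and a host that is throttled to a few rejections per minute by the tarpit can still stay under `max_errors` for a long run, so a longer `window_s` (or a per-day total) catches the slow cases the short window misses.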