Ray Collett wrote:

>   I was wondering if anyone had made some extensions/rules to scan
> sendmail logs for spam attempts?

No, but sendmail has options to limit those (rate limits in access DB), and 
then...

>  I've recently been under siege from
> the script kiddies trying to send mail to every possible user in their
> database.

I use milter-error to blacklist temporarily those repeated attempts, and also...

>  I've got thousands of "User Unknown" errors from the same
> relay that I'd love to deny.

Since I built sendmail with tcp_wrappers support, I permanently blacklist those.

>  I've also had a lot of brute-force POP3
> login attempts.  Anyone do anything with Dovecot logs?

POP3 is very rare, I've only seen one attack and it was successful: they did get
the password for user oracle, but it didn't do them any good; that user has no
email and has no access to log in to the machine.

Sendmail well configured is no problem, just the annoyance of logs filled with
REJECT messages, plus the real dictionary attacks (which in Solaris show in
authlog) from people trying to use the server as relay by breaking a TLS/SSL
password, usually with nonexistent users like "anonymous" and "webmaster".  The
problem with the last ones is that saslauthd does not record the IP, so you have
to check sendmail's "possible SMTP attack: command=AUTH" message.

So the answer to your question is no, I don't use DenyHosts with sendmail.
Perhaps in the future, but there is no great need for it.
-- 
René Berber
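
An added example, not part of the original message and not DenyHosts code: a log scan that tallies "User unknown" rejections and "possible SMTP attack: command=AUTH" reports per relay IP. The "User unknown" lines carry only a queue ID, so they are joined to the later from= line that names the relay. The syslog layout is an assumption, the sample lines are constructed, and `scan` and its thresholds are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines; the layout assumes a typical sendmail syslog format.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx sendmail[2101]: l23A01aa002101: <alice1@example.org>... User unknown
Mar  3 10:00:01 mx sendmail[2101]: l23A01aa002101: <bob2@example.org>... User unknown
Mar  3 10:00:02 mx sendmail[2101]: l23A01aa002101: from=<x@spam.test>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=bad.example.net [192.0.2.10]
Mar  3 10:05:00 mx sendmail[2150]: l23A05bb002150: <carol@example.org>... User unknown
Mar  3 10:05:01 mx sendmail[2150]: l23A05bb002150: from=<y@ok.test>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
Mar  3 10:09:00 mx sendmail[2200]: l23A09cc002200: [203.0.113.5]: possible SMTP attack: command=AUTH, count=6
Mar  3 10:09:30 mx sendmail[2201]: l23A09dd002201: dsl.example.net [203.0.113.5]: possible SMTP attack: command=AUTH, count=4
"""

IP = r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]"
LINE = re.compile(r"(?:sendmail|sm-mta)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY = re.compile(r"relay=.*?" + IP)
AUTH = re.compile(IP + r": possible SMTP attack: command=AUTH, count=(?P<n>\d+)")

def scan(lines, unknown_threshold=2, auth_threshold=5):
    """Return (unknown_user_offenders, auth_offenders) as {ip: count} dicts."""
    unknown_by_qid = Counter()  # rejections seen so far, keyed by queue ID
    unknown_by_ip = Counter()
    auth_by_ip = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.endswith("User unknown"):
            unknown_by_qid[qid] += 1
        elif rest.startswith("from="):
            relay = RELAY.search(rest)
            if relay:  # attribute this session's rejections to its relay IP
                unknown_by_ip[relay.group("ip")] += unknown_by_qid.pop(qid, 0)
        else:
            auth = AUTH.search(rest)
            if auth:  # sum the reported counts across sessions
                auth_by_ip[auth.group("ip")] += int(auth.group("n"))
    return ({ip: n for ip, n in unknown_by_ip.items() if n >= unknown_threshold},
            {ip: n for ip, n in auth_by_ip.items() if n >= auth_threshold})

if __name__ == "__main__":
    unknown, auth = scan(SAMPLE_LOG.splitlines())
    for ip, n in sorted(unknown.items()):
        print(f"{ip}: {n} unknown-user rejections")
    for ip, n in sorted(auth.items()):
        print(f"{ip}: {n} failed AUTH commands reported")
```
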


_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
