Tom Kistner wrote:

Marc Perkel wrote:


Basically my idea is that when a dictionary attack occurs I want to block
the IP address for a short period of time as a load reduction trick, with
the chain being cleared every few minutes.


I've been doing this for a few months with very good results. Not to
reduce the load, but unclutter the logs :)

Everyone submitting spam or being matched against an RBL is put on the
blacklist for five minutes. This does wonders for the log size and
readability.

I do this via a script I called "timeban". It's universal so it can be
used for other blocking purposes as well. Handles management of a
blocking chain. Can also manage counters per-IP so you can block IPs
after multiple infractions ... useful for SSH dictionary "attacks" too.

Maybe I'll write some short docs next week and put it in the wiki.

/tom
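A sketch of the kind of "timeban" helper described above, added here as an illustration and not Tom's actual script: a dedicated iptables chain that INPUT jumps to, per-IP infraction counters with a threshold, and a flush meant to run from cron every few minutes. The chain name, state directory and the IPT variable are assumptions of this example; set IPT=echo for a dry run.

```shell
#!/bin/sh
# timeban-style helper (added example, not the script from the list post).
# Offending IPs are appended to chain $CHAIN, which INPUT jumps to; cron
# calls timeban_flush every few minutes to lift all bans at once.
# Assumptions: iptables binary in $IPT (IPT=echo prints the commands instead).
IPT="${IPT:-iptables}"
CHAIN="${TIMEBAN_CHAIN:-TIMEBAN}"
TIMEBAN_STATE="${TIMEBAN_STATE:-/var/run/timeban}"   # one counter file per IP
TIMEBAN_LIMIT="${TIMEBAN_LIMIT:-3}"                  # infractions before a ban

# Create the chain once and hook it in front of the normal INPUT rules.
timeban_setup() {
    mkdir -p "$TIMEBAN_STATE"
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPT" -I INPUT -j "$CHAIN"
}

# Reject anything that is not a dotted-quad so a string pulled out of a log
# line cannot smuggle extra options into the firewall command.
timeban_valid_ip() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    return 0
}

# Drop all traffic from $1 until the next flush.
timeban_block() {
    timeban_valid_ip "$1" || return 1
    "$IPT" -A "$CHAIN" -s "$1" -j DROP
}

# Record one infraction for $1 and ban only once the counter reaches the
# limit. Returns 0 when a ban was issued, 1 otherwise.
timeban_hit() {
    timeban_valid_ip "$1" || return 1
    f="$TIMEBAN_STATE/$1"
    n=$(cat "$f" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$f"
    [ "$n" -ge "$TIMEBAN_LIMIT" ] || return 1
    rm -f "$f"
    timeban_block "$1"
}

# Run from cron every few minutes: lifts every ban and resets all counters.
timeban_flush() {
    "$IPT" -F "$CHAIN"
    rm -f "$TIMEBAN_STATE"/*
}
```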




Tom,

Might that tool also be adaptable to putting bogus/forged HELO strings into an ephemeral "timeban'ed" list?

We see a number of attacks wherein the IPs change (Zombie farm?) but either the addressees or the HELO is the same.

Thanks,

Bill


--
## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
