My log files have grown from 6 MB to 25-33 MB each day just because of these dictionary attacks.

"This is just a sample..."

20040617 000001 127.0.0.1 SMTPD (41710ef800c4c39d) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2248
20040617 000001 127.0.0.1 SMTPD (41710ef800c4c39d) [200.78.68.159] ERR mail.fanosa.com invalid user <[EMAIL PROTECTED]
20040617 000001 127.0.0.1 SMTPD (41710ef900c4c39e) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2249
20040617 000001 127.0.0.1 SMTPD (41710ef900c4c39e) [200.78.68.159] ERR mail.fanosa.com invalid user <[EMAIL PROTECTED]
20040617 000001 127.0.0.1 SMTPD (41710efa00c4c39f) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2251
20040617 000001 127.0.0.1 SMTPD (41710efa00c4c39f) [200.78.68.159] ERR mail.fanosa.com invalid user <[EMAIL PROTECTED]
20040617 000001 127.0.0.1 SMTPD (41710efb00c4c3a0) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2252
20040617 000002 127.0.0.1 SMTPD (41710efb00c4c3a0) [200.78.68.159] ERR mail.fanosa.com invalid user <[EMAIL PROTECTED]
20040617 000002 127.0.0.1 SMTPD (41720efc00c4c3a1) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2254
20040617 000002 127.0.0.1 SMTPD (41720efc00c4c3a1) [200.78.68.159] ERR mail.fanosa.com invalid user <[EMAIL PROTECTED]
20040617 000002 127.0.0.1 SMTPD (41720efd00c4c3a2) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2256
20040617 000002 127.0.0.1 SMTPD (41720efd00c4c3a2) [200.78.68.159] ERR mail.fanosa.com invalid user <[EMAIL PROTECTED]

I really could use some script that counts 15-20 failed connections from the same IP and then writes that address to the IP block file (smtpd32.acc). Has IMail or somebody done something about this??

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, June 21, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Dictionary Attacks and MX Records

Dunno if this will help, but here is a Perl script I use to count IP addresses in the IMail sysXXXX.txt files. It's quick and dirty, but it will give you a list of IP addresses that connected to your server and how many times.

I run the command line from a bat file for ease of use. The drawback is that dictionary attacks are often done with spam zombies, which could keep you busy grepping for a long time.

Rick Davidson
National Systems Manager
North American Title Group

------------------------------------------------------------------------------------------------

#!/usr/bin/perl
# Usage: perl ipcount.pl <path to log file> <limit> <path for output file>
#
# Limit sets the low threshold to weed out the flagrant offenders, this is optional with 300 as the default.
#
# Usage Example: perl ipcount.pl d:\imail\spool\sys0621.txt 300 >d:\ipcount.txt
use strict;
use warnings;

my ($filename, $ip);
my $limit = 0;
my %iptab;   # bracket field => number of log lines carrying it

$filename = shift;
$limit    = shift;
die "Usage: perl ipcount.pl <path to log file> [limit]\n" unless defined $filename;
# Fall back to the default when no limit is given (or when the shell
# redirect character slipped in as the second argument).
if (!$limit || $limit eq '>') {
    $limit = 300;
}

open(my $fh, '<', $filename) or die "can't open file $filename\n";
while (<$fh>) {
    # Count whatever is in the first [...] field of each line. On the
    # ERR lines that is the remote IP; on other lines it may not be.
    if ( /\[(.*?)\]/ ) {
        $iptab{$1}++;
    }
}
close($fh);

foreach $ip (keys %iptab) {
    if ($iptab{$ip} > $limit) {
        printf "\t %-16s \t %3s \n", $ip, $iptab{$ip};
    }
}

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
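The "count 15-20 failed connections from the same IP" request above, as an added example that is not part of either post: it parses the IMail SMTPD log layout quoted in the thread, counts only the sessions that ended in an "invalid user" error (rather than every bracketed field, as the Perl script does) and returns the IPs at or above a threshold. Written in Python rather than Perl; the sample log, addresses and session ids are constructed, and the smtpd32.acc format is not shown in the thread, so the block-file write is left to the administrator.

```python
import re
from collections import defaultdict

# Constructed sample in the IMail SMTPD log layout quoted in the thread
# (addresses and session ids are made up; this is not a real capture).
SAMPLE_LOG = """\
20040617 000001 127.0.0.1 SMTPD (41710ef800c4c39d) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2248
20040617 000001 127.0.0.1 SMTPD (41710ef800c4c39d) [200.78.68.159] ERR mail.fanosa.com invalid user <bogus1@example.com>
20040617 000001 127.0.0.1 SMTPD (41710ef900c4c39e) [xxxxxxxxxxxxx] connect 200.78.68.159 port 2249
20040617 000001 127.0.0.1 SMTPD (41710ef900c4c39e) [200.78.68.159] ERR mail.fanosa.com invalid user <bogus2@example.com>
20040617 000002 127.0.0.1 SMTPD (41710efa00c4c39f) [xxxxxxxxxxxxx] connect 10.0.0.5 port 3301
20040617 000002 127.0.0.1 SMTPD (41710efa00c4c39f) [10.0.0.5] ERR mail.fanosa.com invalid user <typo@example.com>
20040617 000003 127.0.0.1 SMTPD (41710efb00c4c3a0) [xxxxxxxxxxxxx] connect 192.0.2.9 port 4410
"""

# Field layout: date time server-ip SMTPD (session-id) [peer] message...
# Only the ERR lines carry the remote IP in the bracket field; on the
# "connect" lines that field holds something else, so they are skipped.
INVALID_USER = re.compile(
    r"^\d{8} \d{6} \S+ SMTPD \((?P<sid>[0-9a-f]+)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] ERR \S+ invalid user "
)


def failed_sessions_by_ip(lines):
    """Map remote IP -> set of session ids that hit 'invalid user'."""
    sessions = defaultdict(set)
    for line in lines:
        m = INVALID_USER.match(line.rstrip("\r\n"))
        if m:
            sessions[m.group("ip")].add(m.group("sid"))
    return sessions


def offenders(lines, threshold=15):
    """Return [(ip, failed_session_count)] for IPs at or above threshold,
    busiest first, for review before they go into the server's block file."""
    counts = {ip: len(s) for ip, s in failed_sessions_by_ip(lines).items()}
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    # Threshold lowered to 2 only so the short sample produces output.
    for ip, n in offenders(SAMPLE_LOG.splitlines(), threshold=2):
        print(f"{ip:<16} {n:>4}")
```

Sessions are counted by session id, so one remote host that tries several recipients on a single connection counts once, which matches the "failed connections" wording in the request.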
