Len, first off, thanks for sharing your ghba.sh and all the work you put into keeping everyone else on the list up to date!
I finally started messing with anvil yesterday and it's proving to be a quite useful tool. When looking at the output of ghba.sh, it's hard to pinpoint my business customers using SMTP AUTH vs. legit servers vs. the ones that are bad about dictionary attacks. I have made a couple of slight modifications to your ghba.sh to count the number of rejects per IP and the number of successful messages (reject: and client= log entries) into the same report text, making it helpful to tell what each IP is doing when it's not anviled. I hope you don't mind me sharing my changes. They are in the following file: http://home.bsc.net/imgate/ghba.sh.txt (posted the URL rather than dealing with wrapping issues). I have been able to find a lot of dictionary attackers using this info. I hope you find my little contribution helpful.

-Tom

# less /var/tmp/anvil_ptr_sort.txt
=================================================
Wed Mar 3 10:26:54 CST 2004
Quantity of anvil blocks per IP
smtpd_client_connection_rate_limit = 15
client_rate_time_unit = 1800
=================================================
Anvils  Reject  Recvd  IPAddr           Revdns
     4       0     22  68.15.217.186    wsip-68-15-217-186.at.at.cox.net.
    30       2     54  208.251.150.70   host-70.apid.com.
   141       2     75  198.31.62.19     mta.email.orbitz.com.
   171       2    119  209.11.164.110   mh.target.m0.net.
     4      44     12  205.252.98.45    xl-4.syndicatesales.biz.
    31      44     16  205.252.98.46    xl-4.syndicatesales.biz.
    73      45     15  205.252.101.172  ds-17.syndicatesales.biz.
    78      45     17  205.252.101.173  ds-17.syndicatesales.biz.
     1      48      0  65.41.135.235    user235.net714.fl.sprint-hsd.net.
   141      99    174  66.63.162.196    iron.thehdhd.com.
    25     125      7  209.136.90.86
    53     153      2  141.158.130.215
     4     194      0  216.65.116.187
    72     254      0  65.0.129.233     adsl-0-129-233.pns.bellsouth.net.
   844     408      0  209.137.165.254  delmar-209-137-165-254-dsl.cavtel.net.
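As an added illustration of the per-IP counting Tom describes (anvil hits alongside reject: and client= entries), here is a small POSIX shell/awk tally. It is an example written for this page, not Tom's modified ghba.sh and not Len's original script; the log lines are constructed to follow the Postfix 2.1-era smtpd format (including the "Connection rate limit exceeded" warning anvil logs), and reverse-DNS lookups are left out so it runs offline.

```shell
#!/bin/sh
# Added example (not ghba.sh): tally anvil warnings, rejects and accepted
# connections per client IP from Postfix smtpd log lines.

# Constructed sample log lines, not real traffic. Format follows Postfix 2.1:
#   "warning: Connection rate limit exceeded: N from name[ip] for service smtp"
#   "NOQUEUE: reject: RCPT from name[ip]: 5xx ..."
#   "QUEUEID: client=name[ip]"
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:20:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[209.137.165.254]: 550 <nobody@example.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<nobody@example.com> proto=SMTP helo=<bogus>
Mar  3 10:20:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[209.137.165.254]: 550 <nobody2@example.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<nobody2@example.com> proto=SMTP helo=<bogus>
Mar  3 10:20:05 mx postfix/smtpd[1235]: A1B2C3D4E5: client=host-70.apid.com[208.251.150.70]
Mar  3 10:20:09 mx postfix/smtpd[1236]: warning: Connection rate limit exceeded: 16 from unknown[209.137.165.254] for service smtp
Mar  3 10:20:11 mx postfix/smtpd[1237]: B2C3D4E5F6: client=host-70.apid.com[208.251.150.70]
Mar  3 10:20:15 mx postfix/smtpd[1238]: NOQUEUE: reject: RCPT from host-70.apid.com[208.251.150.70]: 554 <bad@example.com>: Relay access denied; from=<bad@example.net> to=<bad@example.com> proto=SMTP helo=<bogus>
EOF
)

# tally_by_ip: read smtpd log lines on stdin and print one line per client IP:
#   "<anvils> <rejects> <recvd> <ip>", sorted by rejects then anvils, descending.
tally_by_ip() {
    awk '
    # Extract the dotted-quad inside "name[a.b.c.d]"; the "smtpd[pid]" token
    # has no dots, so it never matches.
    function client_ip(line) {
        if (match(line, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
            return substr(line, RSTART + 1, RLENGTH - 2)
        return ""
    }
    / postfix\/smtpd\[/ {
        ip = client_ip($0)
        if (ip == "") next
        seen[ip] = 1
        if ($0 ~ /warning: Connection rate limit exceeded:/) anvil[ip]++
        else if ($0 ~ /: reject: /)                          reject[ip]++
        else if ($0 ~ /: client=/)                           recvd[ip]++
    }
    END {
        for (ip in seen)
            printf "%d %d %d %s\n", anvil[ip]+0, reject[ip]+0, recvd[ip]+0, ip
    }' | sort -k2,2nr -k1,1nr
}

# Stand-alone run over the constructed sample.
printf 'Anvils Reject Recvd IPAddr\n'
printf '%s\n' "$SAMPLE_LOG" | tally_by_ip
```

Run it against a real log with `tally_by_ip < /var/log/maillog`. Rows with a large Reject count and zero Recvd are the ones worth a closer look, as in the bottom of Tom's table; a high Anvils count with many Recvd and few rejects is more likely a busy but legitimate sender.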
