On Thu, 15 Dec 2005, David F. Skoll wrote:
> Jan Pieter Cornet wrote:
> > An easier solution might be to have a process tail(1) your logfile and
> > take action on the information there. I think I've even seen something
> > like that: more than x invalid recipients, and you're firewalled away.
> That's much easier. I have a script I run for a similar purpose: It
> firewalls off anyone who attempts to log in via SSH with an invalid
> password. There are lots of SSH brute-forcers around.
After reading these two paragraphs, a worry struck me:
In contrast to SSH connections, you cannot assume that the attacker sits on
"the other side" of an SMTP communication. Maybe the server just relays
the mail or is a huge mail hoster (say, hotmail, gmail, aol); you cannot
firewall them off just because one black sheep is abusing the service?!
Will you really try to differentiate between home/zombie senders and huge relay
systems, especially since you do not have any headers to take into account?
Actually, there was a patch for sendmail posted to comp.mail.sendmail for
a feature "drop connection if number of bad recipients exceeds n".
http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/5203bd02a5d9f8f3
Bye,
--
Steffen Kaiser
MIMEDefang mailing list: http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
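The thread describes a log-tailing approach (count "User unknown" rejections per connecting host, firewall the host once it exceeds a threshold) and the objection that a large shared relay must not be blocked for one abusive sender behind it. The following added example, which is not code from the thread, from MIMEDefang or from the sendmail patch mentioned above, implements both halves in one pass over sample log lines: a sliding-window count of rejected recipients per relay IP, and an exemption list of relay networks whose hits are only flagged for human review instead of being blocked. The log lines are constructed to resemble sendmail's syslog output, the year 2005, the threshold of 3, the 10-minute window and the exempt network 192.0.2.0/24 are all assumptions of the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on sendmail's syslog output for a
# recipient rejected with "User unknown". Addresses are documentation
# ranges; nothing here comes from a real server.
SAMPLE_LOG = """\
Dec 15 10:00:01 mx sendmail[4101]: jBFA001x004101: ruleset=check_rcpt, arg1=<a1@example.org>, relay=[203.0.113.5], reject=550 5.1.1 <a1@example.org>... User unknown
Dec 15 10:00:02 mx sendmail[4102]: jBFA002x004102: ruleset=check_rcpt, arg1=<a2@example.org>, relay=[203.0.113.5], reject=550 5.1.1 <a2@example.org>... User unknown
Dec 15 10:00:03 mx sendmail[4103]: jBFA003x004103: ruleset=check_rcpt, arg1=<a3@example.org>, relay=[203.0.113.5], reject=550 5.1.1 <a3@example.org>... User unknown
Dec 15 10:00:04 mx sendmail[4104]: jBFA004x004104: from=<bob@example.net>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.net [198.51.100.7]
Dec 15 10:00:05 mx sendmail[4105]: jBFA005x004105: ruleset=check_rcpt, arg1=<b1@example.org>, relay=bigmail.example.com [192.0.2.10], reject=550 5.1.1 <b1@example.org>... User unknown
Dec 15 10:00:06 mx sendmail[4106]: jBFA006x004106: ruleset=check_rcpt, arg1=<b2@example.org>, relay=bigmail.example.com [192.0.2.10], reject=550 5.1.1 <b2@example.org>... User unknown
Dec 15 10:00:07 mx sendmail[4107]: jBFA007x004107: ruleset=check_rcpt, arg1=<b3@example.org>, relay=bigmail.example.com [192.0.2.10], reject=550 5.1.1 <b3@example.org>... User unknown
Dec 15 10:30:00 mx sendmail[4108]: jBFA008x004108: ruleset=check_rcpt, arg1=<c1@example.org>, relay=[203.0.113.9], reject=550 5.1.1 <c1@example.org>... User unknown
"""

# Matches only recipient rejections ("reject=550 ... User unknown") and
# captures the syslog timestamp and the bracketed relay IP, with or
# without a preceding hostname.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: \S+: '
    r'ruleset=check_rcpt, .*?relay=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\], '
    r'reject=550 .*User unknown'
)


def analyze(log_text, threshold=3, window=timedelta(minutes=10),
            exempt_networks=(), year=2005):
    """Return {ip: "block" | "review"} for relays that sent at least
    `threshold` rejected recipients within `window`.

    Hosts inside `exempt_networks` (big relays / mail hosters, an assumed
    operator-maintained list) are never marked "block"; they are marked
    "review" so a human can look at the abusive sender instead.
    """
    exempt = [ipaddress.ip_network(n) for n in exempt_networks]
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    decisions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a recipient rejection
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} " + " ".join(m['ts'].split()),
                               "%Y %b %d %H:%M:%S")
        ip = m['ip']
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits outside the window
            q.popleft()
        if len(q) >= threshold and ip not in decisions:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in exempt):
                decisions[ip] = "review"
            else:
                decisions[ip] = "block"
    return decisions


if __name__ == "__main__":
    for ip, action in analyze(SAMPLE_LOG,
                              exempt_networks=["192.0.2.0/24"]).items():
        print(f"{action:6s} {ip}")
```

On the sample above, 203.0.113.5 exceeds the threshold and is marked for blocking; 192.0.2.10 also exceeds it but lies in the exempt relay network and is only flagged for review, which is the distinction the message asks for; 203.0.113.9 (one hit) and the accepted message from 198.51.100.7 produce no decision. The sliding window matters because a legitimate relay will accumulate the occasional bad recipient over a day without ever bursting.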