> How can I set up a rule in MIMEDefang to define those transactions? Say
> when an SMTP server tries 10 times within a short time period and is sent
> a 550 code each time. I think that it would be appropriate to have MD just
> blacklist that address. Is that possible? I want to ignore them
> completely after this event has occurred.
I rarely see dictionary attacks from a single relay. Recently the majority of such attacks on my systems seem to be of distributed origin using random #/letter user names. They come in waves, sometimes a day or two of several thousand per hour, from various random sources, then it calms down for a while. I suspect some type of bot is at work.

Another one is repeated attempts with the same dictionary word from distributed senders:

Dec 29 00:14:17 yyy sendmail[24179]: jBT6EHL2024179: from=<>, size=2387, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ccemb.ccebos.org [129.10.148.248]
Dec 29 00:14:17 yyy sendmail[24179]: jBT6EHL2024179: <[EMAIL PROTECTED]>... User unknown
Dec 29 00:30:46 yyy sendmail[24837]: jBT6UjLL024837: from=<>, size=3517, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=relay02.mail-hub.dodo.com.au [202.136.32.45]
Dec 29 00:30:46 yyy sendmail[24837]: jBT6UjLL024837: <[EMAIL PROTECTED]>... User unknown
Dec 29 01:06:01 yyy sendmail[25599]: jBT7618I025599: from=<>, size=2345, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=flpvm03.prodigy.net [207.115.20.33]
Dec 29 01:06:01 yyy sendmail[25599]: jBT7618I025599: <[EMAIL PROTECTED]>... User unknown
Dec 29 01:50:23 yyy sendmail[26650]: jBT7oMjr026650: from=<>, size=3173, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail02.cnemedia.com [67.103.45.213]
Dec 29 01:50:23 yyy sendmail[26650]: jBT7oMjr026650: <[EMAIL PROTECTED]>... User unknown

[Repeats several hundred times within a day or two. Sometimes multiple ongoing attacks with different dictionary words.]

Another scenario which I don't understand is numerous attempts with the same recipient in a short period of time:

Dec 26 03:49:11 yyy sendmail[30146]: jBQ9nBWF030146: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30146]: jBQ9nBWF030146: <[EMAIL PROTECTED]>... User unknown
Dec 26 03:49:11 yyy sendmail[30154]: jBQ9nBG6030154: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30154]: jBQ9nBG6030154: <[EMAIL PROTECTED]>... User unknown
Dec 26 03:49:11 yyy sendmail[30148]: jBQ9nAba030148: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30148]: jBQ9nAba030148: <[EMAIL PROTECTED]>... User unknown
Dec 26 03:49:11 yyy sendmail[30150]: jBQ9nAmi030150: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]
Dec 26 03:49:11 yyy sendmail[30150]: jBQ9nAmi030150: <[EMAIL PROTECTED]>... User unknown
Dec 26 03:49:11 yyy sendmail[30153]: jBQ9nBvs030153: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail01k.rapidsite.net [131.103.218.196]

[repeats 10 or 15 more times within a minute or so]

Alan

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
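The two patterns in the thread (the per-relay burst the question wants to blacklist after 10 rejections, and the distributed same-recipient probing Alan says he mostly sees) call for different counters, which the added example below makes concrete. It is an offline log-analysis script written for this page, not a MIMEDefang filter rule and not code from Alan or the MIMEDefang project; it joins sendmail's envelope record (the `relay=` line) to the `User unknown` rejection by queue id, then applies a sliding-window count per relay IP and a distinct-relay count per recipient. The log lines it runs on are constructed to mimic the format shown above, with hostnames, addresses and IPs in documentation ranges; the thresholds (10 rejections in 60 s, 3 distinct relays) are illustrative, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two sendmail records that matter here. Both carry the queue id, which is
# what lets us attach a relay IP to a "User unknown" rejection.
ENVELOPE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>,.*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"<(?P<rcpt>[^>]*)>\.\.\. User unknown")


def _parse_ts(text, year):
    # syslog timestamps have no year; the caller supplies one (assumption)
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_rejections(lines, year=2005):
    """Return [(timestamp, relay_ip, recipient)] for every User-unknown rejection,
    joined to its envelope record through the queue id."""
    envelopes = {}
    rejections = []
    for line in lines:
        m = ENVELOPE_RE.match(line)
        if m:
            envelopes[m["qid"]] = m["ip"]
            continue
        m = REJECT_RE.match(line)
        if m and m["qid"] in envelopes:
            rejections.append((_parse_ts(m["ts"], year), envelopes[m["qid"]], m["rcpt"]))
    return rejections


def relays_over_threshold(rejections, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count per relay IP: the 'N rejections from one relay in a
    short period' case from the question. Returns the set of offending IPs."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _ in sorted(rejections):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def recipients_from_many_relays(rejections, min_relays=3):
    """Recipients rejected for many *different* relays: the distributed
    same-dictionary-word pattern, which a per-relay counter never reaches.
    Returns {recipient: number_of_distinct_relays}."""
    seen = defaultdict(set)
    for _, ip, rcpt in rejections:
        seen[rcpt].add(ip)
    return {r: len(ips) for r, ips in seen.items() if len(ips) >= min_relays}


def _record(ts, pid, sender, ip, rcpt):
    """One constructed envelope/rejection pair in sendmail's log layout."""
    stamp = ts.strftime("%b %d %H:%M:%S")
    qid = f"jBQ9nB{pid:08d}"
    return [
        f"{stamp} mx sendmail[{pid}]: {qid}: from=<{sender}>, size=0, class=0, "
        f"nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example [{ip}]",
        f"{stamp} mx sendmail[{pid}]: {qid}: <{rcpt}>... User unknown",
    ]


def build_sample_log():
    """Constructed sample log (not the list post's data): one relay bursting 12
    rejections in ~22 s, and one recipient probed from four relays over an hour."""
    lines = []
    t0 = datetime(2005, 12, 26, 3, 49, 11)
    for i in range(12):
        lines += _record(t0 + timedelta(seconds=2 * i), 30100 + i,
                         "bob@example.net", "192.0.2.10", "nobody@example.org")
    t1 = datetime(2005, 12, 29, 0, 14, 17)
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]):
        lines += _record(t1 + timedelta(minutes=15 * i), 24100 + i, "", ip, "lee@example.org")
    return lines


if __name__ == "__main__":
    rej = parse_rejections(build_sample_log())
    print("burst relays:", relays_over_threshold(rej))
    print("recipients probed from many relays:", recipients_from_many_relays(rej))
```

Run it as a script, or point `parse_rejections` at real lines with the correct year. The two detectors are deliberately separate: a relay counter alone answers the original question but, as Alan's logs show, a distributed run sends one or two probes per source and never trips it, so the recipient-side count is the one that catches that wave; either result is a candidate for an access-map or MIMEDefang reject rule, not an automatic one, since a legitimate relay can also produce a rejection burst (a large mailing-list host retrying a dead address, for instance).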

