> This won't stop "this kind of attack" because there
> is nothing in the nature of this attack that requires
> a non-reversed IP. If you're worried about stopping
> "this attacker," then use tcprules[1] to block connections
> from the attacker's IP (or IP block). I would only do
> this after trying their abuse contacts.

Well, unfortunately, you can't anticipate in advance which IP address they may use tonight. You can only anticipate that it will probably have no reverse and no MX record. I plan to implement better notification, so that when the next attack starts at 3 a.m. I will get a page, roll out of bed, go thru logs to find the IP address being used, and put my blocks in place, to try to minimize the damage to my customers. Hmmm, maybe I could automate this, if I could find a good way to identify the IP address making frequent multiple connections. Contacting the administrator at crosswinds.net (which I did) will hopefully cause the account to be closed, but likely they will just open another one at free-redhot-email.com and hit someone else tonight.

> Anyway, denying connections from non-reversed IPs
> would require putting a shell-script wrapper around
> the daemon which checks if TCPREMOTEHOST is set[1].
> However, you may have reservations about doing this
> on a high-volume server.

I thought I was already doing a check against non-reversed IP by running tcpserver in the paranoid mode with the -p option, but I guess I am doing it incorrectly or else not understanding it correctly.

Dennis
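An added example, not part of the original message: one way to automate the "identify the IP address making frequent multiple connections" step mentioned above, assuming tcpserver's connection log lines of the form `tcpserver: pid N from IP`, optionally prefixed by a multilog timestamp. The function names, the thresholds and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example: spot clients making many connections in a tcpserver log.

# frequent_ips THRESHOLD: read tcpserver log lines on stdin and print
# "count ip" for each remote IP with at least THRESHOLD connections.
frequent_ips() {
    awk -v min="$1" '
    {
        # One "tcpserver: pid <n> from <ip>" line is logged per connection.
        # Scan for the token so a multilog timestamp prefix does not matter.
        for (i = 1; i + 4 <= NF; i++)
            if ($i == "tcpserver:" && $(i+1) == "pid" && $(i+3) == "from" &&
                $(i+4) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                count[$(i+4)]++
                break
            }
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# deny_rules THRESHOLD: same input, output in tcprules source form.
deny_rules() {
    frequent_ips "$1" | awk '{ print $2 ":deny" }'
}

# Constructed sample log (documentation addresses, made-up pids/timestamps).
sample_log() {
    cat <<'EOF'
@400000003b5e1a2a0a1b2c3c tcpserver: status: 1/40
@400000003b5e1a2a0a1b2d00 tcpserver: pid 2101 from 192.0.2.77
@400000003b5e1a2a0a1b2e00 tcpserver: ok 2101 mail.example.net:198.51.100.5:25 :192.0.2.77::4021
@400000003b5e1a2b00000100 tcpserver: pid 2102 from 203.0.113.9
@400000003b5e1a2b00000200 tcpserver: pid 2103 from 192.0.2.77
@400000003b5e1a2b00000300 tcpserver: end 2101 status 0
@400000003b5e1a2c00000100 tcpserver: pid 2104 from 192.0.2.77
@400000003b5e1a2c00000200 tcpserver: pid 2105 from 198.51.100.20
@400000003b5e1a2c00000300 tcpserver: pid 2106 from 198.51.100.20
EOF
}

# Demo: addresses with two or more connections in the sample.
sample_log | deny_rules 2
```

The output is meant to be reviewed and merged into the tcprules source file, which is then recompiled with tcprules; a realistic threshold depends on the normal per-client connection rate of the server, and known-good relays should be excluded before any deny line is applied.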
