I wish I could find some way, either with a version roll or even just using ResEdit, 
to increase the 20-minute setting.  I regularly cull through my logs for "tempbanned" 
IPs and put them in my permanent blacklist.  It would be so much easier and probably 
more fair to have them automatically banned for, say, 48 hours.


At 11:22 AM -0700 10/18/02, Pete Stephenson wrote:
>>Recent observation of (non-SIMS) mail receiver log shows
>>three types of "interesting" activity:
>>
>>1) Failed attempted relays, from various addresses to a limited set of
>><RCPT TO>,
>>   obviously looking for open relays.
>>2) Short SMTP transactions, ending with <RSET>; no message sent, possibly
>>   just checking validity of local address.
>>3) Like (2), but ending with a disconnect instead of a <RSET>.
>
>[snip]
>
>>Is there a mechanism for detecting case #2 and #3 in SIMS?
>>How is it logged?
>
>As far as I know, no.
>
>However, if a remote host tries to send mail to three non-existent addresses, SIMS 
>will hold the line for 10 seconds. After that time elapses, if they get another 
>address wrong, another 10 seconds. After that, another address, another 10 seconds. 
>After the third time, it tempbans the remote host for 20 minutes.
>
>It's quite effective, I've noticed, at stopping harvesters. It is these harvesters 
>which are consuming most of the bandwidth on my server, scanning for addresses. Grr.
>--
>Pete Stephenson
>HeyPete.com
>
>#############################################################
>This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
>To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
>To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
>To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
>Send administrative queries to  <[EMAIL PROTECTED]>
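
The hold-then-tempban behaviour described in the quoted reply, with the ban length made a setting as the reply above it asks for, modelled as an added example; this is not SIMS code and not from either poster. The counting (holds start on the third bad recipient, the ban lands on the third hold) is one reading of that description, and every name below is hypothetical.

```python
# Added example: per-host throttle for unknown-recipient probes.
# The 10 s hold and 20 min ban come from the thread; the exact counting
# and all names are assumptions, not SIMS internals.
from dataclasses import dataclass, field

@dataclass
class HostState:
    misses: int = 0            # RCPT TO commands naming unknown addresses
    banned_until: float = 0.0  # 0.0 means the host was never banned

@dataclass
class RcptThrottle:
    hold_from: int = 3         # miss number at which holds begin
    holds_before_ban: int = 3  # the ban lands on this hold
    hold_seconds: float = 10.0
    ban_seconds: float = 20 * 60
    hosts: dict = field(default_factory=dict)

    def is_banned(self, ip, now):
        st = self.hosts.get(ip)
        return st is not None and now < st.banned_until

    def unknown_rcpt(self, ip, now):
        """Record one bad recipient; return (hold_seconds, banned_now)."""
        st = self.hosts.setdefault(ip, HostState())
        if st.banned_until and now >= st.banned_until:
            st.misses, st.banned_until = 0, 0.0  # ban expired: start over
        st.misses += 1
        if st.misses < self.hold_from:
            return 0.0, False
        holds = st.misses - self.hold_from + 1
        if holds >= self.holds_before_ban:
            st.banned_until = now + self.ban_seconds
            return self.hold_seconds, True
        return self.hold_seconds, False

def replay(throttle, events):
    """events: (time, ip) pairs, one per bad recipient; returns decisions."""
    return [(t, ip) + throttle.unknown_rcpt(ip, t) for t, ip in events]

# Constructed sample: one host probing a new address every 11 seconds.
PROBES = [(i * 11.0, "192.0.2.10") for i in range(5)]
```

Passing `ban_seconds=48 * 3600` to `RcptThrottle` gives the 48-hour ban suggested at the top of the thread without any manual log culling.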

