On Fri, 2004-06-25 at 16:14, Aaron S. Joyner wrote:
> In general, we see an awful lot of dictionary attacks here at Intrex,
> and it's not something we process the logs or firewall against to
> block. Be very careful with setting up automated systems that monkey
> with your firewall rules, it can have very unfortunate results if
> someone decides to exploit the way you have it setup, and even more
> likely, accidents and floods of mail to users who don't exist do happen
> naturally. Twould be bad to block yahoo or aol because some newbie on
> their service made a few typos or cut-n-pasted his mother's address
> wrong 50 times into his forwarding list (stranger things have happened).
>
> Also, note that processing the logs during a dictionary attack can get
> very processor-intensive, especially if you're not careful in your regex
> writing (I didn't even look closely at Jon's example, this in no way
> should be interpreted as a reflection on his code). Just be careful
> that you're not doing more work in defense, than you're saving from the
> minimal overhead of "550 user not found in local recipients table". :)
>
> Either way, I'm curious to hear how it turns out. :)
> Best of luck,
> Aaron S. Joyner
You could expand the earlier script and add a nospamdb file (using IPs that should be ignored by the script). To do so, simply add a line to exit the script if the IP is in your nospamdb file:

    # exit early when $BADIP appears (as a whole word) in nospamdb
    if grep -wq "$BADIP" nospamdb; then exit; fi

Also, with a bit of trial and error you can gauge just how many entries will be in your info file after a minute of being attacked, and instead of grepping the whole file, you can simply grep the end of the file. To grep the last 200 entries:

    tail -200 $INFO | grep $ENTRIES | grep " 550 " | ...

This is extremely fast and makes the script take under a second to execute.

Jon

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
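The pieces Jon describes (tail of the log, grep for " 550 ", an allowlist that is never blocked) combined into one working script, added here as an example and not code from the thread. The log layout, file names, threshold and window size are assumptions; it only prints candidate IPs and never touches the firewall, in keeping with Aaron's caution.

```shell
#!/bin/sh
# Added example, not code from the thread: count " 550 " rejections per client
# IP in the tail of a mail log and print the IPs at or above a threshold,
# skipping IPs listed in an allowlist file (the thread's "nospamdb").
# The log layout, file names and threshold below are assumptions.

LOG=$(mktemp); ALLOW=$(mktemp)

# emit N copies of a log line (helper for the constructed sample)
emit() { n=$1; shift; while [ "$n" -gt 0 ]; do echo "$*"; n=$((n - 1)); done; }

# Constructed sample log (not real traffic): three older rejections from
# 203.0.113.9, then ten recent lines that the tail window will cover.
{
  emit 3 'Jun 25 16:10:00 mx smtpd[900]: client=[203.0.113.9] to=<x@example.com> 550 user not found in local recipients table'
  emit 5 'Jun 25 16:20:05 mx smtpd[1001]: client=[192.0.2.7] to=<bob@example.com> 550 user not found in local recipients table'
  emit 3 'Jun 25 16:20:20 mx smtpd[1002]: client=[198.51.100.4] to=<z@example.com> 550 user not found in local recipients table'
  emit 1 'Jun 25 16:20:30 mx smtpd[1003]: client=[203.0.113.9] to=<y@example.com> 550 user not found in local recipients table'
  emit 1 'Jun 25 16:20:40 mx smtpd[1004]: client=[203.0.113.9] to=<alice@example.com> 250 ok'
} > "$LOG"

# Allowlist (constructed): one IP per line, e.g. a big relay you never want to block.
echo '198.51.100.4' > "$ALLOW"

# find_attackers LOG ALLOW THRESHOLD LINES
# Only the last LINES entries are scanned (the thread's "tail -200" trick), so
# the cost stays flat during a flood. The allowlist is matched with -xF (exact
# whole line) rather than -w so the dots in an IP are not regex wildcards.
find_attackers() {
  log=$1; allow=$2; threshold=$3; lines=$4
  tail -n "$lines" "$log" \
    | grep ' 550 ' \
    | sed -n 's/.*client=\[\([0-9.]*\)\].*/\1/p' \
    | sort | uniq -c \
    | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        grep -qxF "$ip" "$allow" && continue
        echo "$ip"
      done
}

# Last 10 lines, threshold 3: only 192.0.2.7 qualifies (198.51.100.4 is
# allowlisted, 203.0.113.9 has a single miss inside the window).
find_attackers "$LOG" "$ALLOW" 3 10
```

Widening the window to the whole file pulls in the older 203.0.113.9 rejections, which shows why the window size needs the trial-and-error calibration Jon mentions.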
