On Wednesday 13 April 2005 1:01 pm, you wrote: > Hi, > Today I start to get something like that in my qmail-smtpd log:
>snip> > And I know that the IP's used can change... > I think that somebody with some user password for smtp is making this, but > I can't determine from where or which account he is using. I have no logs > for smpt-auth user success or failed... > > Please, somebody could give me some light to stop that? You probably are receiving a dictionary scan from infected PC's. Be sure to use rblsmtpd against one or more of the good rbl sites. Another thing you can do is scan for frequent IP's to bad users in the smtp log files and build new tcp.smtp deny lines. Ken Jones
