CHKUSER 2.0.8b on qmail 1.03 and vpopmail 5.4.10. I LOVE that CHKUSER can single out the unknown recipients and block the offending SMTP session - big traffic control helper! However, I've got one domain that's really being hit hard by dictionary attacks. Some attack traffic is a few hits from many IPs, other traffic is many hits from few IPs.
What I'd like to do is get something that's like an IDS that reads log output for CHKUSER rejections - currently only outputting to /var/log/qmail/smtp/current - and have that information parsed for the specific domain and have the offending sender IP stuffed into a database (probably with a timestamp). Then I would build some scripted logic to query the database to figure out if I've been hit N number of times from an IP in a certain window of time; thus the trigger to update tcp.smtp with the offender. I think I might go ahead and just "compile" the tcp.smtp at each pass, that way I can keep tcp.smtp as compact as possible. Those who've stopped being naughty are taken off the blocklist eventually. Almost an RBL mentality I guess. (And yes, I AM running with the Spamhaus RBL also.)

I gotta believe some smart person already built this, but I don't know if it's called something specific. Big challenge for me is how to keep an eye on a logfile for any particular time (particularly given DJB's arcane date values in the above log file) and not end up reprocessing data I've already seen.

Help appreciated and thanks!
Dave.