CHKUSER 2.0.8b on qmail 1.03 and vpopmail 5.4.10.

I LOVE that CHKUSER can single out the unknown recipients and block the
offending SMTP session - big traffic control helper!  However, I've got
one domain that's really being hit hard by dictionary attacks.  Some
attack traffic is a few hits from many IPs, other traffic is many hits
from few IPs.

What I'd like to do is get something that's like an IDS that reads log
output for CHKUSER rejections - currently only outputting to

/var/log/qmail/smtp/current

and have that information parsed for the specific domain and have the
offending sender IP stuffed into a database (probably with a timestamp). 
Then I would build some scripted logic to query the database to figure out
if I've been hit N number of times from an IP in a certain window of time;
thus the trigger to update tcp.smtp with the offender.

I think I might go ahead and just "compile" the tcp.smtp at each pass,
that way I can keep tcp.smtp as compact as possible.  Those who've stopped
being naughty are taken off the blocklist eventually.  Almost an RBL
mentality I guess.  (and yes, I AM running with the Spamhaus RBL also).

I gotta believe some smart person already built this, but I don't know if
it's called something specific.  Big challenge for me is how to keep an
eye on a logfile for any particular time (particularly given DJB's arcane
date values in the above log file) and not end up reprocessing data I've
already seen.

Help appreciated and thanks!
Dave.

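One way to build the log-watcher Dave describes, as an added example that is not part of the original post and not code from the chkuser, qmail or vpopmail projects. It assumes the multilog `t` prefix (a tai64n label) on each line, a CHKUSER rejection layout of `CHKUSER rejected rcpt: from <sender:uid> remote <helo:host:ip> rcpt <user@domain> : reason`, a local sqlite file for hits and for the log offset, and the usual `tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp` compile step; the sample log lines are constructed, not captured traffic, and every path is illustrative.

```python
#!/usr/bin/env python3
"""Watch multilog output for CHKUSER rejections, count hits per IP in a time
window, and regenerate tcp.smtp. Illustrative example; see assumptions above."""
import os
import re
import sqlite3
import subprocess
import time

TAI64_EPOCH = 1 << 62  # tai64 label of 1970-01-01T00:00:00 TAI
# Assumed CHKUSER line layout (from <sender:uid> remote <helo:host:ip> rcpt <addr>)
REJECT_RE = re.compile(
    r"^@([0-9a-f]{24}) CHKUSER rejected rcpt: from <[^>]*> "
    r"remote <(?P<remote>[^>]*)> rcpt <(?P<rcpt>[^>]*)> : (?P<why>.*)$")


def tai64n_to_unix(stamp):
    """24-hex-digit tai64n label (no '@') -> integer seconds since 1970 in TAI.
    TAI is ahead of UTC by the accumulated leap seconds; that constant offset
    does not matter for 'N hits in W seconds', so it is not subtracted here."""
    return int(stamp[:16], 16) - TAI64_EPOCH


def tai64n(unix_secs, nanos=0):
    """Inverse of tai64n_to_unix; used only to build the constructed samples."""
    return "@%016x%08x" % (unix_secs + TAI64_EPOCH, nanos)


def parse_rejection(line):
    """Return (ts, remote_ip, rcpt_domain) for a CHKUSER rejection line, else None."""
    m = REJECT_RE.match(line)
    if not m or "@" not in m.group("rcpt"):
        return None
    ip = m.group("remote").rsplit(":", 1)[-1]  # last field of helo:host:ip
    return tai64n_to_unix(m.group(1)), ip, m.group("rcpt").rsplit("@", 1)[1].lower()


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS hits(ip TEXT NOT NULL, ts INTEGER NOT NULL, domain TEXT NOT NULL);
        CREATE INDEX IF NOT EXISTS hits_ts ON hits(ts);
        CREATE TABLE IF NOT EXISTS state(path TEXT PRIMARY KEY, inode INTEGER, offset INTEGER);
    """)
    return db


def ingest(db, lines, domain):
    """Store one (ip, ts) row per rejection aimed at `domain`; return rows added."""
    rows = []
    for line in lines:
        hit = parse_rejection(line)
        if hit and hit[2] == domain.lower():
            rows.append((hit[1], hit[0], hit[2]))
    db.executemany("INSERT INTO hits(ip, ts, domain) VALUES (?, ?, ?)", rows)
    db.commit()
    return len(rows)


def offenders(db, threshold, window, now=None):
    """IPs with at least `threshold` rejections in the last `window` seconds."""
    now = int(time.time()) if now is None else now
    cur = db.execute("SELECT ip FROM hits WHERE ts >= ? GROUP BY ip "
                     "HAVING COUNT(*) >= ? ORDER BY ip", (now - window, threshold))
    return [r[0] for r in cur]


def expire(db, retention, now=None):
    """Drop hits older than `retention` seconds so reformed senders fall off the list."""
    now = int(time.time()) if now is None else now
    n = db.execute("DELETE FROM hits WHERE ts < ?", (now - retention,)).rowcount
    db.commit()
    return n


def render_tcp_smtp(deny_ips, base_rules):
    """'<ip>:deny' per offender, then the static rules. tcprules tries an exact-IP
    rule before prefix and empty rules, so deny lines need not precede ':allow'."""
    return "\n".join(["%s:deny" % ip for ip in sorted(deny_ips)] + list(base_rules)) + "\n"


def read_new_lines(db, path):
    """Complete lines appended since the last pass. multilog rotates `current` by
    renaming it, so a changed inode or a shrunken file restarts from offset 0;
    a trailing partial line is left for the next pass."""
    st = os.stat(path)
    row = db.execute("SELECT inode, offset FROM state WHERE path = ?", (path,)).fetchone()
    offset = row[1] if row and row[0] == st.st_ino and row[1] <= st.st_size else 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1
    db.execute("INSERT OR REPLACE INTO state(path, inode, offset) VALUES (?, ?, ?)",
               (path, st.st_ino, offset + end))
    db.commit()
    return data[:end].decode("ascii", "replace").splitlines()


def rejection_line(ts, ip, rcpt):  # builds a constructed sample line
    return tai64n(ts) + (" CHKUSER rejected rcpt: from <joe@spam.invalid:> remote "
                         "<mail.invalid:unknown:%s> rcpt <%s> : not existing recipient" % (ip, rcpt))


# Constructed sample log: four quick hits on example.com from 203.0.113.7, one
# from 198.51.100.9, three hits on a domain we are not watching, one other line.
T0 = 1141000000
SAMPLE_LOG = ([rejection_line(T0 + 10 * i, "203.0.113.7", "user%d@example.com" % i) for i in range(4)]
              + [rejection_line(T0 + 45, "198.51.100.9", "bob@example.com")]
              + [rejection_line(T0 + 50 + i, "192.0.2.5", "x%d@other.test" % i) for i in range(3)]
              + [tai64n(T0 + 60) + " tcpserver: ok 12345 0:10.0.0.1:25 :203.0.113.7::40123"])


def demo(threshold=3, window=300):
    """Whole pipeline on SAMPLE_LOG (in-memory db); returns the deny list."""
    db = open_db()
    ingest(db, SAMPLE_LOG, "example.com")
    return offenders(db, threshold, window, now=T0 + 60)


def run_once(log_path, db_path, domain, threshold, window, tcp_smtp, base_rules):
    """One cron pass: ingest new lines, rebuild tcp.smtp, compile it. Paths assumed."""
    db = open_db(db_path)
    ingest(db, read_new_lines(db, log_path), domain)
    expire(db, retention=7 * 86400)
    with open(tcp_smtp, "w") as f:
        f.write(render_tcp_smtp(offenders(db, threshold, window), base_rules))
    with open(tcp_smtp, "rb") as f:  # tcprules reads the rules on stdin
        subprocess.run(["tcprules", tcp_smtp + ".cdb", tcp_smtp + ".tmp"], stdin=f, check=True)


if __name__ == "__main__":
    print(demo())
```

Keep the static rules (`127.:allow,RELAYCLIENT=""`, `:allow`, and so on) in a separate file and pass them as `base_rules`, since `run_once` rewrites tcp.smtp from scratch on every pass; the retention window in `expire` is what lets an IP age off the list once it goes quiet. The tai64n conversion deliberately ignores the leap-second offset between TAI and UTC, which only matters if you compare these timestamps with wall-clock values from elsewhere; run the file through `tai64nlocal` when you want readable times.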