On Wednesday 26 Oct 2005 22:51, ISP Lists wrote:
> CHKUSER 2.0.8b on qmail 1.03 and vpopmail 5.4.10.
> I LOVE that CHKUSER can single out the unknown recipients and block the
> offending SMTP session - big traffic control helper!  However, I've got
> one domain that's really being hit hard by dictionary attacks.  Some
> attack traffic is a few hits from many IPs, other traffic is many hits
> from few IPs.
> What I'd like to do is get something that's like an IDS that reads log
> output for CHKUSER rejections - currently only outputting to
> /var/log/qmail/smtp/current

cat current | grep 'CHKUSER rejected rcpt:' | tai64nlocal >> mylog
Then write a Perl script to pull the IP addresses into a list and compare with what you already have in tcp.smtp.

> and have that information parsed for the specific domain and have the
> offending sender IP stuffed into a database (probably with a timestamp).
> Then I would build some scripted logic to query the database to figure out
> if I've been hit N number of times from an IP in a certain window of time;
> thus the trigger to update tcp.smtp with the offender.
> I think I might go ahead and just "compile" the tcp.smtp at each pass,
> that way I can keep tcp.smtp as compact as possible.  Those who've stopped
> being naughty are taken off the blocklist eventually.  Almost an RBL
> mentality I guess.  (and yes, I AM running with the Spamhaus RBL also).
> I gotta believe some smart person already built this, but I don't know if
> it's called something specific.  Big challenge for me is how to keep an
> eye on a logfile for any particular time (particularly given DJB's arcane
> date values in the above log file) and not end up reprocessing data I've
> already seen.
> Help appreciated and thanks!
> Dave.

Bob Hutchinson
Midwales dot com
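As an added example (not code from this thread), here is a Python stand-in for the Perl script suggested above: it decodes the tai64n stamps, counts CHKUSER rejections per client IP for one domain inside a sliding time window, and renders tcp.smtp deny lines for the IPs over the threshold. The log line layout and the sample lines are constructed assumptions about chkuser's output, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/qmail/smtp/current; the field layout is an
# assumption about chkuser's "CHKUSER rejected rcpt:" lines, not from the post.
SAMPLE_LOG = """\
@400000004360a1f00a3b2c1c CHKUSER rejected rcpt: from <x@example.net:> remote <helo:unknown@192.0.2.10> rcpt <aaron@example.com> : not existing recipient
@400000004360a1f10b000000 CHKUSER rejected rcpt: from <x@example.net:> remote <helo:unknown@192.0.2.10> rcpt <abby@example.com> : not existing recipient
@400000004360a1f20c000000 CHKUSER rejected rcpt: from <x@example.net:> remote <helo:unknown@192.0.2.10> rcpt <adam@other.org> : not existing recipient
@400000004360a1f30d000000 CHKUSER accepted rcpt: from <x@example.net:> remote <helo:unknown@192.0.2.10> rcpt <info@example.com> : found existing recipient
@400000004360a1f40e000000 CHKUSER rejected rcpt: from <x@example.net:> remote <helo:unknown@192.0.2.10> rcpt <alan@example.com> : not existing recipient
@400000004360a1f50f000000 CHKUSER rejected rcpt: from <y@example.net:> remote <helo:mx@198.51.100.7> rcpt <zed@example.com> : not existing recipient
@400000004360b00010000000 CHKUSER rejected rcpt: from <x@example.net:> remote <helo:unknown@192.0.2.10> rcpt <amy@example.com> : not existing recipient
"""

LINE_RE = re.compile(r"^@([0-9a-f]{24}) CHKUSER rejected rcpt: .*?"
                     r"remote <[^>]*@(\d{1,3}(?:\.\d{1,3}){3})>.*?rcpt <[^>@]*@([^>]+)>")

# TAI64 label of the Unix epoch; later leap seconds are ignored since only differences matter.
TAI64_EPOCH = (1 << 62) + 10

def tai64n_to_unix(label):
    """Convert a 24-hex-digit tai64n label (the part after '@') to Unix seconds."""
    return int(label[:16], 16) - TAI64_EPOCH + int(label[16:24], 16) / 1e9

def parse_rejections(text):
    """Yield (unix_time, client_ip, recipient_domain) for each rejection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield tai64n_to_unix(m.group(1)), m.group(2), m.group(3).lower()

def offenders(text, domain, threshold, window):
    """IPs with >= threshold rejections for `domain` within some `window`-second span."""
    hits = defaultdict(list)
    for ts, ip, dom in parse_rejections(text):
        if dom == domain:
            hits[ip].append(ts)
    bad = []
    for ip, times in hits.items():
        times.sort()  # some run of `threshold` consecutive hits must fit inside `window`
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            bad.append(ip)
    return sorted(bad)

def tcp_smtp_rules(ips):
    """tcpserver rule lines in tcp.smtp format; rebuild the cdb with tcprules afterwards."""
    return [f"{ip}:deny" for ip in ips]
```

To avoid reprocessing lines on each pass, persist the largest timestamp seen and skip entries at or below it on the next run.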
