On Sat, 2008-11-29 at 10:29 -0500, Angus McIntyre wrote:

You could use tcpserver to block them with something like

=.hinet.net:allow,RBLSMTPD="-Blocked for trying to break-in",RBLSMTPD="-Blocked for trying to break-in"

The first line blocks anything with reverse DNS that maps to *.hinet.net
and the second only matches the IP address. You can match multiple IPs
with 1.2.0-1.:allow to match the range.


> Lately, my maillog shows large numbers of attempts to relay mail 
> through my host. The attempts show up in the logfile as failed 
> password checks, i.e.
>       vpopmail[19950]: vchkpw-smtp: vpopmail user not found alex@:
> The attackers are trying a sequence of 93 distinct usernames - 
> administrator, alice, alex, andy etc. - and a variety of passwords.
> The majority of the attacks originate from dynamic IPs on Taiwanese 
> ISPs hinet.net and tfn.net.tw.
> I'm not particularly concerned that they'll break in, but I'd like to 
> block them anyway, if only to keep my SMTP ports clear for legitimate 
> traffic.
> Is there a vpopmail equivalent of 'denyhosts' - something that allows 
> a limited number of failed attempts before automatically blocking all 
> subsequent connections from that IP?
> Angus
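
As an added example (not code from either poster or from the vpopmail or tcpserver projects), here is one way to get the denyhosts-style behaviour asked about: count failed vchkpw-smtp attempts per source IP and emit tcpserver rules in the form shown in the reply. It assumes the log line ends with ":IP" after the user@domain part (the sample in the question is cut off after "alex@:"); the function names, threshold and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed log shape: "... vchkpw-smtp: <reason> USER@DOMAIN:IP".
# The IP is anchored to the end of the line because the username part is
# supplied by the remote client and must not be able to choose the address.
FAIL_RE = re.compile(
    r"vchkpw-smtp: (?:vpopmail user not found|password fail)\b.*?"
    r":(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
BLOCK_MSG = "-Blocked for trying to break-in"  # message text from the reply


def failed_ips(lines):
    """Count failed SMTP AUTH attempts per source IPv4 address."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not a valid address, e.g. 999.1.1.1
        counts[str(ip)] += 1
    return counts


def tcp_rules(lines, threshold=5, never_block=("127.0.0.1",)):
    """Return tcpserver rule lines for IPs at or above the threshold."""
    return [
        f'{ip}:allow,RBLSMTPD="{BLOCK_MSG}"'
        for ip, n in sorted(failed_ips(lines).items())
        if n >= threshold and ip not in never_block
    ]


# Constructed sample log lines using documentation addresses.
PFX = "Nov 29 10:29:00 mail vpopmail[19950]: vchkpw-smtp: "
SAMPLE = (
    [PFX + "vpopmail user not found alex@:192.0.2.10"] * 5
    + [PFX + "password fail alice@example.org:198.51.100.7"] * 2
    + [PFX + "vpopmail user not found andy@:127.0.0.1"] * 6
    # Username crafted to look like an address; only the trailing IP counts.
    + [PFX + "vpopmail user not found x:203.0.113.9@:192.0.2.10"]
)

if __name__ == "__main__":
    print("\n".join(tcp_rules(SAMPLE)))
```

The generated lines are meant to be merged into the tcpserver rules file and compiled with tcprules; the never_block list keeps local or trusted addresses from being locked out.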


