On Sat, 2008-11-29 at 10:29 -0500, Angus McIntyre wrote:
You could use tcpserver to block them with something like:
=.hinet.net:allow,RBLSMTPD="-Blocked for trying to break-in"
188.8.131.52:allow,RBLSMTPD="-Blocked for trying to break-in"
The first line blocks anything with reverse DNS that maps to *.hinet.net
and the second only matches the IP address. You can match multiple IPs
with 1.2.0-1.:allow to match the range 184.108.40.206/23.
> Lately, my maillog shows large numbers of attempts to relay mail
> through my host. The attempts show up in the logfile as failed
> password checks, i.e.
> vpopmail: vchkpw-smtp: vpopmail user not found alex@:220.127.116.11
> The attackers are trying a sequence of 93 distinct usernames -
> administrator, alice, alex, andy etc. - and a variety of passwords.
> The majority of the attacks originate from dynamic IPs on Taiwanese
> ISPs hinet.net and tfn.net.tw.
> I'm not particularly concerned that they'll break in, but I'd like to
> block them anyway, if only to keep my SMTP ports clear for legitimate
> Is there a vpopmail equivalent of 'denyhosts' - something that allows
> a limited number of failed attempts before automatically blocking all
> subsequent connections from that IP?
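
A minimal denyhosts-style pass over the maillog, as an added example that is not part of the original messages: it counts the "vpopmail user not found" failures per source IP and prints a tcpserver rule, in the form shown in the reply, for each IP at or over a threshold. The threshold, allowlist, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Failure line as quoted in the post; the client IP follows the last colon.
FAIL_RE = re.compile(
    r"vchkpw-smtp: vpopmail user not found [^@\s]*@[^:\s]*:"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample log lines (documentation address ranges), not real data.
SAMPLE_LOG = """\
Nov 29 10:01:02 mail vpopmail[2101]: vchkpw-smtp: vpopmail user not found administrator@:192.0.2.10
Nov 29 10:01:05 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found alice@:192.0.2.10
Nov 29 10:01:09 mail vpopmail[2103]: vchkpw-smtp: vpopmail user not found alex@:192.0.2.10
Nov 29 10:02:11 mail vpopmail[2104]: vchkpw-smtp: vpopmail user not found andy@:198.51.100.7
Nov 29 10:03:00 mail vpopmail[2105]: vchkpw-smtp: vpopmail user not found bob@example.com:203.0.113.5
Nov 29 10:03:04 mail vpopmail[2106]: vchkpw-smtp: vpopmail user not found bob@example.com:203.0.113.5
Nov 29 10:03:08 mail vpopmail[2107]: vchkpw-smtp: vpopmail user not found bob@example.com:203.0.113.5
Nov 29 10:04:00 mail qmail: status: local 0/10 remote 0/20
"""


def count_failures(lines):
    """Return a Counter of failed vchkpw-smtp lookups keyed by source IP."""
    counts = Counter()
    for line in lines:
        match = FAIL_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def build_rules(lines, threshold=3, allowlist=(),
                message="Blocked for trying to break-in"):
    """Emit one tcpserver rule per IP with at least `threshold` failures.

    IPs in `allowlist` (for example a known customer NAT address) are never
    blocked, so a user mistyping an account name cannot lock out a site.
    """
    counts = count_failures(lines)
    return [
        f'{ip}:allow,RBLSMTPD="-{message}"'
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in allowlist
    ]


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_LOG.splitlines(), allowlist={"203.0.113.5"}):
        print(rule)
```

The printed lines still have to be merged into the rules file tcpserver reads and recompiled with tcprules before they take effect. Because the sources described above are dynamic IPs, generated entries should be aged out rather than kept indefinitely.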