From: Anthony Howe
Date: 2004-10-08 09:57:04 -0400
Subject: Re: Stopping dictionary attacks
More information..: http://www.milter.info/#Support
Jose Nathaniel G. Nengasca wrote:
> I have so much on my logs using dictionary attacks (guessing usernames) on
> my email server from email with <>, is there any way to stop this kind of
> attacks, like adding them to the blacklist automatically when the user does
> not exist on my server .AND. from <> senders?

A similar question was asked last month and I answered: no. See

Some of those "attacks" might actually be callbacks from another
milter-sender or similar system to test if the address exists. It would
be almost impossible to tell the difference between a call-back from a
legit machine and dictionary probing. One of the failings of the
callback technique is that it could be used by spammers to indirectly
probe other systems. (Though I thought I addressed this in an update
last year with an option.)

You would have to observe some patterns and maybe use milter-limit in
conjunction with milter-sender to allow only a certain number of tests /
connections per hour or day from suspicious servers.

Another alternative might be to try running with milter-gris before
milter-sender and use grey listing to discourage the spammers. Not sure
how well this would work. Be interesting to see results.

Also use Sendmail 8.13.1 with the FEATURE(`greet_pause', 10). This does
Anthony C Howe +33 6 11 89 73 78
7116561 AIM: Sir Wumpus
"Once...we were here." - Last of The Mohicans
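
Added example (not part of the original message, and not code from milter-limit or milter-sender): one way to observe the pattern discussed above is to count "User unknown" rejections that arrived with a null sender, per relay and per hour, so a sensible per-hour limit can be chosen. The log lines are constructed and only modelled on sendmail's syslog output; the regexes, the function name and the threshold are assumptions to adapt to your own logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on sendmail syslog output (not real logs).
SAMPLE_LOG = """\
Oct  8 09:12:01 mx sendmail[2101]: i98DC1aa002101: <aaron@example.org>... User unknown
Oct  8 09:12:02 mx sendmail[2101]: i98DC1aa002101: <abby@example.org>... User unknown
Oct  8 09:12:03 mx sendmail[2101]: i98DC1aa002101: from=<>, size=0, nrcpts=0, relay=[192.0.2.10]
Oct  8 09:40:10 mx sendmail[2150]: i98DeAbb002150: <adam@example.org>... User unknown
Oct  8 09:40:11 mx sendmail[2150]: i98DeAbb002150: <admin1@example.org>... User unknown
Oct  8 09:40:12 mx sendmail[2150]: i98DeAbb002150: from=<>, size=0, nrcpts=0, relay=[192.0.2.10]
Oct  8 09:45:00 mx sendmail[2160]: i98Dj0cc002160: <old.user@example.org>... User unknown
Oct  8 09:45:01 mx sendmail[2160]: i98Dj0cc002160: from=<>, size=0, nrcpts=0, relay=mx.example.net [198.51.100.7]
Oct  8 09:50:00 mx sendmail[2170]: i98Do0dd002170: <a1@example.org>... User unknown
Oct  8 09:50:01 mx sendmail[2170]: i98Do0dd002170: <a2@example.org>... User unknown
Oct  8 09:50:02 mx sendmail[2170]: i98Do0dd002170: <a3@example.org>... User unknown
Oct  8 09:50:03 mx sendmail[2170]: i98Do0dd002170: from=<news@example.com>, size=0, nrcpts=0, relay=[203.0.113.5]
"""

# Assumed line shapes: a per-recipient rejection, and the per-message envelope line.
UNKNOWN = re.compile(
    r"^(\w{3}\s+\d+ \d{2}):\S+ \S+ sendmail\[\d+\]: (\w+): <[^>]*>\.\.\. User unknown")
FROM = re.compile(
    r"sendmail\[\d+\]: (\w+): from=<([^>]*)>.*relay=.*\[([0-9A-Fa-f.:]+)\]")

def null_sender_probes(log_text, threshold=3):
    """Return {(relay_ip, hour): count} of unknown-user rejections sent with <>."""
    unknown = defaultdict(Counter)   # queue id -> {hour: rejected recipients}
    envelope = {}                    # queue id -> (sender, relay ip)
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            hour = " ".join(m.group(1).split())   # "Oct  8 09" -> "Oct 8 09"
            unknown[m.group(2)][hour] += 1
            continue
        m = FROM.search(line)
        if m:
            envelope[m.group(1)] = (m.group(2), m.group(3))
    per_relay = Counter()
    for qid, hours in unknown.items():
        sender, ip = envelope.get(qid, (None, None))
        if sender == "" and ip:      # only null-sender (<>) transactions
            for hour, n in hours.items():
                per_relay[(ip, hour)] += n
    # A single rejection may be a legitimate callback; report only repeated ones.
    return {key: n for key, n in per_relay.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, hour), n in sorted(null_sender_probes(SAMPLE_LOG).items()):
        print(f"{hour}h {ip}: {n} unknown recipients from <>")
```

The single rejection from 198.51.100.7 stays below the threshold, which matters because a lone null-sender probe is exactly what a callback from another server looks like.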