[TriLUG] Strange mailserver flood
Brian Daniels
bitmage at pobox.com
Wed Apr 30 10:30:20 EDT 2008
On Wed, Apr 30, 2008 at 10:16:38AM -0400, Lance A. Brown wrote:
> Brian Daniels said the following on 4/30/2008 9:28 AM:
>
> > And after an hour or so, the flood drops back to a steady drip of similarly
> > addressed messages.
> >
> > Anyone else seeing these, or have any idea what they're trying to do?
>
> I'm not seeing this, but perhaps a mail log watcher that adds host-based
> firewall rules to block offending sites after X "550 user unknown"
> messages would serve to mitigate the attacks. Seems like denyhosts or
> fail2ban could be bent to this task.

We're actually using fail2ban already to block after 2 bad username attempts
for 30 min, but the flood is still too big/fast.

--Brian
--
Be it thy course to busy giddy minds
With foreign quarrels; that action, hence borne out,
May waste the memory of the former days.
Henry IV, Part 2
Brian Daniels bitmage at pobox.com
http://www.eviloverlord.net
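
The per-host threshold discussed in this message (ban after 2 "user unknown" rejects, for 30 minutes), replayed over a log as an added example; it is not part of the original post and is not fail2ban's code. The Postfix-style line format, the 10-minute counting window (`FIND_TIME`) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 2                      # from the post: ban after 2 bad usernames
BAN_TIME = timedelta(minutes=30)   # from the post: 30 minute ban
FIND_TIME = timedelta(minutes=10)  # assumption: window in which rejects are counted
YEAR = 2008                        # syslog timestamps carry no year

# Assumed Postfix-style reject line: "... from host[ip]: 550 ... User unknown ..."
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:"
    r"\s550\b.*user unknown", re.IGNORECASE)

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Apr 30 09:28:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a1@example.org>: Recipient address rejected: User unknown in local recipient table
Apr 30 09:28:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a2@example.org>: Recipient address rejected: User unknown in local recipient table
Apr 30 09:28:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a3@example.org>: Recipient address rejected: User unknown in local recipient table
Apr 30 09:28:04 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <b1@example.org>: Recipient address rejected: User unknown in local recipient table
Apr 30 09:28:05 mx postfix/smtpd[1240]: connect from unknown[198.51.100.7]
Apr 30 09:59:00 mx postfix/smtpd[1301]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a4@example.org>: Recipient address rejected: User unknown in local recipient table
Apr 30 09:59:30 mx postfix/smtpd[1302]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <b2@example.org>: Recipient address rejected: User unknown in local recipient table
""".splitlines()

def scan(lines):
    """Replay a log; return ([(ip, ban_start)], rejects a live ban would have dropped)."""
    recent = defaultdict(deque)    # ip -> reject times inside FIND_TIME
    banned_until = {}              # ip -> time the current ban expires
    bans, dropped = [], 0
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue               # not a "550 user unknown" reject
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ts < banned_until.get(ip, datetime.min):
            dropped += 1           # a firewall rule would already block this host
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FIND_TIME:
            q.popleft()            # forget rejects older than the window
        if len(q) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts))
            q.clear()
    return bans, dropped
```

Because counting is per source address, a host that stays under `MAX_RETRY` inside the window (198.51.100.7 in the sample) is never banned, however many such hosts there are.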