[TriLUG] Strange mailserver flood

Brian Daniels bitmage at pobox.com
Wed Apr 30 10:30:20 EDT 2008


On Wed, Apr 30, 2008 at 10:16:38AM -0400, Lance A. Brown wrote:
> Brian Daniels said the following on 4/30/2008 9:28 AM:
> 
> > And after an hour or so, the flood drops back to a steady drip of similarly 
> > addressed messages.
> > 
> > Anyone else seeing these, or have any idea what they're trying to do?
> 
> I'm not seeing this, but perhaps a mail log watcher that adds host-based 
> firewall rules to block offending sites after X "550 user unknown" 
> messages would serve to mitigate the attacks.  Seems like denyhosts or 
> fail2ban could be bent to this task.

We're actually using fail2ban already to block after 2 bad username attempts 
for 30 min, but the flood is still too big/fast.  

--Brian

-- 
Be it thy course to busy giddy minds
With foreign quarrels; that action, hence borne out,
May waste the memory of the former days.
			Henry IV, Part 2
	

Brian Daniels                  bitmage at pobox.com
      http://www.eviloverlord.net
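
The per-address threshold discussed in this thread (block after 2 "user unknown" rejections, for 30 minutes), written out as an added example; it is not part of the original messages and is not fail2ban's own code. It assumes Postfix-style log lines (the thread does not name the mail server), a 10-minute counting window, and constructed sample log entries with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 2                      # from the thread: block after 2 bad usernames
BANTIME = timedelta(minutes=30)   # from the thread: block for 30 min
FINDTIME = timedelta(minutes=10)  # assumption: counting window, not stated in the thread

# Assumed Postfix-style rejection line; the thread does not name the MTA.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: 550 .*User unknown")

def plan_bans(lines, year=2008):
    """Return [(ip, ban_start, ban_end)] for the given log lines, in log order."""
    recent = defaultdict(deque)   # ip -> rejection times still inside FINDTIME
    banned_until = {}
    bans = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue              # not a "user unknown" rejection
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if banned_until.get(ip, datetime.min) > ts:
            continue              # already banned; the firewall rule covers this one
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()      # forget rejections older than the window
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()        # start counting afresh once the ban expires
    return bans

# Constructed sample input (documentation addresses, hypothetical host "mx").
_TMPL = ("Apr 30 {t} mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
         "550 5.1.1 <{u}@example.org>: Recipient address rejected: "
         "User unknown in local recipient table")
_EVENTS = [("09:00:01", "192.0.2.10", "aaron"), ("09:00:05", "192.0.2.10", "abby"),
           ("09:00:06", "192.0.2.10", "abe"), ("09:00:07", "198.51.100.7", "adam"),
           ("09:15:00", "198.51.100.7", "al"), ("09:31:00", "192.0.2.10", "alex"),
           ("09:32:00", "192.0.2.10", "amy")]
SAMPLE_LOG = [_TMPL.format(t=t, ip=ip, u=u) for t, ip, u in _EVENTS]
SAMPLE_LOG.insert(1, "Apr 30 09:00:02 mx postfix/smtpd[2211]: connect from unknown[192.0.2.10]")

if __name__ == "__main__":
    for ip, start, end in plan_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```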



