Mailing List SIMS@mail.stalker.com Message #15519
From: Lewis Butler <lbutler@covisp.net>
Subject: Re: dictionary
Date: Tue, 14 Aug 2007 09:51:36 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Apple Mail (2.752.2)
On Aug 13, 2007, at 11:38 PM, billc wrote:
At 9:17 PM -0500 8/13/07, Lewis Butler wrote:
On Aug 13, 2007, at 9:03 AM, Charles Mangin wrote:
since i took over hosting, all of these dictionary-style spams have been going nowhere, being rejected out of hand with "<<< 550 Unrouteable address". i know i can't do anything more than ignore them and hope they will move on to some other target but... sheesh. six months? with nothing to show for it? you'd think there'd be some sort of list purging in all that time.

Well, you can do something about it, you can blacklist IP addresses that send too many bad messages where too many is a number you chose.

I wish that were true.  Recently the dictionary attacks are coming from completely unrelated IPs - you can sit there and watch the logs roll by and know that it's a dictionary attack, but none of the IPs match any other.  It's obviously a botnet or an IP spoofing scheme. Blacklists likely won't help much there.

Well, my server already subjects anything that looks like a possible dynamic IP to extra scrutiny, and I find that the zen rbl list does a pretty fine job keeping caught up on the botnets, still, zen doesn't prevent them connecting.

I did notice in your one minute log that there were several different connections, but all were dumping dozens of addresses, right?

I would like to see a solution where frequent dumps like that resulted in being added to a local rbl of sorts, but the fact is that parsing the maillog that frequently is expensive.


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster