On Wed, 30/04/2003 at 12:20, ODHIAMBO G. Washington wrote:
> After a few days leave, everything has evaporated, so I seriously need
> some help. I have looked at the archives examples and used the following
> acl to try and keep away dictionary scans but it doesn't seem to work:
>
> drop  message     = *** Dict scan!. Too many bad recipients, $rcpt_fail_count out of $rcpt_count
>       condition   = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
>       delay       = ${eval: ($rcpt_fail_count + 1) * 1}m
>       log_message = Dictionary attack
>
> I've placed this right after the callout acl.

This works for me with 4.14. It's right at the top of acl_check_rcpt,
right after a dodgy helo/ehlo ACL and long before deny !verify = sender
or callout:

  deny  message     = Max 2 failed recipients allowed
        condition   = ${if >{$rcpt_fail_count}{1} {1}}
        delay       = ${eval: ($rcpt_fail_count) * 30}s
        log_message = $rcpt_fail_count failed recipient attempts

I agree with Giuliano, don't drop - they'll probably only begin again.
The idea is to suck blood indefinitely.

I've been trying to think myself into situations where a machine program
would legitimately start trying to send messages to more than two
fictive recipients in a single smtp connection (mailing lists, wrong
details filled into a form, mistakes by a sender etc.), but I haven't
been able to come up with a single one. Maybe somebody could show that
there could be a legitimate reason.

Best,
Tony
--
Tony Earnshaw
Do not come to visit me with both arms the same length.
e-mail: tonni@???
www: http://www.billy.demon.nl
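
Added example, not part of the message above or of Exim itself: a small Python model of how $rcpt_fail_count evolves within one SMTP connection under the quoted drop statement and the deny statement from the reply, showing the delay each one costs a scanning client and what happens to a sender with two mistyped addresses. It assumes both statements sit at the top of acl_check_rcpt, that unknown recipients are rejected further down without delay, and that every 5xx reply to RCPT (including the ACL's own deny) raises the counter; the function names and sample recipient lists are constructed for illustration.

```python
"""Model of $rcpt_fail_count for one SMTP connection under the two ACLs in this thread.

Assumptions (not from the original post): the statement sits at the top of
acl_check_rcpt, unknown recipients are rejected further down with no delay,
and every 5xx reply to RCPT, including the ACL's own deny, raises the counter.
"""
from dataclasses import dataclass


@dataclass
class Result:
    accepted: int = 0
    rejected: int = 0
    delay_s: int = 0
    dropped: bool = False


def simulate(rcpts, verb, threshold, delay_fn):
    """rcpts: list of bools, True where the recipient exists (constructed input)."""
    res, fail_count = Result(), 0
    for exists in rcpts:
        if fail_count > threshold:               # condition = ${if >{$rcpt_fail_count}{N}...}
            res.delay_s += delay_fn(fail_count)  # delay applies only when the condition held
            res.rejected += 1
            fail_count += 1
            if verb == "drop":                   # drop closes the connection
                res.dropped = True
                break
            continue                             # deny: the session stays open
        if exists:
            res.accepted += 1
        else:                                    # rejected by a later statement, no delay
            res.rejected += 1
            fail_count += 1
    return res


def quoted_acl(rcpts):   # drop, > 2, ($rcpt_fail_count + 1) * 1 minutes
    return simulate(rcpts, "drop", 2, lambda n: (n + 1) * 60)


def reply_acl(rcpts):    # deny, > 1, $rcpt_fail_count * 30 seconds
    return simulate(rcpts, "deny", 1, lambda n: n * 30)


if __name__ == "__main__":
    scan = [False] * 10                          # constructed: ten unknown recipients
    two_typos = [True, False, False, True, True] # constructed: two mistyped addresses
    for name, rcpts in (("scan", scan), ("two typos", two_typos)):
        print(name, "quoted:", quoted_acl(rcpts), "reply:", reply_acl(rcpts))
```

Under these assumptions the deny variant also refuses the valid recipients that follow two failures in the same connection, which is the case the question about legitimate senders turns on.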