Author: Rossz Vamos-Wentworth
Date:
To: Exim-users
Subject: Re: [Exim] Very anoying virus behavior
Walt Reed wrote:
> One of the things I've noticed about this latest email worm is that it
> seems to be doing a namelist attack. Looking at my logs, I'm getting
> hundreds of hits to nonexistent names. Occasionally it finds a valid
> one, which is rejected by the exiscan rule.
>
> Anyway, rather than waste my mail server's time and bandwidth, I was
> thinking along the lines of processing the logs looking for the pattern,
> and adding a firewall rule to drop the host. Has anyone done that already or
> working on something like this? Greylisting doesn't seem like it would work as
> this worm does multiple tries.
I've been getting those hits, too. I've manually blocked a few.
Automating the process shouldn't be that hard. Just a small program
that checks how many invalid addresses have been attempted from an IP
address and invokes iptables when a certain threshold is reached.
Perhaps a cron job that removes the blocks after a set time (a few days,
perhaps). I did something similar to this for Code Red and Nimda hits,
except there was no "grace" period. The first hit got you blocked.
> Maybe an "infected by worm" DNSBL would work.
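An added example, not code from either poster, of the per-IP counter Rossz describes: it parses constructed Exim-style "Unrouteable address" RCPT reject lines, lists senders that reached a threshold, emits the iptables commands that would drop them, and works out which blocks the cleanup cron job should lift. The log line layout, the threshold of 3, the port-25 DROP rule and the 3-day expiry are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Exim 4 style reject line for an unknown local recipient (assumed layout, field order as in mainlog).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r".*rejected RCPT <[^>]*>: Unrouteable address$"
)
STAMP = "%Y-%m-%d %H:%M:%S"

# Constructed log excerpt: 192.0.2.10 probes three bogus names, 198.51.100.7 makes one typo.
SAMPLE_LOG = """\
2004-01-28 10:01:02 H=(zzz) [192.0.2.10] F=<x@example.net> rejected RCPT <aaron@example.org>: Unrouteable address
2004-01-28 10:01:03 H=(zzz) [192.0.2.10] F=<x@example.net> rejected RCPT <abel@example.org>: Unrouteable address
2004-01-28 10:01:05 H=(zzz) [192.0.2.10] F=<x@example.net> rejected RCPT <ada@example.org>: Unrouteable address
2004-01-28 10:02:11 H=mx.example.com [198.51.100.7] F=<y@example.com> rejected RCPT <typo@example.org>: Unrouteable address
2004-01-28 10:03:00 1AlXyz-0001a2-3b <= z@example.com H=mx.example.com [198.51.100.7] P=esmtp S=1234
"""

def count_invalid_rcpt(log_text):
    """Count 'Unrouteable address' RCPT rejections per sending IP; other lines are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def offenders(hits, threshold=3):
    """IPs whose invalid-recipient count reached the threshold (sorted for stable output)."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def block_cmds(ips):
    """iptables commands that would drop SMTP from each offender; returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

def expired_blocks(blocked_at, now, ttl_days=3):
    """IPs blocked at least ttl_days ago, given 'ip -> timestamp' as a state file would store it."""
    now_dt = datetime.strptime(now, STAMP)
    return sorted(ip for ip, when in blocked_at.items()
                  if now_dt - datetime.strptime(when, STAMP) >= timedelta(days=ttl_days))

if __name__ == "__main__":
    for cmd in block_cmds(offenders(count_invalid_rcpt(SAMPLE_LOG))):
        print(cmd)
```

A cron job would run the counter over the rotated log, apply the returned commands, record the block time, and later run `iptables -D` with the same rule for whatever `expired_blocks` returns.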