[exim] Dealing with dictionary attacks

Author: Jonathan Vanasco
Date:  
To: Exim-users
Subject: [exim] Dealing with dictionary attacks

We get about 3 dictionary attacks on our servers each day. It's really
annoying.

I'm trying to come up with a way to combat them -- can anyone drop me
some pointers they use, or help me flesh out the following idea:

Here's my proposed idea
----
under acl_check_rcpt:
    if a "rejected RCPT $ADDRESS: Unrouteable address" error is tripped, 
we log the timestamp/datetime in two dbs -- once with the senderIP, 
another with the senderAddress


under acl_check_connect:
    we query the 2 dbs to see if there were 10 or more entries for the ip 
or sender address within the last 3 minutes


This assumes that a dictionary attack will have 10+ guesses in 3
minutes. Usually, they seem to work at 1, 3 and 8 second intervals against
our servers.

The sender-address blocking might be too much, in case it's spoofed.
Maybe it would be either IP or sender_address + IP, as our spammers
tend not to cycle the sender address.

comments? suggestions on how to pull it off?
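As an added illustration of the proposal above (this is not code from the original post and not Exim's own code), here is the sliding-window counter in Python: every "Unrouteable address" rejection at the RCPT stage is recorded under a key, and a later check refuses clients whose key has reached 10 rejections within the last 180 seconds. One caveat the poster's sketch glosses over: at `acl_check_connect` the envelope sender is not yet known, so a counter keyed on IP + sender can only be checked at the MAIL stage, which is what the `mode="pair"` variant below does. The class name, the event tuple shape, and all IPs, addresses and timestamps are constructed for this example.

```python
"""Sliding-window counter for unrouteable-recipient rejections.

Added example modelling the mailing-list proposal; not part of Exim and
not the poster's code.  Event timestamps, IPs and addresses are
constructed sample data.
"""
from collections import defaultdict, deque

WINDOW = 180      # seconds: the proposed 3-minute window
THRESHOLD = 10    # rejections inside the window that mark a client hostile


class RejectionTracker:
    """Remembers rejection timestamps per key and answers 'over limit?'."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)   # key -> timestamps, oldest first

    def _prune(self, key, now):
        # Drop entries that have aged out of the window; forget empty keys
        # so the table does not grow with every IP that ever connected.
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            self.hits.pop(key, None)

    def record_rejection(self, key, now):
        """RCPT stage: an 'Unrouteable address' rejection for this key."""
        self._prune(key, now)
        self.hits[key].append(now)

    def count(self, key, now):
        self._prune(key, now)
        return len(self.hits.get(key, ()))

    def over_threshold(self, key, now):
        """Has this key accumulated THRESHOLD rejections inside the window?"""
        return self.count(key, now) >= self.threshold


def replay(events, mode="ip", window=WINDOW, threshold=THRESHOLD):
    """Replay (time, kind, ip, sender) events, given in time order.

    kind is "connect", "mail" or "unrouteable".  mode="ip" keys on the
    client IP and checks at connect time; mode="pair" keys on
    (ip, envelope sender) and therefore checks at MAIL time, since the
    sender is unknown at connect.  Returns the refused (time, ip, sender).
    """
    tracker = RejectionTracker(window, threshold)
    check_stage = "connect" if mode == "ip" else "mail"
    refused = []
    for t, kind, ip, sender in events:
        key = (ip,) if mode == "ip" else (ip, (sender or "").lower())
        if kind == "unrouteable":
            tracker.record_rejection(key, t)
        elif kind == check_stage and tracker.over_threshold(key, t):
            refused.append((t, ip, sender))
    return refused


# Constructed sample: a guesser behind 203.0.113.7 burns 10 unrouteable
# recipients in 37 s (roughly the 1/3/8-second cadence described), a
# second user shares that IP, and a legitimate host mistypes two addresses.
ATTACKER_IP, NAT_USER, LEGIT_IP = "203.0.113.7", "bob@example.org", "198.51.100.5"
SAMPLE_EVENTS = (
    [(t, "unrouteable", ATTACKER_IP, "bulk@example.net")
     for t in (1, 2, 5, 13, 14, 17, 25, 26, 29, 37)]
    + [(40, "connect", ATTACKER_IP, None),
       (40, "mail", ATTACKER_IP, "bulk@example.net"),
       (45, "connect", ATTACKER_IP, None),        # innocent user, same IP
       (45, "mail", ATTACKER_IP, NAT_USER),
       (50, "unrouteable", LEGIT_IP, "alice@example.org"),
       (120, "unrouteable", LEGIT_IP, "alice@example.org"),
       (130, "connect", LEGIT_IP, None),
       (130, "mail", LEGIT_IP, "alice@example.org"),
       (300, "connect", ATTACKER_IP, None),       # window has expired
       (300, "mail", ATTACKER_IP, "bulk@example.net")]
)

if __name__ == "__main__":
    for mode in ("ip", "pair"):
        print(mode, replay(SAMPLE_EVENTS, mode=mode))
```

Keying on IP alone refuses both connections from 203.0.113.7 at t=40 and t=45, including the innocent user behind the same address; keying on (IP, sender) refuses only the guesser's MAIL command at t=40 and lets the other sender through, at the cost of doing nothing if the attacker rotates sender addresses. Both variants let the host with two typos through and let the blocked client back in once the window has aged out. Note that Exim forks a process per SMTP connection, so the in-memory table here would have to be the shared database the proposal mentions; newer Exim releases also ship a built-in `ratelimit` ACL condition that can count per-client events without an external store.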