Re: [exim] Dealing with dictionary attacks

Author: Jonathan Vanasco
Date:  
To: Exim-users
Subject: Re: [exim] Dealing with dictionary attacks
I've got teergrubing installed via sa-exim at local_scan.

Haven't tried stalling tactics -- but that's kinda what I want to do.
I've been manually adding offenders to a permanent blacklist. I feel
uneasy automating that, as one of our clients that we host had a
virus-laden machine and we ended up blocking his whole company before
we realized it was him.

Anyways, these attempts seem to be multiple SMTP connections from virus
boxes -- chances are I want them out for good, but I'd feel safer with
a temporary blacklist based on failed recipients.

==

On Jan 31, 2005, at 12:30 PM, Michael F. Sprague wrote:

> Have you tried using stalling tactics (delay) and/or dropping the
> connection if there are many failed recipients? These tactics work but
> unless you grab and add the sending host's IP address to a blacklist,
> they'll just come back and try again. :)


On Jan 31, 2005, at 12:29 PM, Tabor J. Wells wrote:

> Search the exim-users list archive for "teergrubing" or "tarpit". There
> are some examples in the list archives using delay and $rcpt_fail_count
> to increase the delay time based on the number of failed recipients.
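
Added example, not part of the original thread: a sketch of the temporary blacklist based on failed recipients that the message asks for, with an exemption list so hosted clients' networks are never blocked automatically. The log lines, thresholds, function names and address ranges are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of Exim main-log RCPT rejections
# (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2005-01-31 12:00:01 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <aaron@example.org>: Unknown user
2005-01-31 12:00:03 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <abby@example.org>: Unknown user
2005-01-31 12:00:05 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <adam@example.org>: Unknown user
2005-01-31 12:00:07 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <alan@example.org>: Unknown user
2005-01-31 12:01:00 H=(client) [198.51.100.7] F=<b@example.com> rejected RCPT <bob@example.org>: Unknown user
2005-01-31 12:01:02 H=(client) [198.51.100.7] F=<b@example.com> rejected RCPT <bea@example.org>: Unknown user
2005-01-31 12:01:04 H=(client) [198.51.100.7] F=<b@example.com> rejected RCPT <ben@example.org>: Unknown user
2005-01-31 12:02:00 H=(mx) [203.0.113.5] F=<c@example.com> rejected RCPT <typo@example.org>: Unknown user
2005-01-31 12:03:00 1CvhXy-0001Ab-2C <= c@example.com H=(mx) [203.0.113.5] P=esmtp S=1234
"""

# Timestamp, bracketed host address, then the rejection marker.
REJECT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([0-9a-fA-F.:]+)\] .*rejected RCPT "
)

def temp_blocklist(log_text, threshold=3, window=timedelta(minutes=10),
                   ttl=timedelta(hours=1), exempt=()):
    """Return {ip: expiry} for hosts with >= threshold failed RCPTs inside window."""
    nets = [ip_network(n) for n in exempt]
    recent = {}   # ip -> failure timestamps still inside the sliding window
    blocked = {}  # ip -> time at which the temporary block lapses
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if not m:
            continue  # deliveries and other log lines are ignored
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in n for n in nets):
            continue  # hosted clients: leave for manual review, never auto-block
        hits = [t for t in recent.get(ip, []) if when - t <= window] + [when]
        recent[ip] = hits
        if len(hits) >= threshold:
            blocked[ip] = when + ttl  # continued failures push the expiry out
    return blocked

def active_blocks(blocked, now):
    """Addresses whose temporary block has not yet expired at time `now`."""
    return sorted(ip for ip, expiry in blocked.items() if expiry > now)
```

With the client's network exempted, only the host that kept guessing recipients is listed, and the entry drops off by itself an hour after its last failure.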