> At the moment one of my mail servers is being bombarded with delivery
> attempts to unknown users at the rate of thousands every minute
> (bobg@...... bobh@...... etc). Courier is faithfully denying
> them with 550 User Unknown errors. I've extracted all the connecting IPs
> from maillog and have found over 100,000 unique IPs! Some of them are from
> huge ranges of class A addresses. This is the first time I've had this
> happen and I wonder two things:
I doubt that it's really 100,000 unique IPs. Double-check your script.
It's probably in a few thousands' range. That's feasible.
> 1. Who/what is doing this?
A dictionary attacker.
> 2. What can I do to block this behavior.
Use a good blacklist of open proxies. It won't make that much of a
difference; but it will keep the dictionary attacker from picking up a valid
address if tried from a blacklisted IP.
Also, anecdotal evidence suggests that if you install a multiline
esmtpgreeting file, and enable opt BOFHCHECKHELO=1, this'll screw up most