Scott writes:
> At the moment one of my mail servers is being bombarded with delivery
> attempts to unknown users at the rate of thousands every minute
> (bobg@...... bobh@...... etc). Courier is faithfully denying
> them with 550 User Unknown errors. I've extracted all the connecting IPs
> from maillog and have found over 100,000 unique IPs! Some of them are from
> huge ranges of class A addresses. This is the first time I've had this
> happen and I wonder two things:
I doubt that it's really 100,000 unique IPs. Double-check your script.
It's probably in the few-thousands range. That's feasible.
> 1. Who/what is doing this?
A dictionary attacker.
> 2. What can I do to block this behavior?
Use a good blacklist of open proxies. It won't make that much of a
difference, but it will keep the dictionary attacker from picking up a valid
address if tried from a blacklisted IP.
Also, anecdotal evidence suggests that if you install a multiline
esmtpgreeting file, and enable opt BOFHCHECKHELO=1, this'll screw up most
dictionary attackers.
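The reply's suggestion to double-check the unique-IP script is worth illustrating. Below is an added example (not part of the original thread, and not Courier's own tooling) that parses `550 User ... unknown` rejections in the shape of courieresmtpd maillog lines, counts unique relay IPs after stripping the `::ffff:` IPv4-mapped prefix, and flags sources that probed several distinct nonexistent recipients, which is the dictionary-attack pattern described above. The log lines are constructed and only approximate Courier's real format; the field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the approximate shape of courieresmtpd
# rejection entries (not copied from a real maillog). Note that the same
# host appears once as ::ffff:198.51.100.7 and once as 198.51.100.7, which
# a naive "unique relay=" count treats as two different sources.
SAMPLE_LOG = """\
Jun 12 10:00:01 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<bobg@example.org>: 550 User <bobg@example.org> unknown
Jun 12 10:00:01 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<bobh@example.org>: 550 User <bobh@example.org> unknown
Jun 12 10:00:02 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<bobi@example.org>: 550 User <bobi@example.org> unknown
Jun 12 10:00:02 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<spam@example.net>,to=<bobj@example.org>: 550 User <bobj@example.org> unknown
Jun 12 10:00:03 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<spam@example.net>,to=<bobg@example.org>: 550 User <bobg@example.org> unknown
Jun 12 10:00:03 mx courieresmtpd: error,relay=198.51.100.7,from=<spam@example.net>,to=<bobk@example.org>: 550 User <bobk@example.org> unknown
Jun 12 10:00:04 mx courieresmtpd: error,relay=::ffff:203.0.113.5,from=<alice@example.com>,to=<nosuch@example.org>: 550 User <nosuch@example.org> unknown
Jun 12 10:00:05 mx courieresmtpd: started,ip=[::ffff:203.0.113.5]
"""

# Matches the relay address and recipient of a 550 rejection line.
# Assumed field layout; adjust to the real maillog if it differs.
REJECT_RE = re.compile(
    r"relay=(?P<ip>[^,]+),from=<[^>]*>,to=<(?P<rcpt>[^>]*)>: 550 "
)
MAPPED_PREFIX = "::ffff:"


def normalize_ip(ip: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix so one host has one spelling."""
    return ip[len(MAPPED_PREFIX):] if ip.startswith(MAPPED_PREFIX) else ip


def unknown_user_rejections(lines):
    """Yield (normalized_ip, recipient) for each '550 ... unknown' line."""
    for line in lines:
        if "courieresmtpd" not in line or " unknown" not in line:
            continue
        m = REJECT_RE.search(line)
        if m:
            yield normalize_ip(m.group("ip")), m.group("rcpt").lower()


def raw_relay_strings(lines):
    """The naive count: every distinct relay= string, un-normalized.
    This is the kind of script that over-reports unique sources."""
    return {m.group(1) for line in lines
            for m in [re.search(r"relay=([^,]+),", line)] if m}


def unique_relay_ips(lines):
    """Distinct rejected sources after normalization."""
    return {ip for ip, _ in unknown_user_rejections(lines)}


def dictionary_attack_candidates(lines, min_distinct_rcpts=3):
    """Map IP -> number of distinct unknown recipients it tried, keeping
    only IPs at or above the threshold. Many distinct bad recipients from
    one source is the dictionary-attack signature; a single mistyped
    address from a legitimate sender does not reach the threshold."""
    tried = defaultdict(set)
    for ip, rcpt in unknown_user_rejections(lines):
        tried[ip].add(rcpt)
    return {ip: len(r) for ip, r in tried.items() if len(r) >= min_distinct_rcpts}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive unique relay strings:", len(raw_relay_strings(lines)))
    print("normalized unique IPs:     ", len(unique_relay_ips(lines)))
    for ip, n in sorted(dictionary_attack_candidates(lines).items()):
        print(f"candidate {ip}: {n} distinct unknown recipients")
```

On the constructed sample the naive count reports four sources while the normalized count reports three, which is the same kind of discrepancy the reply suspects behind the 100,000 figure. The candidate list is the thing worth feeding to a blocklist or rate limiter rather than the raw set of rejected IPs, since it separates probing hosts from senders who mistyped one address.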