Ki Song wrote:
From: Paul Howarth <paul@xxxxxxxxxxxx>
Ki Song wrote:
One reason why the maillog is so huge is because all the messages that are
trying to be sent to this domain (knifecenter.com) that are the target of
spam ... basically, they are sending to any and all potential names in the
knifecenter domain ... for example, a particular server tries to send a
message (probably spam) to: a@xxxxxxxxxxxxxxx, then aa@xxxxxxxxxxxxxxx, then
ab@xxxxxxxxxxxxxxx, then ac@xxxxxxxxxxxxxxx, etc.
The maillog contains all the rejected messages because those addresses do
not exist. How do I continue to reject the messages to erroneous addresses
without showing it in the maillog?
You don't. You firewall off the server that's doing the dictionary
attack and then your mail server will never see the connections from it,
hence no logging.
Isn't that just putting a "bandaid" on the problem ... I mean, isn't the
list of ip addresses that i firewall off eventually going to be too big to
manage?
That may depend on how many different sites attempt dictionary attacks
on your server. I wouldn't expect it to be that large a list really,
unless someone's particularly trying to reach *your* users.
If the above isn't true, is there a central location that people can get a
hold of that has a list of "bad ip" addresses? Similar to Spamassassin's
list?
Not that I know of, but you could take an approach like that of
"denyhosts", which scans log files for ssh attacks and blocks the
offending IPs.
Paul.
