Scott writes:

At the moment one of my mail servers is being bombarded with delivery attempts to unknown users at the rate of thousands every minute ([EMAIL PROTECTED] [EMAIL PROTECTED] etc). Courier is faithfully denying them with 550 User Unknown errors. I've extracted all the connecting IPs from maillog and have found over 100,000 unique IPs! Some of them are from huge ranges of class A addresses. This is the first time I've had this happen and I wonder two things:

I doubt that it's really 100,000 unique IPs. Double-check your script. It's probably in the range of a few thousand. That's feasible.

1. Who/what is doing this?

A dictionary attacker.

2. What can I do to block this behavior.

Use a good blacklist of open proxies. It won't make that much of a difference; but it will keep the dictionary attacker from picking up a valid address if tried from a blacklisted IP.

Also, anecdotal evidence suggests that if you install a multiline esmtpgreeting file, and enable opt BOFHCHECKHELO=1, this'll screw up most dictionary attackers.
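As an added example (not part of this thread or of Courier itself), a short script to double-check the unique-IP figure from a Courier maillog and to pull out the sources that look like the dictionary attacker, i.e. those probing many distinct unknown mailboxes; the courieresmtpd log line format and the sample lines are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed maillog excerpt (courieresmtpd line format assumed, not taken from
# the post): one "started" line per connection, one "error" line per 550 reject.
SAMPLE_MAILLOG = """\
Jan 10 12:00:01 mx courieresmtpd: started,ip=[::ffff:198.51.100.7]
Jan 10 12:00:01 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<x@example.net>,to=<aaron@example.org>: 550 User unknown.
Jan 10 12:00:02 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<x@example.net>,to=<abby@example.org>: 550 User unknown.
Jan 10 12:00:03 mx courieresmtpd: started,ip=[::ffff:203.0.113.9]
Jan 10 12:00:03 mx courieresmtpd: error,relay=::ffff:203.0.113.9,from=<y@example.com>,to=<bob@example.org>: 550 User unknown.
Jan 10 12:00:04 mx courieresmtpd: started,ip=[::ffff:198.51.100.7]
Jan 10 12:00:04 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<x@example.net>,to=<adam@example.org>: 550 User unknown.
Jan 10 12:00:05 mx courieresmtpd: started,ip=[::ffff:192.0.2.44]
"""

# The ::ffff: IPv4-mapped prefix is stripped so one host is not counted twice.
STARTED_RE = re.compile(r"courieresmtpd: started,ip=\[(?:::ffff:)?([^\]]+)\]")
REJECT_RE = re.compile(
    r"courieresmtpd: error,relay=(?:::ffff:)?([^,]+),from=<[^>]*>,to=<([^>]*)>: 550 ")


def parse_maillog(text):
    """Return (connections per IP, set of 550-rejected recipients per IP)."""
    connections, rejected = defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        if m := STARTED_RE.search(line):
            connections[m.group(1)] += 1
        elif m := REJECT_RE.search(line):
            rejected[m.group(1)].add(m.group(2).lower())
    return connections, rejected


def count_unique_ips(text):
    """Distinct connecting IPs: the figure to sanity-check before trusting it."""
    return len(parse_maillog(text)[0])


def dictionary_attack_suspects(text, min_unknown_recipients=3):
    """IPs that probed >= min_unknown_recipients distinct unknown mailboxes,
    most aggressive first: the footprint of an address-guessing run."""
    _, rejected = parse_maillog(text)
    hits = [(ip, len(r)) for ip, r in rejected.items() if len(r) >= min_unknown_recipients]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    print("unique IPs:", count_unique_ips(SAMPLE_MAILLOG))
    for ip, n in dictionary_attack_suspects(SAMPLE_MAILLOG):
        print(f"{ip}: {n} distinct unknown recipients")
```

Run it against the real file with `parse_maillog(open("/var/log/maillog").read())`; the suspect list is what you would feed into a local block list, while the unique-IP count tells you whether the 100,000 figure survives deduplication of the ::ffff: spelling.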
