Without giving too much away about how I've implemented this.....

Basically --

Greylisting (triplet based)
Throttling -- User based against triplet scoring
Remote IP -- Against tries/retries

Eg the last virus to do the rounds, that .Y or .Z depending on your AV, basically tried to send x million virus to said addresses..

Spool em if over X and worry about em separate (if doing user based scanning!!!) else set a throttle for domain based only allowing maybe 25 users tries

soon as u get a fail - grey list and out she goes (not an MD feature)

run sender verify & helo arg checks against sending host (as well as RBL etc) (add to spam score accordingly)

Run LDAP against your recip server (you do run MD as a gateway not a terminating MTA??)

Remember all valid mail servers will resend the mail within a reasonable time period.... spammers won't

You can reduce your received spam by about 60ish% using this (since you never receive it); the rest is caught by SpamAssassin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alex Moore
Sent: 15 December 2005 21:06
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] dictionary attacks looking for a valid user

I have not seen this topic discussed. BTW, I appreciate the recent thread on greylisting.

Spammer scenario: A spammer tries many times to find a user with something like a dictionary attack or a list of commonly used user names.

How can I set up a rule in MIMEDefang to define those transactions? Say when an SMTP server tries 10 times within a short time period and is sent a 550 code each time. I think that it would be appropriate to have MD just blacklist that address. Is that possible? I want to ignore them completely after this event has occurred.

Ideas?

Thanks,
Alex
--
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
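
Added example (not part of the original thread, and not MIMEDefang code): the rule asked about above, blocking a relay IP once 10 of its recipients have been rejected with a 550 within a short period, written as a standalone Python class. The class and function names, the 60-second window, the one-hour block and the sample events are assumptions, as is the use of Python rather than the Perl of a MIMEDefang filter.

```python
from collections import defaultdict, deque

class RcptFailureThrottle:
    """Block a relay IP after too many 550-rejected recipients in a time window."""
    def __init__(self, max_failures=10, window=60.0, block_for=3600.0):
        self.max_failures = max_failures     # "10 times" from the post
        self.window = window                 # assumed "short time period", seconds
        self.block_for = block_for           # assumed block duration, seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent 550 replies
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is not None and now >= until:
            del self._blocked_until[ip]      # block expired, forget it
            return False
        return until is not None

    def record(self, ip, smtp_code, now):
        """Record one RCPT reply; return True if the IP is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        if smtp_code != 550:
            return False                     # accepted recipients are not counted
        q = self._failures[ip]
        q.append(now)
        while now - q[0] > self.window:      # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            del self._failures[ip]
            return True
        return False

def replay(events, throttle):
    """Return {ip: time it was first blocked} for (time, ip, smtp_code) events."""
    first_block = {}
    for now, ip, code in sorted(events):
        if throttle.record(ip, code, now):
            first_block.setdefault(ip, now)
    return first_block

# Constructed sample: one relay guesses a user every 2 s, another sends two
# mistyped addresses a long time apart and one valid recipient in between.
SAMPLE = [(2.0 * i, "192.0.2.10", 550) for i in range(12)]
SAMPLE += [(5.0, "198.51.100.7", 550), (9.0, "198.51.100.7", 250),
           (500.0, "198.51.100.7", 550)]

if __name__ == "__main__":
    print(replay(SAMPLE, RcptFailureThrottle()))
```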