The script runs from a cron job and checks the mail logs for excessive "User unknown" hits from an IP address. The original version uses IP routing commands to ignore all incoming connections, but it's easy enough to adapt it to other actions (we have it add the IP to our local blacklist, for instance).

You might also look into Sendmail's BAD_RCPT_THROTTLE feature. It doesn't block them, but it'll slow them down a bit.

I use a solution with the Bad Rcpt Throttle and a POP Before SMTP daemon that works very well by monitoring the maillogs.

Essentially, it monitors the logs and modifies IPTables to block the sender. We've been using it for WELL over a year now with only one user complaint ever.

http://www.peregrinehw.com/downloads/sendmail/sendmail-8.12.X/untarred/contrib/poprelay-RCPT_Throttle/

Also, for my own personal setup since I use virtusertables as well, I have set a very hard-coded check in filter_recipient like this:

    # Only applies to recipients matching the pattern below
    if ($recip =~ /[EMAIL PROTECTED]>?$/i) {
        # Reject unless the local part starts with one of the known names
        if ($recip !~ /^<?(wellsfargo|sbc|paypal|aclu|amazon|congress|gd-algorithms|ign|register|classmates\.com|dean|ecost|eff|eharmony|empeg|ice|publicknowledge\.org|vtalum|yahoo)/i) {
            md_syslog('warning', "Rejecting $recip - Custom munged No Such User");
            return ('REJECT', "No such user here");
        }
    }

It's not perfect but something you might be able to build on.

One of these days, I have SourceForge rights to merge my poprelayd back with the master one but time is never on my side. However, it's a good thing to have that is constantly scanning the maillogs and I've built lots of little proprietary tweaks onto it.

Regards,
KAM
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
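
The log-scanning approach discussed in this thread (count "User unknown" hits per connecting IP and act on the ones over a limit), as an added example; it is not the cron script or the poprelayd code the posters refer to. The sendmail log line shapes, the threshold, the allowlist and all names here are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Assumed sendmail syslog shapes (constructed for this example, not from the thread):
#   <qid>: <rcpt>... User unknown
#   <qid>: from=<...>, ..., relay=host [ip]
QID = r"sendmail\[\d+\]: (?P<qid>\w+): "
UNKNOWN_RE = re.compile(QID + r"<[^>]*>\.\.\. User unknown")
RELAY_RE = re.compile(QID + r"from=.*\brelay=[^,]*\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]")

def find_offenders(lines, threshold=3, allowlist=("127.0.0.1",)):
    """Return {ip: count} for relays with at least `threshold` unknown-user hits."""
    unknown_by_qid = Counter()   # qid -> rejected recipients in that session
    ip_by_qid = {}               # qid -> relay IP taken from the from= line
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            unknown_by_qid[m["qid"]] += 1
            continue
        m = RELAY_RE.search(line)
        if m:
            ip_by_qid[m["qid"]] = m["ip"]
    hits = Counter()
    for qid, count in unknown_by_qid.items():
        ip = ip_by_qid.get(qid)  # from= line can be absent, e.g. log rotated mid-session
        if ip and ip not in allowlist:
            hits[ip] += count    # one IP may spread its probes over several sessions
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log: 192.0.2.10 probes four addresses over two sessions.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx sendmail[2101]: j23AF1a1002101: <aaron@example.com>... User unknown
Mar  3 10:15:01 mx sendmail[2101]: j23AF1a1002101: <abby@example.com>... User unknown
Mar  3 10:15:02 mx sendmail[2101]: j23AF1a1002101: <adam@example.com>... User unknown
Mar  3 10:15:02 mx sendmail[2101]: j23AF1a1002101: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Mar  3 10:16:10 mx sendmail[2107]: j23AGAb2002107: <typo@example.com>... User unknown
Mar  3 10:16:10 mx sendmail[2107]: j23AGAb2002107: from=<bob@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Mar  3 10:17:30 mx sendmail[2110]: j23AHUc3002110: <al@example.com>... User unknown
Mar  3 10:17:31 mx sendmail[2110]: j23AHUc3002110: from=<y@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
""".splitlines()

if __name__ == "__main__":
    for ip, n in sorted(find_offenders(SAMPLE_LOG).items()):
        print(f"{ip} {n}")   # feed these to the local blacklist or firewall step
```

The single mistyped address from 198.51.100.7 stays under the threshold, which is the property that keeps a scheme like this from blocking legitimate senders.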
