On Wednesday 26 Oct 2005 22:51, ISP Lists wrote:
> CHKUSER 2.0.8b on qmail 1.03 and vpopmail 5.4.10.
>
> I LOVE that CHKUSER can single out the unknown recipients and block the
> offending SMTP session - big traffic control helper! However, I've got
> one domain that's really being hit hard by dictionary attacks. Some
> attack traffic is a few hits from many IPs, other traffic is many hits
> from few IPs.
>
> What I'd like to do is get something that's like an IDS that reads log
> output for CHKUSER rejections - currently only outputting to
>
> /var/log/qmail/smtp/current

cat current | grep 'CHKUSER rejected rcpt:' | tai64nlocal >> mylog

then write a perl script to pull the IP addresses into a list and compare
with what you already have in tcp.smtp

> and have that information parsed for the specific domain and have the
> offending sender IP stuffed into a database (probably with a timestamp).
> Then I would build some scripted logic to query the database to figure out
> if I've been hit N number of times from an IP in a certain window of time;
> thus the trigger to update tcp.smtp with the offender.
>
> I think I might go ahead and just "compile" the tcp.smtp at each pass,
> that way I can keep tcp.smtp as compact as possible. Those who've stopped
> being naughty are taken off the blocklist eventually. Almost an RBL
> mentality I guess. (and yes, I AM running with the Spamhaus RBL also).
>
> I gotta believe some smart person already built this, but I don't know if
> it's called something specific. Big challenge for me is how to keep an
> eye on a logfile for any particular time (particularly given DJB's arcane
> date values in the above log file) and not end up reprocessing data I've
> already seen.
>
> Help appreciated and thanks!
> Dave.

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
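The procedure Dave sketches above (read CHKUSER rejections from the multilog file, pick out the sender IPs for one domain, count hits per IP inside a time window, and emit tcp.smtp deny entries without reprocessing lines already seen) is shown below as an added example; it is not code from either poster nor from chkuser or qmail, and it is written in Python rather than the perl Bob suggests. It assumes the CHKUSER "rejected rcpt" line layout shown in the constructed sample (`remote <helo:rdns:ip>` and `rcpt <user@domain>`), decodes the `@4000...` TAI64N labels the same way tai64nlocal does (label minus 2^62 minus 10 seconds, extra leap seconds ignored), and uses the fact that TAI64N labels sort lexically in time order to keep a "last label processed" cursor between runs instead of a database. The threshold, window and sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of /var/log/qmail/smtp/current (multilog TAI64N labels).
# The CHKUSER line layout is an assumption; adjust CHKUSER_RE if your build logs differently.
SAMPLE_LOG = """\
@400000004360fa1a0b2d3c4c CHKUSER rejected rcpt: from <joe@example.org:> remote <mx1:unknown:198.51.100.7> rcpt <aaron@example.com> : not existing recipient
@400000004360fa1c0b2d3c4c CHKUSER rejected rcpt: from <joe@example.org:> remote <mx1:unknown:198.51.100.7> rcpt <abby@example.com> : not existing recipient
@400000004360fa1e0b2d3c4c CHKUSER accepted rcpt: from <ann@example.net:> remote <mail:host.example.net:203.0.113.9> rcpt <dave@example.com> : found existing recipient
@400000004360fa200b2d3c4c CHKUSER rejected rcpt: from <joe@example.org:> remote <mx1:unknown:198.51.100.7> rcpt <adam@example.com> : not existing recipient
@400000004360fa220b2d3c4c CHKUSER rejected rcpt: from <x@example.org:> remote <srv:unknown:192.0.2.33> rcpt <zed@other.example> : not existing recipient
@400000004360fb200b2d3c4c CHKUSER rejected rcpt: from <joe@example.org:> remote <mx1:unknown:198.51.100.7> rcpt <alan@example.com> : not existing recipient
"""

# tai64nlocal's conversion: a TAI64 label is 2^62 + TAI seconds, and the tool
# treats (label - 2^62 - 10) as Unix time, ignoring leap seconds added later.
TAI64_OFFSET = (1 << 62) + 10

# Assumed CHKUSER rejection layout: the IP is the last colon field of "remote <...>".
CHKUSER_RE = re.compile(
    r"^@(?P<label>[0-9a-f]{24}) CHKUSER rejected rcpt: "
    r"from <[^>]*> remote <[^>]*:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})> "
    r"rcpt <[^@>]*@(?P<domain>[^>]+)> :"
)


def tai64n_to_unix(label):
    """Decode a 24-hex-digit TAI64N label (without the '@') to (unix_secs, nanos)."""
    return int(label[:16], 16) - TAI64_OFFSET, int(label[16:], 16)


def parse_rejections(lines, after_label=None):
    """Yield (label, unix_secs, ip, rcpt_domain) for each CHKUSER rejection
    newer than after_label. Labels are fixed-width lowercase hex, so a plain
    string comparison skips everything processed on an earlier run."""
    for line in lines:
        m = CHKUSER_RE.match(line)
        if not m:
            continue
        label = m.group("label")
        if after_label is not None and label <= after_label:
            continue
        secs, _ = tai64n_to_unix(label)
        yield label, secs, m.group("ip"), m.group("domain").lower()


def find_offenders(lines, threshold, window_secs, domain=None, after_label=None):
    """Return (offenders, last_label): IPs that produced >= threshold rejections
    for `domain` inside any sliding window of window_secs, plus the newest label
    seen (persist it and pass it back as after_label next time)."""
    recent = defaultdict(deque)   # ip -> timestamps of rejections still inside the window
    offenders = set()
    last_label = after_label
    for label, secs, ip, rcpt_domain in parse_rejections(lines, after_label):
        last_label = label
        if domain is not None and rcpt_domain != domain.lower():
            continue
        q = recent[ip]
        q.append(secs)
        while q and secs - q[0] > window_secs:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders.add(ip)
    return offenders, last_label


def tcp_smtp_deny_lines(offenders):
    """tcprules syntax for tcp.smtp: one 'ip:deny' line per offending address."""
    return [f"{ip}:deny" for ip in sorted(offenders)]


if __name__ == "__main__":
    found, cursor = find_offenders(SAMPLE_LOG.splitlines(), threshold=3,
                                   window_secs=60, domain="example.com")
    print("\n".join(tcp_smtp_deny_lines(found)))
    print("last label processed:", cursor)
    print("as UTC:", datetime.fromtimestamp(tai64n_to_unix(cursor)[0], timezone.utc))
```

On the sample, 198.51.100.7 is reported (three rejections for example.com within six seconds) while 192.0.2.33, with a single hit against a different domain, is not. Each run starts from the stored cursor, so rotated or re-read log data is never counted twice; the deny lines are meant to be merged with your existing tcp.smtp before recompiling it with tcprules, and the "expire after a quiet period" behaviour Dave wants follows naturally if you rebuild the list from only the rejections inside the window on every pass.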