Re: [cobalt-users] POP3 Scanning
- Subject: Re: [cobalt-users] POP3 Scanning
- From: "Al-Juhani" <aljuhani@xxxxxxxxx>
- Date: Thu Feb 12 12:34:02 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Qpopper is not sendmail..
One method is to limit the number of connections per minute (default value is 40 times) in /etc/inetd.conf; see the link below:
http://list.cobalt.com/pipermail/cobalt-users/2002-October/080095.html
-AND-
Use the TCPWrapper to allow pop3 (qpopper) access only to your user IPs. You will have to get the IPs from them or check your /var/log/secure or maillog to see what IPs are being used by your users.
in /etc/hosts.allow add the following:
in.qpopper: localhost, Your.IP.ADD.RE.SS, USERS.IPS
in /etc/hosts.deny add the following:
in.qpopper: ALL
when allowing IPs in the hosts.allow you can:
1. Enter an IP number (if static)
3. Enter the first 3 parts of the IP (111.222.333.)
4. Enter the reverse hostname of the ISP IP being used by your customer (.isp.net.sa)
There is of course another method that forces a limitation on TCP instances, and it can be utilized with inetd to limit the number of connections from one IP.
But above should help ..
Then you will see a lot of connection refused in your /var/log/secure from the IPs that are not granted to check Pop3.
Al-Juhani
aljuhani@xxxxxxxxx
----- Original Message -----
From: "VFastlink Support Team" <support@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, February 12, 2004 20:11
Subject: [cobalt-users] POP3 Scanning
>
> Recently we have seen an increase in POP3 scanning. The robot will open a
> POP3 connection and try to log in as some user. When the server says, "No
> such user here", it continues until it finds a valid email account. I call
> this trolling for valid mailboxes. I'm sure there is a more techie term for
> it.
>
> Anyway, has anyone found a good, solid way to prevent these people from
> doing this? Even if we could prevent the "No such user" response for
> invalid mailboxes, it would at least render their activities as useless.
>
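The hosts.allow / hosts.deny rules described in the reply above, modelled as an added example (not part of the original message and not tcpd's own code): a simplified Python version of the hosts_access(5) decision for the three pattern forms listed. The addresses are constructed documentation ranges and `.isp.example` is a hypothetical ISP domain.

```python
# Simplified model of TCP Wrappers matching (hosts_access(5)); IPv4 only.
# All addresses and hostnames are constructed sample values.
import re

HOSTS_ALLOW = "in.qpopper: localhost, 192.0.2.10, 198.51.100., .isp.example"
HOSTS_DENY = "in.qpopper: ALL"

def tokens(field):
    """Split a daemon or client list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", field.strip()) if t]

def parse(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(":")
        if len(parts) >= 2:
            rules.append((tokens(parts[0]), tokens(parts[1])))
    return rules

def pattern_matches(pattern, addr, hostname):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix: depends on the reverse DNS name
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # leading octets of the client address
        return addr.startswith(pattern)
    return pattern == addr or (hostname or "").lower() == pattern.lower()

def listed(rules, daemon, addr, hostname):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(pattern_matches(p, addr, hostname) for p in clients)
        for daemons, clients in rules
    )

def access(daemon, addr, hostname=None):
    """hosts.allow is consulted first, then hosts.deny; no match grants access."""
    if listed(parse(HOSTS_ALLOW), daemon, addr, hostname):
        return "allow"
    if listed(parse(HOSTS_DENY), daemon, addr, hostname):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for addr, name in [("192.0.2.10", None), ("198.51.100.77", None),
                       ("203.0.113.5", "dial-5.isp.example"), ("203.0.113.5", None)]:
        print(addr, name, access("in.qpopper", addr, name))
```

A client with no resolvable reverse name never matches the `.isp.example` form, and a daemon that appears in neither file is still allowed, so the `in.qpopper: ALL` deny line protects only that service.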