Re: [cobalt-users] How to defend against dictionary attacks?
- Subject: Re: [cobalt-users] How to defend against dictionary attacks?
- From: Richard Siddall <cobalt@xxxxxxxxxxx>
- Date: Thu Apr 15 08:33:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Glenn Parsons wrote:
Hello All,
I am seeing, what I think are called 'dictionary attacks,' on my mail
server for users on a regular basis. How can I prevent them, or guard
against them? My logs are not providing an address to block. I can't
tell who is instigating this!
Apr 14 00:59:14 mail sendmail[8099]: i3E4xEp08099: <hhb273rdmsxb@xxxxxxxxxx>... No such user here
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <bernard@xxxxxxxxxx>... No such user here
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <louise@xxxxxxxxxx>... No such user here
Glenn,
We saw this earlier in the week. It's an e-mail that's being sent to a
large number of common names at a given domain.
SSH into your server and look at /var/log/maillog. Search for the
message number, i3E4xEp08097 in the log snippet above. The last entry
will show you where the message came from. Look at the IP address, not
the faked sender name. (I do a backward search in vi to find the last
entry.)
Regards,
Richard.
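
The lookup Richard describes, done for every message number at once rather than one search in vi. This is an added example, not part of the original thread. The function names, the sample addresses and the two closing log lines (a `from=... relay=[ip]` entry and a `lost input channel` entry) are constructed in the usual sendmail maillog layout.

```shell
#!/bin/sh
# Added example: count "No such user here" rejects per sendmail message
# number and report the connecting IP from the last log entry for it.

# Constructed sample log (documentation-range addresses, example domains).
sample_log() {
cat <<'EOF'
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <bernard@example.com>... No such user here
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <louise@example.com>... No such user here
Apr 14 00:59:14 mail sendmail[8099]: i3E4xEp08099: <hhb273rdmsxb@example.com>... No such user here
Apr 14 00:59:15 mail sendmail[8097]: i3E4xEp08097: from=<forged@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.45]
Apr 14 00:59:16 mail sendmail[8099]: i3E4xEp08099: lost input channel from host.example.org [198.51.100.7] to MTA after rcpt
Apr 14 01:02:00 mail sendmail[8120]: i3E520p08120: from=<alice@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [203.0.113.9]
EOF
}

# Reads maillog text on stdin; prints "rejects ip message-number", busiest first.
dict_sources() {
    awk '
    $5 ~ /^sendmail\[/ {
        qid = $6; sub(/:$/, "", qid)
        if (index($0, "No such user here")) rejects[qid]++
        # Keep the last bracketed IPv4 on the line (relay= comes after the
        # forgeable from= field). The pid in "sendmail[8097]" has no dots,
        # so it never matches. Later log entries overwrite earlier ones.
        line = $0
        while (match(line, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
            ip[qid] = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END {
        for (q in rejects)
            print rejects[q], (q in ip ? ip[q] : "unknown"), q
    }' | sort -k1,1nr -k3,3
}

# Demo on the constructed sample; on a server: dict_sources < /var/log/maillog
sample_log | dict_sources
```

Message numbers with many rejects and a single source IP are the candidates for a block rule. The ordinary delivery (i3E520p08120 in the sample) is left out because it has no rejects.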