At 11:31 AM 4/15/2004, you wrote:
Glenn Parsons wrote:

Hello All,

I am seeing what I think are called 'dictionary attacks' on my mail server for users on a regular basis. How can I prevent them, or guard against them? My logs are not providing an address to block. I can't tell who is instigating this!

Apr 14 00:59:14 mail sendmail[8099]: i3E4xEp08099: <hhb273rdmsxb@xxxxxxxxxx>... No such user here
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <bernard@xxxxxxxxxx>... No such user here
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <louise@xxxxxxxxxx>... No such user here

Glenn,

We saw this earlier in the week. It's an e-mail that's being sent to a large number of common names at a given domain.

SSH into your server and look at /var/log/maillog. Search for the message number, i3E4xEp08097, in the log snippet above. The last entry will show you where the message came from. Look at the IP address, not the faked sender name. (I do a backward search in vi to find the last entry.)

Regards,
Richard.
Thanks a million Richard!

Glenn
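The log search Richard describes can be done for every rejected message at once. This is an added example, not part of the original thread. The function name `rejected_relays` is hypothetical, the `from=... relay=...` entry is assumed to follow stock sendmail syslog format, and the sample lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes stock sendmail syslog lines:
#   "<date> <host> sendmail[pid]: <queue-id>: ..." with a from=...relay=... entry.

# rejected_relays LOGFILE
# Prints "<rejections> <queue-id> <relay>" for each queue ID that logged
# "No such user here", busiest first. Relay is "unknown" if no from= line exists.
rejected_relays() {
    awk '
        $5 ~ /^sendmail\[/ {
            qid = $6; sub(/:$/, "", qid)          # field 6 is the queue ID
            if ($0 ~ /No such user here/) rejects[qid]++
            # Only the from= entry names the connecting client; keep the last one.
            if ($7 ~ /^from=/ && match($0, /relay=.*/)) {
                r = substr($0, RSTART + 6)
                # Prefer the bracketed IP; the host name and sender can be forged.
                if (match(r, /\[[0-9A-Fa-f:.]+\]/))
                    r = substr(r, RSTART + 1, RLENGTH - 2)
                relay[qid] = r
            }
        }
        END {
            for (q in rejects)
                printf "%d %s %s\n", rejects[q], q, ((q in relay) ? relay[q] : "unknown")
        }
    ' "$1" | sort -rn
}

# Demo on constructed log lines (documentation addresses, not real traffic).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <bernard@example.com>... No such user here
Apr 14 00:59:14 mail sendmail[8097]: i3E4xEp08097: <louise@example.com>... No such user here
Apr 14 00:59:15 mail sendmail[8097]: i3E4xEp08097: from=<forged@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
EOF
rejected_relays "$demo_log"
rm -f "$demo_log"
```

Run it as `rejected_relays /var/log/maillog`; a queue ID reported as `unknown` means its `from=` entry was not in the file searched, for example because the log rotated.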