
RE: [cobalt-users] How to defend against dictionary attacks?



At 03:18 PM 4/15/2004, you wrote:
> > We saw this earlier in the week.  It's an e-mail that's being sent to a
> > large number of common names at a given domain.
> >
> > SSH into your server and look at /var/log/maillog.  Search for the
> > message number, i3E4xEp08097 in the log snippet above.  The last entry
> > will show you where the message came from.  Look at the IP address, not
> > the faked sender name. (I do a backward search in vi to find the last
> > entry.)
> >
> > Regards,
> >
> >         Richard.
>
> Thanks a million Richard!
>

I bet when you get the IP if you run it through http://openrbl.org/
you'll find it blacklisted by a number of sites.
--

Good point! They are. However, I have no means other than ipchains to block them, now.

I used to run my RBLs through sendmail, but management was concerned about false positives. And I know that there were some. So I gave in and now run my RBLs through SpamAssassin.

Any decent way to detect this kind of flood? If I could detect it, I could insert the offending IP in ipchains and later look up the CIDR. These pinheads were on three different IPs, but same CIDR.

I appreciate the help, Dan! And ALL!

Glenn
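An added example (my own, not code from this thread, from Cobalt or from sendmail): a POSIX shell script that does what the two messages above describe, run over sample maillog lines. It pulls the relay IP for a given queue ID the way Richard describes, counts "User unknown" rejections per connecting IP so that a dictionary-attack flood stands out, and prints the ipchains rule Glenn mentions instead of applying it. The log lines are constructed to resemble sendmail's /var/log/maillog format (queue ID in the sixth field, relay=[ip] on the from= line); the hostnames, addresses and threshold are assumptions, and the exact rejection wording may differ between sendmail versions, so check the patterns against your own log before trusting the counts.

```shell
#!/bin/sh
# Constructed sample of sendmail-style maillog lines (not from the thread).
# Two envelopes from 192.0.2.10 probe six guessed names, one envelope from
# 192.0.2.11 probes one name, and 198.51.100.7 is a legitimate delivery.
SAMPLE_LOG="$(cat <<'EOF'
Apr 15 15:18:01 raq sendmail[8097]: i3E4xEp08097: <aaron@example.com>... User unknown
Apr 15 15:18:01 raq sendmail[8097]: i3E4xEp08097: <abby@example.com>... User unknown
Apr 15 15:18:01 raq sendmail[8097]: i3E4xEp08097: <adam@example.com>... User unknown
Apr 15 15:18:02 raq sendmail[8097]: i3E4xEp08097: from=<x@forged.example>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Apr 15 15:18:05 raq sendmail[8101]: i3E4xFq08101: <alan@example.com>... User unknown
Apr 15 15:18:05 raq sendmail[8101]: i3E4xFq08101: <alex@example.com>... User unknown
Apr 15 15:18:05 raq sendmail[8101]: i3E4xFq08101: <amy@example.com>... User unknown
Apr 15 15:18:06 raq sendmail[8101]: i3E4xFq08101: from=<y@forged.example>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Apr 15 15:19:10 raq sendmail[8120]: i3E4xGr08120: <bob@example.com>... User unknown
Apr 15 15:19:10 raq sendmail[8120]: i3E4xGr08120: from=<z@forged.example>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.11]
Apr 15 15:20:00 raq sendmail[8130]: i3E4xHs08130: from=<friend@partner.example>, size=2048, class=0, nrcpts=1, msgid=<1@partner.example>, proto=ESMTP, daemon=MTA, relay=mail.partner.example [198.51.100.7]
Apr 15 15:20:00 raq sendmail[8131]: i3E4xHs08130: to=<glenn@example.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
EOF
)"

# Richard's lookup: for one queue ID (argument 1), print the IP in the last
# relay=[...] field found on its lines.  Log text is read from stdin.
# Handles both "relay=[1.2.3.4]" and "relay=host.example [1.2.3.4]".
relay_for_msgid() {
    grep "$1" | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p' | tail -n 1
}

# Flood detection: count "User unknown" rejections per connecting IP.
# The rejection lines carry only the queue ID; the relay IP is on the
# from= line of the same envelope, so join the two on field 6 (queue ID)
# and attribute the count to the real source, not the forged sender.
# Prints "ip count" for every IP at or above the threshold (argument 1).
flood_sources() {
    awk -v thr="$1" '
        match($0, /relay=[^[]*\[[0-9.]+\]/) {
            ip = substr($0, RSTART, RLENGTH)
            sub(/.*\[/, "", ip); sub(/\]/, "", ip)
            relay[$6] = ip
        }
        / User unknown/ { unknown[$6]++ }
        END {
            for (q in unknown) if (q in relay) total[relay[q]] += unknown[q]
            for (ip in total) if (total[ip] >= thr) print ip, total[ip]
        }'
}

# Print (do not run) the ipchains rule that would drop the source.
# ipchains -s also accepts a CIDR such as 192.0.2.0/24 once the block is known.
block_rule() {
    printf 'ipchains -I input -s %s -j DENY\n' "$1"
}

# Demonstration on the constructed sample: five or more bad RCPTs flags an IP.
printf '%s\n' "$SAMPLE_LOG" | relay_for_msgid i3E4xEp08097
printf '%s\n' "$SAMPLE_LOG" | flood_sources 5 | while read -r ip n; do
    echo "# $ip rejected $n unknown recipients"
    block_rule "$ip"
done
```

Against a live box the same functions read the real log (`flood_sources 20 < /var/log/maillog`), and the threshold is what keeps management's false-positive worry in check: a single partner host that mistypes one address produces one rejection and never reaches it, while a name-guessing run produces dozens in seconds. Review the printed rules before feeding them to ipchains.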