dictionary attack

Hey,

There is already a thread on this from a few days back, but I don't want to hijack that thread with my issue.

Last month we got a new customer; we'll say the domain is xyz.com. It's just a personal site, no scripts at all, just a few articles, etc.

Anyway I've been noticing, at random times, exim has been putting a bit of load on the server. Not too much, but enough to make me uncomfortable. It has made the load go from 0.5 to 1.0 or so. Finally today I checked out what might be the problem. In /var/exim_mainlog, I saw entry after entry of mail being sent to non-existent users on xyz.com. I checked and at the time, there were 55 connections to port 25.

Firstly, :fail: is set on all domains, and we have a script which blocks an IP address if it sends to a non-existent user so many times. It's working, but the attack switches to a different IP address every time one is blocked. I've blocked what I could but the IPs just keep changing.

I can't see much else I can possibly do, so I'm up for any suggestions. Thank goodness :fail: is set, and thank goodness we have that script to block IP addresses.

It is the reason this customer switched to us; her previous host didn't try to do anything about the issue when she complained about hundreds of spam emails coming in.

Anyway, any suggestions are greatly appreciated.

Thanks,
Brandon
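
The situation described in the post above, as an added example that is not part of the original post or the poster's script: a per-IP counter never trips when the sources rotate, while counting rejections per recipient domain across all sources still shows the attack. The log lines are constructed in the style of Exim main-log RCPT rejections, and the function names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed shape of an Exim main-log RCPT rejection (constructed, not from the post).
REJECT = re.compile(r"\[(?P<ip>[^\]]+)\].* rejected RCPT <[^@>]*@(?P<domain>[^>]+)>")

def build_sample_log():
    """Constructed log: 4 rotating IPs, 3 bad recipients each, plus unrelated traffic."""
    names = ["adam", "alice", "bob", "carol", "dave", "erin"]
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.44", "192.0.2.99"]
    lines = []
    for i, ip in enumerate(ips):
        for j in range(3):
            lines.append(
                f"2024-01-01 10:0{i}:0{j} H=(mail.example) [{ip}] "
                f"F=<s@sender.example> rejected RCPT <{names[i + j]}@xyz.com>: "
                "Unrouteable address")
    lines.append("2024-01-01 10:05:00 H=(mx.example) [198.51.100.200] "
                 "F=<u@peer.example> rejected RCPT <typo@other.example>: Unrouteable address")
    lines.append("2024-01-01 10:05:01 1abcde-000001-AB <= u@peer.example "
                 "H=(mx.example) [198.51.100.200] P=esmtp S=1200")
    return "\n".join(lines)

def parse_rejections(log_text):
    """Return (ip, recipient_domain) for every rejected-recipient line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            events.append((m.group("ip"), m.group("domain").lower()))
    return events

def per_ip_blocks(events, threshold=5):
    """IPs a per-IP counter would block: the approach the post's script takes."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_targets(events, min_rejects=10, min_ips=3):
    """Domains with many rejections spread over many sources: {domain: (rejects, ips)}."""
    total, sources = Counter(), defaultdict(set)
    for ip, domain in events:
        total[domain] += 1
        sources[domain].add(ip)
    return {d: (n, len(sources[d])) for d, n in total.items()
            if n >= min_rejects and len(sources[d]) >= min_ips}

if __name__ == "__main__":
    ev = parse_rejections(build_sample_log())
    print("per-IP blocks:", per_ip_blocks(ev))
    print("distributed targets:", distributed_targets(ev))
```

On the constructed log no single IP reaches the per-IP threshold, yet xyz.com stands out once rejections are grouped by target domain.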

 

 

 

 
