For example, my father's wife Peggy has the domain peggytaggart.com; she ONLY gives out the peggy@ email address for this.
For some unknown reason, the whole domain is popular with spammers. I've added a global rule in my virtusertable to just drop anything not-destined for peggy:
Sep 15 04:07:37 prime sm-mta[42929]: i8F87Mn1042929: <[EMAIL PROTECTED]>...
Not just spammers, but viruses now do this kind of thing, purely automated, common as dirt.
(What's really annoying is that sendmail doesn't log the ip of the remote connection until it's done (if you're blocking them) -- I'd love to be able to create an RBL on this and nip it in the bud).
Yeah, but it's not really that hard to parse it. Find an "unknown user" message, grab the SMTP ID, and find the relay line with the same SMTP ID.
Simple example using grep:
# grep "User unknown" /var/log/maillog
Sep 14 09:10:03 xanadu sendmail[14940]: i8EDA3Cw014940: <[EMAIL PROTECTED]>... User unknown
<snip>
# grep "i8EDA3Cw014940" /var/log/maillog
Sep 14 09:10:03 xanadu milter-greylist: i8EDA3Cw014940: testmode: skipping greylist for recipient "<[EMAIL PROTECTED]>"
Sep 14 09:10:03 xanadu sendmail[14940]: i8EDA3Cw014940: <[EMAIL PROTECTED]>... User unknown
Sep 14 09:10:04 xanadu sendmail[14940]: i8EDA3Cw014940: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=66.49.69.146.nw.nuvox.net [66.49.69.146]
Also, wouldn't it be a good idea for SpamAssassin to start going off on multiple emails to the same domain from the same address/ip?
IMO, not really. This is so much better handled by properly configuring your MTA layer tools so you don't accept mail for unknown users.
A milter which auto-detects dictionary attacks by watching the unknown user errors and greylists the offending IP for 24 hours would be a great tool.
Having SpamAssassin track this kind of thing and add points based on it is a bit of a stretch.
It could be effective, but only for domains that don't have proper tables set up so they only accept email for valid users (i.e., secondary MX servers without a call-ahead or LDAP check milter). However, on my primary MX it would be useless, as any unknown users instantly bounce with a 500 user unknown and SA will never see it.
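The grep correlation described earlier (join a "User unknown" line to its relay= line by queue ID) and the dictionary-attack detector proposed above, written as one script. This is an added example, not code from anyone in the thread; the maillog lines are constructed, and the rejection threshold is an assumed parameter.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the thread). As in real sendmail
# logs, the "User unknown" rejection and the "from=... relay=" line share a
# queue ID, which is the only field that ties them together.
SAMPLE_LOG = """\
Sep 14 09:10:03 xanadu sendmail[14940]: i8EDA3Cw014940: <bob@example.org>... User unknown
Sep 14 09:10:04 xanadu sendmail[14940]: i8EDA3Cw014940: from=<x@spam.test>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Sep 14 09:10:05 xanadu sendmail[14941]: i8EDA5Cw014941: <carol@example.org>... User unknown
Sep 14 09:10:05 xanadu sendmail[14941]: i8EDA5Cw014941: from=<y@spam.test>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Sep 14 09:10:06 xanadu sendmail[14942]: i8EDA6Cw014942: <dave@example.org>... User unknown
Sep 14 09:10:06 xanadu sendmail[14942]: i8EDA6Cw014942: from=<z@spam.test>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Sep 14 09:11:00 xanadu sendmail[14950]: i8EDB0Cw014950: <peggy@example.org>... User unknown
Sep 14 09:11:00 xanadu sendmail[14950]: i8EDB0Cw014950: from=<friend@example.com>, size=1200, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
"""

# Queue ID plus rejected recipient from the "User unknown" line.
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): <(?P<rcpt>[^>]*)>\.\.\. User unknown")
# Queue ID plus connecting IP from the envelope line; the relay hostname is optional.
RELAY_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=.*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")


def correlate_unknown_users(log_text):
    """Return {relay_ip: [rejected recipients]} by joining the two line types on queue ID."""
    rejected = {}   # qid -> recipient that did not exist
    relay_ip = {}   # qid -> IP the message came from
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            rejected[m.group("qid")] = m.group("rcpt")
            continue
        m = RELAY_RE.search(line)
        if m:
            relay_ip[m.group("qid")] = m.group("ip")
    by_ip = defaultdict(list)
    for qid, rcpt in rejected.items():
        if qid in relay_ip:          # relay line may be missing if the log was cut
            by_ip[relay_ip[qid]].append(rcpt)
    return dict(by_ip)


def dictionary_attack_candidates(by_ip, threshold=3):
    """IPs with at least `threshold` unknown-user rejections (assumed cutoff);
    this is the list a greylisting milter would act on."""
    return sorted(ip for ip, rcpts in by_ip.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    hits = correlate_unknown_users(SAMPLE_LOG)
    for ip in dictionary_attack_candidates(hits):
        print(f"{ip}: {len(hits[ip])} unknown recipients -> greylist candidate")
```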