You could use tcpserver to block them with something like

    =.hinet.net:allow,RBLSMTPD="-Blocked for trying to break-in"
    114.44.124.32:allow,RBLSMTPD="-Blocked for trying to break-in"
    ...

The first line blocks anything with reverse dns that maps to *.hinet.net and the second only matches the ip address. You can match multiple ips with 1.2.0-1.:allow to match the range 1.2.3.0/23.

Shane

On Sat, 2008-11-29 at 10:29 -0500, Angus McIntyre wrote:
> Lately, my maillog shows large numbers of attempts to relay mail
> through my host. The attempts show up in the logfile as failed
> password checks, i.e.
>
> vpopmail[19950]: vchkpw-smtp: vpopmail user not found alex@:114.44.124.32
>
> The attackers are trying a sequence of 93 distinct usernames -
> administrator, alice, alex, andy etc. - and a variety of passwords.
>
> The majority of the attacks originate from dynamic IPs on Taiwanese
> ISPs hinet.net and tfn.net.tw.
>
> I'm not particularly concerned that they'll break in, but I'd like to
> block them anyway, if only to keep my SMTP ports clear for legitimate
> traffic.
>
> Is there a vpopmail equivalent of 'denyhosts' - something that allows
> a limited number of failed attempts before automatically blocking all
> subsequent connections from that IP?
>
> Angus
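
The two messages combined, as an added example that is not part of either poster's message: a denyhosts-style pass over the maillog that counts `vchkpw-smtp` failures per source IP and prints rule lines in the form shown in the reply. It assumes the log format of the single line quoted above; the other sample lines, the threshold and the allowlist are constructed for illustration.

```python
import re
from collections import Counter

# Failure line as quoted in the thread:
#   vpopmail[19950]: vchkpw-smtp: vpopmail user not found alex@:114.44.124.32
FAIL_RE = re.compile(
    r"vchkpw-smtp: vpopmail user not found (?P<user>\S*?)@(?P<domain>[^\s:]*):"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
REASON = "-Blocked for trying to break-in"  # message text used in the reply


def count_failures(log_lines):
    """Return a Counter mapping source IP -> number of failed lookups."""
    hits = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def build_rules(log_lines, threshold=3, allowlist=()):
    """Return one rule line per IP with at least `threshold` failures.

    `threshold` and `allowlist` are hypothetical knobs, not vpopmail options.
    """
    hits = count_failures(log_lines)
    offenders = sorted(
        (ip for ip, n in hits.items() if n >= threshold and ip not in allowlist),
        key=lambda ip: tuple(int(part) for part in ip.split(".")),
    )
    return ['%s:allow,RBLSMTPD="%s"' % (ip, REASON) for ip in offenders]


# Constructed sample log; only the message format comes from the thread.
SAMPLE_LOG = """\
Nov 29 10:01:02 mx vpopmail[19950]: vchkpw-smtp: vpopmail user not found alex@:114.44.124.32
Nov 29 10:01:05 mx vpopmail[19951]: vchkpw-smtp: vpopmail user not found alice@:114.44.124.32
Nov 29 10:01:09 mx vpopmail[19952]: vchkpw-smtp: vpopmail user not found andy@:114.44.124.32
Nov 29 10:02:00 mx vpopmail[19960]: vchkpw-smtp: vpopmail user not found bob@:203.0.113.7
Nov 29 10:03:00 mx vpopmail[19970]: vchkpw-smtp: vpopmail user not found jo@:192.0.2.10
Nov 29 10:03:04 mx vpopmail[19971]: vchkpw-smtp: vpopmail user not found jo@:192.0.2.10
Nov 29 10:03:08 mx vpopmail[19972]: vchkpw-smtp: vpopmail user not found jo@:192.0.2.10
Nov 29 10:04:00 mx qmail: 1227971040.1 status: local 0/10 remote 0/20
""".splitlines()

if __name__ == "__main__":
    # 192.0.2.10 stands in for a known client that must never be blocked.
    for rule in build_rules(SAMPLE_LOG, threshold=3, allowlist={"192.0.2.10"}):
        print(rule)
```

The printed lines are appended to the tcpserver rules file, which then has to be recompiled with tcprules before they take effect.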