Being dictionary spammed. Solutions?

[nothsa]

Hi,

I have an account on my server that has been getting dictionary spammed over the last few days. I have RBL's in place so most of them don't get through, and the ones that do get through are rejected (no valid RCPT). I've set BFD to block port 25 on the offending IP after 10 failed attempts, but the spammer later switches to another IP and starts again, and gets blocked again, then switches to another IP, etc. etc. I'm guessing he's just using zombie machines.

Does anyone have a solution for this, or at least something better than what I'm doing now? I don't even know where to start

Thanks

[chirpy]

http://www.configserver.com/free/eximdeny.html

Rememboer to replace any occurences of :blackhole: or /dev/null in /etc/valiases/* with :fail: and I'd recommend deleting the BFD exim check as it's not such a great idea (as I've mentioned in previous posts).

[nothsa]

Awesome! Thanks Chripy

[nothsa]

A quick question regarding this mod, Chirpy:

Since installing this, it's added 5 IP addresses to my /etc/exim_deny file, however, a search through my exim_rejectlog (greping for "dictionary attack") only turns up 3 IPs and none of those 3 are in the exim_deny file.

Am I missing something?

[EDIT]I just saw the addition to your last post, and I've already checked for :blackhole:'s, but it appears that they're all set to :fail: already [/EDIT]

[chirpy]

Try searching your exim_mainlog instead of exim_rejectlog instead.

[lostinspace]

Curious,

Is there a way to set :fail: globally for existing accounts? I know I can use the tweak settings to do this for new accounts.

[chirpy]

Yup: http://forums.cpanel.net/showthread.php?t=30987