Chirpy's dictionary attack solution - not working in some cases

Discussion in 'General Discussion' started by denisdekat09, Jun 23, 2006.

  1. denisdekat09

    Hello,

    Anyone getting dictionary attacks that are getting through? I noticed this today:

    2006-06-23 20:36:05 H=(FOX-1J1AC99C) [222.145.246.58] F=<IrwinChampion6v@doctor.com> rejected RCPT <harmon@summitawards.com>:
    2006-06-23 20:36:05 H=(FOX-1J1AC99C) [222.145.246.58] F=<IrwinChampion6v@doctor.com> rejected RCPT <hardy@summitawards.com>:
    2006-06-23 20:36:05 H=(FOX-1J1AC99C) [222.145.246.58] F=<IrwinChampion6v@doctor.com> rejected RCPT <hanson@summitawards.com>:
    2006-06-23 20:36:05 H=(FOX-1J1AC99C) [222.145.246.58] F=<CraigOdomni@australiamail.com> rejected RCPT <hansen@summitawards.com>:
    2006-06-23 20:36:07 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<MayraBoucherq0@soon.com> rejected RCPT <stanley@summitawards.com>:
    2006-06-23 20:36:07 H=(FOX-1J1AC99C) [222.145.246.58] F=<HansBabbl2@europe.com> rejected RCPT <hampton@summitawards.com>:
    2006-06-23 20:36:08 H=(FOX-1J1AC99C) [222.145.246.58] F=<NanetteMccalldv@execs.com> rejected RCPT <hammond@summitawards.com>:
    2006-06-23 20:36:08 H=(FOX-1J1AC99C) [222.145.246.58] F=<NanetteMccalldv@execs.com> rejected RCPT <hamilton@summitawards.com>:
    2006-06-23 20:36:08 H=(FOX-1J1AC99C) [222.145.246.58] F=<NanetteMccalldv@execs.com> rejected RCPT <hale@summitawards.com>:
    2006-06-23 20:36:08 H=(FOX-1J1AC99C) [222.145.246.58] F=<DellaMcgillyt@optician.com> rejected RCPT <guzman@summitawards.com>:
    2006-06-23 20:36:09 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<KrisKendallar@email.com> rejected RCPT <spencer@summitawards.com>:
    2006-06-23 20:36:09 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<ReidBaca0x@pediatrician.com> rejected RCPT <soto@summitawards.com>:
    2006-06-23 20:36:09 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<ReidBaca0x@pediatrician.com> rejected RCPT <snyder@summitawards.com>:
    2006-06-23 20:36:10 1Ftw87-0002MK-KD <= gprpjoih@womeningames.com H=(adsl-69-233-128-22.dsl.scrm01.pacbell.net) [69.233.128.22] P=smtp S=32106 id=002301c69726$1ecd4c42$56a4e945@howek
    2006-06-23 20:36:10 H=(FOX-1J1AC99C) [222.145.246.58] F=<EdmundCarey5d@hot-shot.com> rejected RCPT <gutierrez@summitawards.com>:
    2006-06-23 20:36:10 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<HenryWhitten68@priest.com> rejected RCPT <sims@summitawards.com>:
    2006-06-23 20:36:10 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<HenryWhitten68@priest.com> rejected RCPT <simpson@summitawards.com>:
    2006-06-23 20:36:10 H=(FOX-1J1AC99C) [222.145.246.58] F=<RobbieReynalj@priest.com> rejected RCPT <griffith@summitawards.com>:
    2006-06-23 20:36:10 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<PollyDalyxv@australiamail.com> rejected RCPT <silva@summitawards.com>:
    2006-06-23 20:36:10 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<PollyDalyxv@australiamail.com> rejected RCPT <shelton@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<LupeFaulknerhf@mad.scientist.com> rejected RCPT <gregory@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<LupeFaulknerhf@mad.scientist.com> rejected RCPT <greene@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<LupeFaulknerhf@mad.scientist.com> rejected RCPT <graves@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<LupeFaulknerhf@mad.scientist.com> rejected RCPT <grant@summitawards.com>:
    2006-06-23 20:36:11 1Ftw87-0002MK-KD => darcy@kaosmosis.com <kaos@kaosmosis.org> R=lookuphost T=remote_smtp H=mx1.photon.net [216.147.195.252]
    2006-06-23 20:36:11 1Ftw87-0002MK-KD Completed
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<BeauBirdln@winning.com> rejected RCPT <shaw@summitawards.com>:
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<BeauBirdln@winning.com> rejected RCPT <sharp@summitawards.com>:
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<BeauBirdln@winning.com> rejected RCPT <schultz@summitawards.com>:
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<BeauBirdln@winning.com> rejected RCPT <schneider@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<KatelynHendricks9r@winning.com> rejected RCPT <graham@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<KatelynHendricks9r@winning.com> rejected RCPT <gordon@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<KatelynHendricks9r@winning.com> rejected RCPT <goodwin@summitawards.com>:
    2006-06-23 20:36:11 H=(FOX-1J1AC99C) [222.145.246.58] F=<KatelynHendricks9r@winning.com> rejected RCPT <goodman@summitawards.com>:
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<KristaNicholsuh@geologist.com> rejected RCPT <schmidt@summitawards.com>:
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<KristaNicholsuh@geologist.com> rejected RCPT <santos@summitawards.com>:
    2006-06-23 20:36:11 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<KristaNicholsuh@geologist.com> rejected RCPT <salazar@summitawards.com>:
    2006-06-23 20:36:12 H=(z6u31.o0dm.rr.com) [222.145.246.58] F=<KristaNicholsuh@geologist.com> rejected RCPT <ryan@summitawards.com>:
    2006-06-23 20:36:12 H=(FOX-1J1AC99C) [222.145.246.58] F=<DoreenJeffersvo@graphic-designer.com> rejected RCPT <gomez@summitawards.com>:
    2006-06-23 20:36:12 H=(FOX-1J1AC99C) [222.145.246.58] F=<DoreenJeffersvo@graphic-designer.com> rejected RCPT <glover@summitawards.com>:
    2006-06-23 20:36:12 H=(FOX-1J1AC99C) [222.145.246.58] F=<DoreenJeffersvo@graphic-designer.com> rejected RCPT <gilbert@summitawards.com>:
    2006-06-23 20:36:12 H=(FOX-1J1AC99C) [222.145.246.58] F=<DoreenJeffersvo@graphic-designer.com> rejected RCPT <gibson@summitawards.com>:


    I think they are not being rejected as they are rejected RCPT already; it is not getting the dictionary attack block as per usual. Other things are getting blocked. Am I wrong here on this one? Or should the dictionary attack thing block this as well?

    Thanks!
     
  2. RickG

    I run into the same thing frequently. The spammer (or software they use) seems to be aware of when they will get cut off and change the from sender just before their IP "qualifies" to be dropped.

    Look in Chirpy's code for the following in the drop message section:
    Code:
    condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
    You may need to reduce the {3} value to something lower. At this stage I have mine set to 1.
     
  3. denisdekat09

    I thought about that too, but I was seeing groups of four and more at a time.

    I changed it to 2 for now :)

    thanks for the help!
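
Added example, not part of any post in this thread and not Chirpy's code: a Python sketch that groups `rejected RCPT` lines the way the quoted condition counts them and reports which thresholds would have triggered the drop. It assumes Exim's documented behaviour that `$rcpt_fail_count` holds the number of earlier permanent RCPT rejections in the current message, and it approximates a message as a run of consecutive rejects sharing IP, HELO and sender; the sample log, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's reject lines (documentation IP,
# made-up names): two interleaved connections, sender rotating after 3-4 rejects.
ORDER = "A1 A1 A1 B1 A2 B1 A2 B1 A2 B1 A2 B2 B2 B2 B2".split()
SAMPLE_LOG = "\n".join(
    f"2006-06-23 20:36:{i:02d} H=(HOST-{t[0]}) [192.0.2.10] F=<s{t}@example.com> "
    f"rejected RCPT <user{i}@example.org>:"
    for i, t in enumerate(ORDER)
) + "\n2006-06-23 20:36:59 1AbCdE-000001-XX Completed"

REJECT = re.compile(
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <"
)

def reject_runs(log_text):
    """Return {ip: [run lengths]}. A run is a series of rejects with the same
    HELO and sender on one (ip, helo) pair: an approximation of one message."""
    current, runs = {}, defaultdict(list)   # current: (ip, helo) -> [sender, count]
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue                         # deliveries, "Completed", etc.
        key = (m["ip"], m["helo"])
        state = current.get(key)
        if state and state[0] == m["sender"]:
            state[1] += 1
            continue
        if state:                            # sender changed: close the old run
            runs[key[0]].append(state[1])
        current[key] = [m["sender"], 1]
    for (ip, _helo), (_sender, count) in current.items():
        runs[ip].append(count)               # flush runs still open at end of log
    return dict(runs)

def drop_fires(run_length, threshold):
    """Model of `${if > {$rcpt_fail_count}{threshold}{yes}{no}}`: at the Nth
    failing RCPT the counter holds N-1, so a run must exceed threshold + 1."""
    return run_length - 1 > threshold

def evaluate(log_text, thresholds=(3, 2, 1)):
    """Per IP: total rejects, run lengths, and runs each threshold would drop."""
    return {ip: {"total_rejects": sum(lengths), "runs": lengths,
                 "dropped": {t: sum(drop_fires(n, t) for n in lengths)
                             for t in thresholds}}
            for ip, lengths in reject_runs(log_text).items()}
```

On the constructed sample, one IP collects 15 rejects in runs of 3, 4, 4 and 4: a threshold of 3 never fires, 2 fires on the three runs of four, and 1 fires on every run.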
     
