Re: Blacklist and address based on "User unknown"

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Tue Jan 02 2007 - 15:52:17 CST


At 03:39 PM 1/2/2007, Crayon wrote:
>On Wednesday 03 January 2007 05:26, Noel Jones wrote:
>
> > You can implement this with a logwatcher script,
>
>I know, but, so I take it there's no postfix mechanism I can leverage?

No, nothing built into postfix that will help with this project.
One suggestion is to use the "pipe" feature of most modern syslogd
programs to pipe the mail.log stream to your program rather than
using tail to actually watch the log file. That way you don't have
to worry about log rotation, etc.

> > but IMHO a single
> > mail to an unknown user is a poor indicator of a malicious host.
>
>Based on the mail logs I can quite confidently state that false positives
>will be less than 1 in a 1000. In any case they would only be blacklisted
>temporarily but for increasing lengths of time for persistent offenders
>and there would be a limit to the maximum time - to avoid DOS.
>
> > If you arrange for your script to block after N unknown users and 0
> > valid users, that might be more reasonable.
>
>I would probably arrange it so that they would be removed from the
>blacklist after 1 valid user. Anyway specific details would be fine tuned
>once it's operational :)

The usefulness of this idea is inversely proportional to the size of
your user base. The more users you have, the more likely you will be
blacklisting innocent servers. For a small user base, this may be a
reasonable thing to do. Good luck.

--
Noel Jones
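A log watcher of the kind the thread discusses, written as an added example (not code from the thread, from Noel, or from Postfix): it counts consecutive "User unknown" rejects per client IP, blocks after N of them with no accepted mail in between, clears the IP on one accepted recipient, and lengthens the block for repeat offenders up to a cap. The sample log lines are constructed, and the threshold, block lengths and the "client=" line as the accepted-mail signal are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix/syslog sample lines (not from the original thread); "User unknown
# in local recipient table" is Postfix's reject text and "client=" is logged on accept.
SAMPLE_LOG = """\
Jan  2 15:40:01 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a@example.net>: Recipient address rejected: User unknown in local recipient table
Jan  2 15:40:02 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <b@example.net>: Recipient address rejected: User unknown in local recipient table
Jan  2 15:40:03 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <c@example.net>: Recipient address rejected: User unknown in local recipient table
Jan  2 15:41:10 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.5]: 550 5.1.1 <typo@example.net>: Recipient address rejected: User unknown in local recipient table
Jan  2 15:41:11 mx postfix/smtpd[2211]: 3F2A1B0C7D: client=mail.example.com[198.51.100.5]
Jan  2 15:55:00 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <d@example.net>: Recipient address rejected: User unknown in local recipient table
"""

TIME_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) ")
UNKNOWN_RE = re.compile(r"RCPT from \S+\[([^\]]+)\]: 550 .*User unknown")
ACCEPT_RE = re.compile(r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[([^\]]+)\]")

class Blacklister:
    """Block an IP after `threshold` consecutive unknown recipients; escalate and cap."""
    def __init__(self, threshold=3, base_block=600, max_block=86400):
        self.threshold, self.base_block, self.max_block = threshold, base_block, max_block
        self.unknown = defaultdict(int)   # consecutive "User unknown" rejects per IP
        self.offences = defaultdict(int)  # how many times the IP has been blocked
        self.blocked_until = {}           # ip -> block expiry (seconds of day)
    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, -1) > now
    def feed(self, line):
        """Consume one log line; return ("block"|"unblock", ip, seconds) or None."""
        hh, mm, ss = map(int, TIME_RE.match(line).groups())
        now = hh * 3600 + mm * 60 + ss    # toy clock: ignores day boundaries
        if m := UNKNOWN_RE.search(line):
            ip = m.group(1)
            self.unknown[ip] += 1
            if self.unknown[ip] >= self.threshold and not self.is_blocked(ip, now):
                self.offences[ip] += 1
                # double the block for each repeat offence, capped to bound self-inflicted DoS
                dur = min(self.base_block * 2 ** (self.offences[ip] - 1), self.max_block)
                self.blocked_until[ip] = now + dur
                return ("block", ip, dur)
        elif m := ACCEPT_RE.search(line):  # one accepted recipient clears the IP
            ip = m.group(1)
            self.unknown[ip] = 0
            if self.blocked_until.pop(ip, None) is not None:
                return ("unblock", ip, 0)

def process(log_text, **kw):
    bl = Blacklister(**kw)
    return [e for e in map(bl.feed, log_text.splitlines()) if e], bl
```

To drive it from a syslog pipe as suggested above, read lines from standard input and call `feed` on each one; the events returned are what you would hand to your firewall or access map, and the sample shows the legitimate server with one typo never being blocked.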