Dictionary Scans And Smtp Timeouts
I have a couple of customers who in the past had "Catchalls" enabled on a different system. Now since we moved these people the spammers are still hammering these accounts with massive dictionary attacks. This leads to smtp timeouts. Meaning all available connections get used up. (Catchalls are NOT being used now as they are evil things) :)
What I know about these attacks.
1. They send about 20 messages going up through the alphabet from a unique ip.
2. It pauses and then about 5 seconds later another 20 come in from a different IP. (It picks up alphabetically from where it left off even)
3. This goes on until about 100,000 or so messages are sent. Then it goes away for a while and then starts over again.
I am seeing smtpd connections taking a while to release. This leads to timeouts and retries from external mail servers.
I can't obviously block based on IP because it appears they have a unlimited amount of IP's to use.
On other systems I employed tarpitting as so. After 8 consecutive connections per ip the subsequent connections are "slowed" down to 10 secs per connection. This seems to work real well.
I don't really see anything out there for tarpitting with Postfix and greylisting is not a option.
This is becoming more and more typical. This type of dictionary attack. So has anyone came across this and what did you do to mitigate it.
EDIT:: I found this .. I am going to play with it
Improving Anti-spam system - ZimbraWiki