#1, 06-07-2010, 10:55 AM
Special Member, Posts: 118

Assistance with Dictionary attack

For several months now my logs are showing an attempt to send mail to a non-existent account. There are variations to the account name, but always the same 'root' name. As an example:

davidabc@mydomain.com
davidbbg@mydomain.com
davidtheman@mydomain.com

There are literally thousands of these in a 24 hour period, and they seem to stay 1 step ahead of the RBLs.
The IP address and 'from' address which the messages report to be sent from are not fixed and I rarely see more than 2-3 delivery attempts in a row using the same IP or from address. I'm sure this is a scripted 'abuse' as the logs show from 100 to 200 attempts within a 30 second window to this root name, and the IP and from address change every 2nd to 3rd delivery attempt. Unfortunately, we do a significant amount of INT'L business and I can't block CHINA and RUSSIA.

It appears to be either a dictionary attack or we are the backscatter victim for this campaign.

Although they are not getting delivered and we just drop it, I'm curious as to how others may have implemented a remedy to this. Any advice appreciated.
__________________
Work
7.0.1 UBUNTU8_64 UBUNTU8_64 NETWORK

Home
7.0.1 UBUNTU8_64 UBUNTU8_64 FOSS
#2, 06-07-2010, 11:16 AM
raj, Moderator, Posts: 768

Well, you cannot stop them from doing a dictionary attack, but you can take some measures so that they use fewer resources.

Greylisting is one way to reduce CPU for dictionary attacks.
If you keep your greylisting triplets clean every few days you will see it's very effective.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
#3, 06-07-2010, 11:35 AM
Special Member, Posts: 118

Thanks Raj, I'll read up a bit on the greylisting options. I am hoping for a regex or similar option such as david*@mydomain.com, since the actual problematic address is unique and this will have no effect on other users.
__________________
Work
7.0.1 UBUNTU8_64 UBUNTU8_64 NETWORK

Home
7.0.1 UBUNTU8_64 UBUNTU8_64 FOSS
#4, 06-13-2010, 08:48 AM
Special Member, Posts: 118

Just a follow-up: we are now greylisting and it is catching a few spammers, but I still get tons of dictionary attempts.

Who's up for a "Distributed Black Eye" attack, where we choose team members for each geographical area to personally distribute said black eyes to the offenders?
__________________
Work
7.0.1 UBUNTU8_64 UBUNTU8_64 NETWORK

Home
7.0.1 UBUNTU8_64 UBUNTU8_64 FOSS
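One way to quantify what this thread describes straight from the MTA log, as an added example (not code from the thread or from Zimbra): it parses Postfix smtpd "User unknown" rejects, keeps the ones aimed at one local-part root, and reports the busiest 30-second window plus how many distinct client IPs took part. The sample log lines are constructed, and the `david` root, the 30-second window and the `mydomain.com` domain are assumptions taken from the poster's description.

```python
import re
from datetime import datetime

# Postfix smtpd "User unknown" reject line (Zimbra's MTA is Postfix; assumed log format)
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from [^\s\[]+\[(?P<ip>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: Recipient address rejected"
)

def parse_reject(line, year=2010):
    """Return (timestamp, client_ip, recipient) for a reject line, or None otherwise."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()

def find_burst(lines, root, domain, window=30):
    """Keep rejects whose local part starts with `root` at `domain`; return the
    largest number seen in any `window`-second span and the count of distinct IPs."""
    events = []
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        ts, ip, rcpt = rec
        local, _, dom = rcpt.partition("@")
        if dom == domain and local.startswith(root):
            events.append((ts, ip))
    events.sort()
    best, start = 0, 0
    for end, (ts, _) in enumerate(events):  # two-pointer sliding window over sorted times
        while (ts - events[start][0]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best, len({ip for _, ip in events})
def _line(ts, ip, rcpt):  # builds one constructed reject line in Postfix's format
    return (f"{ts} mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<x@example.net> to=<{rcpt}> proto=ESMTP helo=<h>")
SAMPLE_LOG = [  # constructed sample modelled on the thread's description (not real logs)
    _line("Jun  7 10:55:01", "203.0.113.5", "davidabc@mydomain.com"),
    _line("Jun  7 10:55:03", "203.0.113.5", "davidbbg@mydomain.com"),
    _line("Jun  7 10:55:09", "198.51.100.7", "davidtheman@mydomain.com"),
    _line("Jun  7 10:55:20", "192.0.2.44", "davidxyz@mydomain.com"),
    _line("Jun  7 10:55:25", "192.0.2.44", "bob@mydomain.com"),      # different root
    _line("Jun  7 10:57:40", "203.0.113.9", "davidqq@mydomain.com"),  # outside the burst
    "Jun  7 10:57:41 mail postfix/smtpd[1234]: connect from unknown[203.0.113.9]",
]
```

Calling `find_burst(SAMPLE_LOG, "david", "mydomain.com")` on the constructed sample gives `(4, 4)`; fed the real log it gives a number to compare against the greylisting change, and a rising distinct-IP count is the signal that per-IP blocking alone will not help.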