sm_dict - the sm_dict script
sm_joejob - the sm_joejob script
465.status-mail-dictionary - the FreeBSD periodic script

Current sm_dict version: 1.3 2004/04/28 22:32:15
Current sm_joejob version: 1.1 2004/04/28 22:32:15

sm_dict checks lines on stdin for sendmail dictionary attacks and reports the first three octets of the attacking IP address, like this:

    216.170.16 => 9
    80.37.246 => 6
    221.147.216 => 5
    198.65.168 => 4
    195.248.191 => 4
since most attacks (currently) come from compromised netblocks.

sm_joejob detects when you are being joe-jobbed.

Changes

Versions of sm_dict prior to 1.3 did not distinguish between joe-jobs (bounces from mailer daemons) and actual dictionary attacks.

Installation

Place sm_dict in /usr/local/sbin. Place 465.status-mail-dictionary in /etc/periodic/daily.

Each day the security output will include a list of dictionary attackers. The list also covers the previous two days, so an attack seen on either of those days is still reported.

Notes

sm_dict looks for lines that include the sendmail rejection "User unknown". If you have virtusertable "catchall" lines that accept all mail, this program will not be helpful to you.

Try configuring your catchall lines like this:

    @savelogs.org                           nouser

and make sure 'nouser' is neither a real user on your system nor an alias in /etc/mail/aliases. This way, sendmail will reject incoming mail at the RCPT stage of the SMTP handshake (before any DATA is sent) and you'll get a log entry saying so. To prevent these attacking hosts from finding legitimate users, you can add their netblock to your /etc/mail/access file for a time so they will be rejected at the connection phase of SMTP (even earlier than RCPT!):

    216.170.16                   REJECT
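As an added illustration of the detection logic described above (this is not the sm_dict script itself, whose source is not on this page), the following Python sketch correlates a RCPT-time "User unknown" rejection with the from=/relay= envelope line of the same queue ID, counts the first three octets of the relay address, and sets aside joe-jobs (bounces with an empty or MAILER-DAEMON envelope sender). The log lines are constructed, and the exact field layout is an assumption about how your sendmail logs.

```python
import re
from collections import Counter

# Constructed sample (not from the page) in the shape of sendmail maillog lines:
# a RCPT-time "... User unknown" rejection and a "from=" envelope line carrying
# relay=[ip], tied together by the queue ID. from=<> marks a mailer-daemon bounce.
SAMPLE_LOG = """\
Apr 28 22:32:15 mx sm-mta[4101]: i3SMWFa1004101: <aaron@savelogs.org>... User unknown
Apr 28 22:32:15 mx sm-mta[4101]: i3SMWFa1004101: from=<list@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[216.170.16.5]
Apr 28 22:32:16 mx sm-mta[4102]: i3SMWGa1004102: <abby@savelogs.org>... User unknown
Apr 28 22:32:16 mx sm-mta[4102]: i3SMWGa1004102: from=<list@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[216.170.16.9]
Apr 28 22:32:17 mx sm-mta[4103]: i3SMWHa1004103: <forged@savelogs.org>... User unknown
Apr 28 22:32:17 mx sm-mta[4103]: i3SMWHa1004103: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.com [80.37.246.2]
Apr 28 22:32:18 mx sm-mta[4104]: i3SMWIa1004104: from=<scott@example.org>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=smtp.example.org [198.65.168.3]
"""

# "... sm-mta[pid]: <queue id>: <rest of line>"
QID_RE = re.compile(r'\S+\[\d+\]: (?P<qid>\w+): (?P<rest>.*)')
FROM_RE = re.compile(r'^from=<(?P<sender>[^>]*)>.*relay=.*?\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]')


def sm_dict(log_text):
    """Count "User unknown" rejections per first-three-octet prefix, split into
    dictionary attacks and joe-jobs (envelope sender empty or MAILER-DAEMON)."""
    # Pass 1: queue id -> (envelope sender, relay IP); line order is irrelevant.
    sessions = {}
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        fm = FROM_RE.match(m.group('rest')) if m else None
        if fm:
            sessions[m.group('qid')] = (fm.group('sender'), fm.group('ip'))
    # Pass 2: attribute each rejection to the relay of its session.
    attackers, joejobs = Counter(), Counter()
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if (not m or not m.group('rest').endswith('User unknown')
                or m.group('qid') not in sessions):
            continue  # not a rejection, or no envelope line to attribute it to
        sender, ip = sessions[m.group('qid')]
        prefix = '.'.join(ip.split('.')[:3])
        if sender == '' or sender.lower().startswith('mailer-daemon@'):
            joejobs[prefix] += 1
        else:
            attackers[prefix] += 1
    return attackers, joejobs


def report(counter):
    """Format like the page's sample output ('216.170.16 => 9'), busiest first."""
    return '\n'.join(f'{prefix} => {n}' for prefix, n in counter.most_common())
```

Feed it `zcat -f /var/log/maillog*` output and the two counters give you the dictionary-attack and joe-job views separately; only the first is a candidate for a temporary /etc/mail/access REJECT entry.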

Usage

usage: 

  sm_dict /var/log/maillog

examples:

  zcat -f /var/log/maillog* | sm_dict

Scott Wiersdorf
$Id: index.html,v 1.1 2005/08/15 18:25:30 scott Exp $