Current sm_dict version: 1.3 2004/04/28 22:32:15 Current sm_joejob version: 1.1 2004/04/28 22:32:15
sm_dict checks lines on stdin for sendmail dictionary attacks and reports the first three octets of the attacking IP address, like this:
216.170.16 => 9 80.37.246 => 6 221.147.216 => 5 198.65.168 => 4 195.248.191 => 4since most attacks (currently) come from compromised netblocks.
sm_joejob detects when you are being joe-jobbed.
Now, each day included in the security output will be a list of dictionary attackers. The list includes those of the past 2 days as well, so attacks of the previous two days are always included.
Try configuring your catchall lines like this:
@savelogs.org nouserand make sure 'nouser' is neither a real user on your system nor an alias in /etc/mail/aliases. This way, sendmail will reject incoming mail at the RCPT stage of the SMTP handshake (before any DATA is sent) and you'll get a log entry indicating such. To prevent these attacking hosts from finding legitimate users, you add their netblock to your /etc/mail/access file for a time so they will be rejected at the connection phase of SMTP (even earlier than RCPT!).
usage: sm_dict /var/log/maillog examples: zcat -f /var/log/maillog* | sm_dictScott Wiersdorf