[Dshield] SASL Hacks & Swatch Alternative

David Cary Hart DavidHart at TQMcube.com
Thu Mar 3 19:16:36 GMT 2005

On Thu, 2005-03-03 at 13:57 +0100, Tony Earnshaw wrote:
> David Cary Hart:
> > We are continuing to get attempts to relay mail by hacking at SASL
> > authentication. The problem is solved with strong pwds and swatch watching
> > maillog for failed attempts and then executing a script to immediately add a
> > tarpit rule to IPTables.
> >
> > That said, swatch is a bit messy and, possibly, a tad unstable. I've
> > googled, freshmeated and sourceforged to death without success. Any
> > suggestions? I need a log watcher that can execute a script based upon pcre in
> > real time.
> I don't suppose you've changed your MTA from Postfix ;)

> Can you track down the offending IPs to cidr ranges?

Sure. In fact they are already blocked (we block the entire PRC, Korea
and Taiwan which is where these are coming from). However, the only way
to eliminate the SASL attempt is through IPTables. 

Swatch is now doing it just fine (it has proven to be more stable than I
thought). Now they go to TARPIT on the first attempt.
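The loop the message describes (watch the mail log for failed SASL authentication, then tarpit the offending address in iptables) is small enough to show in full. The following is an added example, not swatch and not anything the poster ran. It matches the `warning: host[ip]: SASL <mechanism> authentication failed` line that Postfix smtpd writes, collects each client IP once, and builds the iptables command that would tarpit its further SMTP connections. The log lines are constructed samples using documentation address ranges; the chain name, port and the function names are assumptions, and the TARPIT target is assumed to be available in the kernel (it is an add-on, not part of stock netfilter). Rules are only executed if you ask for it with `run=True`.

```python
import re
import shlex
import subprocess
from typing import Iterable, List, Set

# Constructed sample of Postfix smtpd lines of the kind a log watcher would see
# in /var/log/maillog. The addresses are documentation ranges, not real hosts.
SAMPLE_MAILLOG = """\
Mar  3 18:41:02 mx postfix/smtpd[4711]: connect from unknown[192.0.2.10]
Mar  3 18:41:03 mx postfix/smtpd[4711]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 18:41:04 mx postfix/smtpd[4711]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar  3 18:41:05 mx postfix/smtpd[4712]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 18:41:06 mx postfix/smtpd[4713]: connect from mail.example.net[203.0.113.5]
Mar  3 18:41:07 mx postfix/smtpd[4713]: 1A2B3C4D5E: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
"""

# The "SASL <mech> authentication failed" warning Postfix smtpd logs; the client
# IP is captured from the trailing hostname[ip] token. A successful login line
# (sasl_username=...) does not match, so legitimate users are never tarpitted.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \S+ authentication failed"
)


def failed_sasl_ips(lines: Iterable[str]) -> List[str]:
    """Return client IPs with at least one failed SASL attempt, in order of first sighting."""
    seen: Set[str] = set()
    out: List[str] = []
    for line in lines:
        m = SASL_FAIL.search(line)
        if m and m.group("ip") not in seen:
            seen.add(m.group("ip"))
            out.append(m.group("ip"))
    return out


def tarpit_rule(ip: str, chain: str = "INPUT") -> List[str]:
    """iptables argv that tarpits further SMTP connections from ip.

    Assumption: the TARPIT target is compiled into the kernel/iptables build.
    Inserting at the top of the chain (-I) makes the rule win over any ACCEPT
    for port 25 further down.
    """
    return ["iptables", "-I", chain, "-s", ip, "-p", "tcp", "--dport", "25", "-j", "TARPIT"]


def react(lines: Iterable[str], run: bool = False) -> List[List[str]]:
    """Build one tarpit rule per offending IP (first attempt is enough), and
    execute them only when run=True (requires root and the TARPIT target)."""
    cmds = [tarpit_rule(ip) for ip in failed_sasl_ips(lines)]
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Offline demonstration: print the rules instead of installing them.
    for cmd in react(SAMPLE_MAILLOG.splitlines()):
        print(shlex.join(cmd))
```

To use it against a live log, feed the lines from a `tail -F /var/log/maillog` pipe into `react(..., run=True)` from a process that keeps its `seen` set across calls; the point of the de-duplication is that one offending client produces one rule, not one rule per failed attempt.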

