Well, I actually edited the Wikipedia page for fail2ban, a tool that can block repeated connections from a bad host to network services on a *nix box. Since I've implemented it, the number of email rejections we were getting has dropped by 30% in a week.
I've got it set up so that it monitors the mail log for lines which say "REJECT" and an IP address. We reject mail if it's malformed, is coming from a host we block routinely or via an RBL, or if, duh, it's not addressed to anyone valid in our organisation. "Dictionary attacks" will spew mail at randomly-generated addresses for a given domain, and will generally hit the jackpot at some point. But before it hits that jackpot, if a host IP gets three REJECTions within 5 minutes, their network packets are dropped for 10-15 minutes. As far as the spammer is aware, the server has dropped off the intarwebs - their connection doesn't even get as far as the mail server process. The ban is not unlimited, because someone may have just misconfigured their server, and they should have a chance to fix it. However, that 10-15 minutes is enough to stop them from spraying potentially thousands of messages at our servers, and reduces their chances of those 1 in 10,000 jackpots of an actual valid recipient address. It's not just mail-focussed - it can monitor any network service that logs authentication or connection attempts to a log file.
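As an added illustration (not code from the original post or from fail2ban itself), here is the counting rule described above replayed in Python over a few constructed reject lines: three rejects from one address inside five minutes trigger a ten-minute ban, rejects spaced wider than the window never accumulate, and anything from a banned host during the ban is treated as dropped before it reaches the MTA. The log format, host names and TEST-NET addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail log (hypothetical hosts; 203.0.113.7 is the "dictionary" sender).
SAMPLE_LOG = """\
Mar 10 12:00:01 mx smtpd[1234]: REJECT from unknown[203.0.113.7]: <aaa@example.org>: User unknown
Mar 10 12:01:30 mx smtpd[1234]: REJECT from unknown[203.0.113.7]: <aab@example.org>: User unknown
Mar 10 12:02:15 mx smtpd[1235]: REJECT from mail.example.net[198.51.100.9]: <bob@example.org>: User unknown
Mar 10 12:02:50 mx smtpd[1235]: client=mail.example.net[198.51.100.9]
Mar 10 12:03:00 mx smtpd[1234]: REJECT from unknown[203.0.113.7]: <aac@example.org>: User unknown
Mar 10 12:03:40 mx smtpd[1234]: REJECT from unknown[203.0.113.7]: <aad@example.org>: User unknown
Mar 10 12:20:00 mx smtpd[1236]: REJECT from mail.example.net[198.51.100.9]: <carol@example.org>: User unknown
Mar 10 12:26:00 mx smtpd[1236]: REJECT from mail.example.net[198.51.100.9]: <dave@example.org>: User unknown
"""

FMT = "%b %d %H:%M:%S"
# A "failure" is any line containing REJECT plus a bracketed IPv4 address.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*\bREJECT\b.*\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                     re.IGNORECASE)


def scan(log_text, maxretry=3, findtime=timedelta(minutes=5), bantime=timedelta(minutes=10)):
    """Replay log lines in order. Returns the ban events issued and the number of
    lines that would never have been logged because the host was already banned."""
    recent = defaultdict(deque)   # ip -> timestamps of rejects still inside the window
    banned_until = {}             # ip -> time the ban expires
    bans, dropped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # not a reject line; nothing to count
        # syslog carries no year, so pin one to keep the arithmetic sane
        ts = datetime.strptime(m.group(1), FMT).replace(year=2000)
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            dropped += 1          # firewall drops the packets; the MTA never sees this
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # evict rejects older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts.strftime(FMT), banned_until[ip].strftime(FMT)))
            window.clear()        # the host starts from zero once the ban lapses
    return {"bans": bans, "dropped": dropped}
```

Lowering `findtime` or raising `maxretry` shows directly how many legitimate-but-misconfigured senders would be caught, which is the trade-off the short ban time is there to soften.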
Anyways, the Wikipedia article had nearly been removed last year due to its lack of "notability". Since it's the only tool that works in quite this way, and has been around for a couple of years, it was strange that it was under question. There were a whole pile of links going straight back to the developer's website, though, which isn't particularly a good look. Here's hoping it will not come under fire so much now.