Hi, so I recently migrated to a new server and since the migration I've been getting thousands of emails to non-existent accounts every day (coincidence? maybe, I don't know). I did keep the same IP, just a different box with the same host.
I think it is a dictionary attack, but I'm not sure. Each attack is coming from a different IP address and each IP address is sending 100-200 emails at a time. They are coming from every country on the list, including the United States, and each one is a different domain name. Some are even using Comcast and Spectrum IPs. All 100+ emails from each IP are happening in a 1-second time frame. Most of them are rejected by sender verify, but some make it to the "no such user here" reject. As far as I can tell these attacks seem to be harmless and Exim/cPanel/SpamAssassin are doing their jobs, but it's destroying the logs.
It seems like Exim is rate-limiting them somehow, but I don't know for sure. Wondering if anyone knows of a way to do something like this:
If 10.20.30.40 sends more than 5 emails to a non-existent account, then block 10.20.3.40
thanks,
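A log-side version of the check asked for above, added here as an example and not code from the thread: it parses Exim mainlog-style RCPT reject lines, counts only the unknown-user rejects per client IP inside a sliding window, and reports hosts over the threshold as candidates for a firewall deny rule (Exim's own ACL `ratelimit` condition is the in-server alternative). The sample log lines, the cPanel "No Such User Here" wording, the 1-hour window and the documentation IPs are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Exim mainlog style (documentation IPs, not the poster's data):
# 203.0.113.5 hits six unknown users in ~1 s, 198.51.100.7 only two, 192.0.2.9 fails sender verify.
SAMPLE_LOG = """\
2024-01-10 03:15:01 H=(x.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <ana@example.com>: No Such User Here
2024-01-10 03:15:01 H=(x.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <bob@example.com>: No Such User Here
2024-01-10 03:15:01 H=(x.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <cat@example.com>: No Such User Here
2024-01-10 03:15:01 H=(x.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <dan@example.com>: No Such User Here
2024-01-10 03:15:01 H=(x.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <eve@example.com>: No Such User Here
2024-01-10 03:15:02 H=(x.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <fay@example.com>: No Such User Here
2024-01-10 03:20:11 H=(y.example.org) [198.51.100.7] F=<b@example.org> rejected RCPT <gus@example.com>: No Such User Here
2024-01-10 03:20:12 H=(y.example.org) [198.51.100.7] F=<b@example.org> rejected RCPT <hal@example.com>: No Such User Here
2024-01-10 03:25:40 H=(z.example.com) [192.0.2.9] F=<c@nowhere.invalid> rejected RCPT <ana@example.com>: Sender verify failed
2024-01-10 03:30:00 1rXyz-000001-Ab <= real@example.org H=(m.example.org) [192.0.2.50] P=esmtp S=1200
"""

# One RCPT reject line: timestamp, [client IP], recipient, reason text.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r" .*?rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)
# Reject reasons that mean "recipient does not exist" (cPanel wording plus stock Exim's).
UNKNOWN_USER_REASONS = ("No Such User Here", "Unrouteable address")

def parse_rejects(log_text):
    """Yield (timestamp, ip, recipient, reason) for each RCPT reject line; skip other lines."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["rcpt"], m["reason"]

def offending_ips(log_text, threshold=5, window=timedelta(hours=1)):
    """Return {ip: peak_count} for clients with more than `threshold` unknown-user rejects in any `window`."""
    times_by_ip = defaultdict(list)
    for ts, ip, _rcpt, reason in parse_rejects(log_text):
        if reason.startswith(UNKNOWN_USER_REASONS):  # sender-verify rejects are deliberately not counted
            times_by_ip[ip].append(ts)
    offenders = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders
```

Feed it the real mainlog (or rejectlog) text and hand the returned IPs to whatever firewall or CSF deny list the box uses; the threshold and window are the knobs from the question.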