Today found that QMail mail system maillog inside a large number of "user not found" information, through the following log is not difficult to find, is from the same IP many different users connect QMail mail system authentication failed information. Hackers try to decode the QMail mail system's username and password in this way, sending a lot of spam and virus messages.
A large number of concurrent connections consumes the performance of the qmail system, even when the normal message cannot be sent or received in a serious time, the connection SMTP timeout occurs. Through the Linux iptables the IP address can be blocked, the following is my written iptables script, if there is a mistake, please correct me.
The logical structure of the script is basically: analyze the statistic system Maillog log, take out the attacker's IP address, Then compare it to the server's iptables script (iptables.sh), if the IP address is not inside iptables.sh, add a drop policy to iptables.sh, then send a message to the system administrator and reload iptables.sh.
Here's a test of how this script works and manually execute the script.
[Root@mail sh]# SH add_badip_iptables.sh
Check the Badip.txt file, which adds the IP address information that is being attacked.
Check the system administrator's mailbox also results received by users of the alarm message.