I've been watching my mail logs fill up with dictionary attacks, and have been thinking about a way to teergrube (tarpit) them.
What I'd like to do is to add an entry to a database whenever there's a 450 (User unknown) error. I would track the IP address of the machine that connected, as well as the time of the error.
Then, when a new connection is made, I look up the connection in the database and if there's been another connection in the past 10 minutes or so, I pause for a few minutes before sending the 450.
If I wanted to be really nasty, once my software's decided that there's a dictionary attack going on, I could stop sending 450s back and start sending OK for all addresses (with a pause, of course) just to keep the TCP connection open.
I may be able to do this using Postfix 2.1's policy server, but I'm not yet sure.
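The bookkeeping described above, as an added example that is not part of the original post and is not tied to any Postfix interface. The `Tarpit` class, the SQLite storage, the 120-second pause and the 5-hit attack threshold are assumptions; the caller is expected to know whether the recipient exists and to sleep for the returned delay before replying.

```python
import sqlite3

WINDOW = 600      # seconds; the post's "past 10 minutes or so"
PAUSE = 120       # seconds; assumed value for "a few minutes"
ATTACK_HITS = 5   # assumed number of recent failures that counts as an attack

class Tarpit:
    """Hypothetical helper: remembers 450s per client IP and picks a delay."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS unknown_rcpt "
                        "(ip TEXT NOT NULL, ts REAL NOT NULL)")
        self.db.execute("CREATE INDEX IF NOT EXISTS by_ip "
                        "ON unknown_rcpt (ip, ts)")

    def recent_hits(self, ip, now):
        """Count this client's 'User unknown' errors inside the window."""
        cur = self.db.execute(
            "SELECT COUNT(*) FROM unknown_rcpt WHERE ip = ? AND ts >= ?",
            (ip, now - WINDOW))
        return cur.fetchone()[0]

    def record_unknown(self, ip, now):
        """Store IP and time of the error; drop rows that have aged out."""
        self.db.execute("INSERT INTO unknown_rcpt VALUES (?, ?)", (ip, now))
        self.db.execute("DELETE FROM unknown_rcpt WHERE ts < ?",
                        (now - WINDOW,))
        self.db.commit()

    def decide(self, ip, rcpt_exists, now, nasty=False):
        """Return (reply, seconds to sleep before sending it)."""
        hits = self.recent_hits(ip, now)   # errors seen before this one
        if not rcpt_exists:
            self.record_unknown(ip, now)
        if nasty and hits >= ATTACK_HITS:
            return ("OK", PAUSE)           # stall and accept everything
        if rcpt_exists:
            return ("OK", 0)
        return ("450", PAUSE if hits else 0)

if __name__ == "__main__":
    t = Tarpit()
    # Constructed sample: (client IP, recipient exists?, time in seconds)
    for ip, ok, ts in [("192.0.2.10", False, 0), ("192.0.2.10", False, 60),
                       ("198.51.100.7", True, 60), ("192.0.2.10", False, 900)]:
        print(ip, ts, t.decide(ip, ok, ts))
```

In a live service `now` would come from `time.time()` and `path` would point at a file so the history survives restarts.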