Email Dictionary Attack

From Sfvlug

This is just some Bourne shell script I whipped up while trying to learn more about a dictionary attack hitting my mail server. Messages not delivered to a real user are dropped into /var/spool/mail/bounce in maildir format. Change the numbers following seq to the first and last message numbers you want to check. I'm posting this here primarily as a scrapbook, and for educational purposes.

# Walk the numbered bounce files; skip numbers that have no matching file.
for A in $(seq 137146 200000); do
    [ -f "../mail/bounce/$A" ] || continue
    # Take the To: header, keep its last field, strip the <> brackets, lower-case it.
    formail -x To < "../mail/bounce/$A" | awk '{print $NF}' | tr -d '<>' | tr 'A-Z' 'a-z'
done | grep -v '^$' | sort | uniq -c | less
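As an added example (not the page's script), here is a POSIX shell version of the same tally that reads an actual maildir (new/ and cur/ subdirectories) instead of sequential numbers, copes with folded To: headers and multiple recipients, stops at the header/body boundary, and needs no formail. The maildir path argument and the three sample bounce messages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: tally the recipient addresses probed in bounced mail.
# Assumes the maildir path is passed as $1; messages live in new/ and cur/.

# Print one lower-case recipient address per line for every message in the maildir.
extract_recipients() {
    dir=$1
    for f in "$dir"/new/* "$dir"/cur/*; do
        [ -f "$f" ] || continue
        # Headers end at the first blank line; a line starting with whitespace
        # continues the previous header, so fold it back onto To: before splitting.
        awk '
            /^$/ { exit }
            /^[Tt][Oo]:/ { in_to = 1; hdr = substr($0, 4); next }
            in_to && /^[ \t]/ { hdr = hdr $0; next }
            in_to { in_to = 0 }
            END {
                n = split(hdr, parts, ",")
                for (i = 1; i <= n; i++) {
                    a = parts[i]
                    # Prefer the address inside <>, otherwise the bare token.
                    if (match(a, /<[^>]*>/)) a = substr(a, RSTART + 1, RLENGTH - 2)
                    gsub(/[ \t"]/, "", a)
                    if (a != "") print tolower(a)
                }
            }' "$f"
    done
}

# Count attempted recipients, most-hit first: many distinct local parts at one
# domain is the signature of a dictionary run against that domain.
count_recipients() {
    extract_recipients "$1" | sort | uniq -c | sort -rn
}

# Constructed sample maildir (not real data): one folded header, one mixed case,
# one lower-case "to:" plus a To: line in the body that must be ignored.
make_sample() {
    d=${TMPDIR:-/tmp}/bounce.$$
    mkdir -p "$d/new" "$d/cur"
    printf 'From: x@example.net\nTo: Bob Smith <BSMITH@example.com>\nSubject: hi\n\nbody\n' > "$d/new/1"
    printf 'To: alice@example.com,\n    bsmith@Example.com\n\nbody\n' > "$d/new/2"
    printf 'Subject: probe\nto: <carol@example.com>\n\nTo: not@header.example\n' > "$d/cur/3"
    echo "$d"
}

# Usage: count_recipients /var/spool/mail/bounce   (or --demo for the sample)
[ "${1:-}" = "--demo" ] && { d=$(make_sample); count_recipients "$d"; rm -rf "$d"; }
```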