----- Original Message ----- 
From: "Matthew Bramble" <[EMAIL PROTECTED]>

> These attacks can go on for hours and hours and hours.  If you've seen
> this stuff in your logs, you would see strings like
> [EMAIL PROTECTED]  26^8 for instance equals ~210,000,000,000
> addresses.  If they've got a database of names, that could probably be
> brought down to around 100,000 attempts.

Why not write a script that parses the end of the IMail log looking for
these attacks and adding the offending IP address to the IMail kill file?
The only drawback to this is that I believe the IMail SMTP server needs to
be restarted anytime IP addresses are added to the kill file (however, I
could be wrong about this).  In any case, this would allow you to immediately
kill a connection to the IMail server from a dictionary attack, leaving these
resources available for legitimate mail.

> The dictionary attacks don't send E-mail of any value, they are just
> used for harvesting addresses.  So if the spammer only gets positive
> responses to every address, their harvesting time has been completely
> wasted.  The only time when they dictionary attack a server that accepts
> everything would be when their software is not performing properly, or
> they are actually trying to DOS a server.

Their time is also wasted if they cannot add any address because every
attempt to connect to your server is blocked.  Allowing them to build a
database means that you may be setting yourself up for future spam runs to
these bogus addresses.

> So until IMail delivers functionality that can detect a dictionary
> attack, it seems crucial that we leave the nobody aliases on for every
> local domain.  Personally, I find the drawbacks of having a nobody alias
> pointed at me to be more harm than good, which is why I would like to
> auto-delete these messages.  You raise an important point though about
> not having the messages bounced back.  I'll have to look into possibly
> having an auto response set up in addition to the delete action, which
> would probably require two accounts with a single alias directed at it,
> or maybe forwarding would work with an autoresponder???

Ouch, that's as bad as sending bounces back to spammers; it does nothing but
clog up your delivery queue or spam innocent people whose e-mail addresses
were used by joe-jobbers.  Killing the connection immediately saves on
bandwidth and processing time on your server.

You might possibly consider setting up a dedicated mail gateway that can
very effectively handle these types of attacks, thus leaving IMail to do
what it does best, deliver mail to valid recipients.  A Linux/Postfix
solution works very well in this regard.

Anyway, just my 2 cents...

Bill
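
An added example (not part of the original message, and not IMail's own tooling) of the log-scanning script suggested above: it flags client IPs that rack up many rejected, distinct recipients in a short window. The log line layout, the 550 reply code for unknown users, the threshold and the function name are assumptions; writing the flagged addresses to the kill file is left out because the message does not describe that file's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified, ASSUMED layout (not IMail's real log format):
#   <date> <time> <client-ip> RCPT <address> <SMTP reply code>
SAMPLE_LOG = "\n".join(
    # One host guessing six different local parts in six seconds.
    [f"2004-03-01 10:00:0{i} 192.0.2.10 RCPT {n}@example.com 550"
     for i, n in enumerate(["aaron", "abby", "adam", "al", "alan", "alex"])]
    # A host retrying the same dead address (e.g. a stale list subscription).
    + [f"2004-03-01 10:00:1{i} 203.0.113.5 RCPT oldlist@example.com 550"
       for i in range(6)]
    # A legitimate sender with one typo.
    + ["2004-03-01 10:00:20 198.51.100.7 RCPT bill@example.com 250",
       "2004-03-01 10:00:21 198.51.100.7 RCPT bil@example.com 550"]
)

LINE_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) RCPT (\S+) (\d{3})$")


def find_dictionary_attackers(log_text, threshold=5,
                              window=timedelta(minutes=1), allowlist=()):
    """Return IPs with >= threshold rejected *distinct* recipients inside window."""
    recent = defaultdict(deque)   # ip -> (timestamp, recipient) pairs still in window
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not RCPT results
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, rcpt, code = m.group(2), m.group(3).lower(), m.group(4)
        # Only unknown-user rejections count; never flag allowlisted relays.
        if code != "550" or ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire attempts older than the window
        # Counting distinct recipients keeps a host that retries one bad
        # address from looking like an address-guessing run.
        if len({r for _, r in q}) >= threshold:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for ip in find_dictionary_attackers(SAMPLE_LOG):
        print(ip)
```

Allowlisting your own relays and backup MX hosts before acting on the result avoids blocking legitimate forwarders that pass along mail for stale addresses.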
