[IMGate] Blocking dictionary attacks

2005-01-26 Thread Paul Fuhrmeister
IMGate does an outstanding job of blocking dictionary attacks in front of my
Imail server. 

But now my IMGate servers are getting bogged down with all of the dictionary
attacks. I have more than 50,000 to unknown recipients so far today, as of
8 am, and the day's just starting. It's running into the hundreds of
thousands on some days.

Does anyone have (know of) a program that can harvest the IP Numbers of the
servers doing this so we can block those IPs?

I guess I can build a report with grep or something. 

Would anvil help?

[EMAIL PROTECTED]
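
An added example, not part of the original thread: one way to build the per-IP report asked about above, by counting Postfix "User unknown" recipient rejects per client IP. It assumes the usual Postfix smtpd reject log format; the sample lines are constructed and the thresholds are hypothetical. It also requires several distinct unknown names per IP, so a legitimate sender retrying one mistyped address is not listed.

```python
import re
from collections import Counter

# Constructed sample log (hosts, addresses and documentation-range IPs are made up).
SAMPLE_LOG = """\
Jan 26 07:58:01 gw1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Jan 26 07:58:02 gw1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <adam@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.net> to=<adam@example.com> proto=SMTP helo=<x>
Jan 26 07:58:02 gw1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <alan@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.net> to=<alan@example.com> proto=SMTP helo=<x>
Jan 26 07:58:03 gw1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <alex@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.net> to=<alex@example.com> proto=SMTP helo=<x>
Jan 26 08:01:10 gw1 postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <jsmiht@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<bob@example.org> to=<jsmiht@example.com> proto=ESMTP helo=<mail.example.org>
Jan 26 08:06:10 gw1 postfix/smtpd[2244]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <jsmiht@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<bob@example.org> to=<jsmiht@example.com> proto=ESMTP helo=<mail.example.org>
Jan 26 08:11:10 gw1 postfix/smtpd[2249]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <jsmiht@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<bob@example.org> to=<jsmiht@example.com> proto=ESMTP helo=<mail.example.org>
Jan 26 08:12:00 gw1 postfix/smtpd[2251]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 <someone@example.org>: Relay access denied; from=<c@example.net> to=<someone@example.org> proto=SMTP helo=<y>
"""

# Matches only unknown-recipient rejects; the enhanced status code (5.1.1) is optional.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"5\d\d (?:\d\.\d+\.\d+ )?<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def unknown_rcpt_sources(lines):
    """Return {client_ip: (reject_count, distinct_recipient_count)}."""
    hits, rcpts = Counter(), {}
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, other reject reasons, delivery lines
        ip = m.group("ip")
        hits[ip] += 1
        rcpts.setdefault(ip, set()).add(m.group("rcpt").lower())
    return {ip: (n, len(rcpts[ip])) for ip, n in hits.items()}

def block_candidates(lines, min_rejects=3, min_distinct=3):
    """IPs that probed many different unknown names, busiest first.
    Thresholds are hypothetical; tune them against your own traffic."""
    picked = [(ip, n, d) for ip, (n, d) in unknown_rcpt_sources(lines).items()
              if n >= min_rejects and d >= min_distinct]
    return sorted(picked, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, n, d in block_candidates(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{n} rejects\t{d} distinct recipients")
```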






[IMGate] Re: Blocking dictionary attacks

2005-01-26 Thread Len Conrad

> IMGate does an outstanding job of blocking dictionary attacks in front of my
> Imail server.
>
> But now my IMGate servers are getting bogged down with all of the dictionary
> attacks.

then something's wrong with your config

> I have more than 50,000 to unknown recipients so far today, as of
> 8 am, and the day's just starting. It's running into the hundreds of
> thousands on some days.

are you running anvil?

are you running RAV (ok for small volumes) or exporting imail users?

Len




[IMGate] Re: Imail bogus connects in high volume

2005-01-26 Thread Len Conrad

> To look at where the connections are coming from?

the connections are from Imail to postfix.

I'll report whether upgrading from RAV to reject_unlisted_recipient fixes 
the pb, or not.

Judging from the number of IMail users that have Imail screwing up from 
large volumes of unknown users, I have to say Imail is becoming less 
acceptable as an MX machine as the volumes go up.  Imail is vulnerable as MX.

Len




[IMGate] Re: Imail bogus connects in high volume

2005-01-26 Thread Dan Horne
When I originally set up IMGate, I had to switch from RAV to
reject-unlisted-recipient for this very reason.  Imail couldn't handle the
dictionary attacks, and it couldn't handle the RAV from the dictionary
attacks.  The whole point of IMGate for us was to take the load and
processing power for the dictionary attacks off of Imail.  The RAV still
connected to Imail to verify the address, rendering IMGate useless as far as
Imail was concerned.  The only way it would seem to have any effect on the
dictionary attacks is with reject-unlisted-recipient. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Len Conrad
Sent: Wednesday, January 26, 2005 10:45 AM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: Imail bogus connects in high volume


To look at where the connections are coming from?

the connections are from Imail to postfix.

I'll report whether upgrading from RAV to reject_unlisted_recipient fixes
the pb, or not.

Judging from the number of IMail users that have Imail screwing up from
large volumes of unknown users, I have to say Imail is becoming less
acceptable as an MX machine as the volumes go up.  Imail is vulnerable as
MX.

Len







[IMGate] Re: Blocking dictionary attacks

2005-01-26 Thread Len Conrad

> We have tens of thousands of users.

nothing wrong with that


>> are you running anvil?
> No, I'm wondering how much that might help.

it will help some, maybe a lot, esp if single IPs are connecting above the 
anvil rate.

>> are you running RAV (ok for small volumes) or exporting imail users?
>
> No RAV, we are exporting imail users.

then postfix should not be bogging down at all.  I've seen an 800 MHz 
postfix with 512 MB ram reject 50 to 70 unknown users PER SECOND for days 
with no impact on legit mail flow.

postfix is doing how many rejects of unknown users/day?

what specifically is bogged down?

Len