Bill, Monday, September 16, 2002 you wrote: BB> I have seen talk on the Imail Forum about people attempting to BB> script something to combat Dictionary Attacks by blocking IPs that BB> send over too many RCPT TO commands that result in "ERR invalid BB> user".
I wrote such a program that is currently in use on my servers. It tails the IMAIL log file and checks for SMTPD ERR lines with invalid user, etc, and records each entry with the associated IP. Once a trigger count has been exceeded the program adds the IP to the SMTPD32.ACC file and toggles the service. Certain IP's have to be excluded however such as any backup mail servers, client servers, internal networks, and so on. It is actually thrilling to watch a client blacklist themselves though. It is amazing to me that someone can generate so many errors trying to hit the same wrong e-mail address. There are a number of significant problems with this approach not the least of which is the secondary servers. The attack on the primary stops of course when the service is stopped but most attackers simply move to one of the secondaries and soon the secondary is sending the same RCPT TO commands. So you have to do something different at the secondary and you cannot block it for obvious reasons. At the secondary itself even if it is running IMAIL you cannot use the same program to stop this attack on the primary because the attack is of course going in the opposite direction. So you have make some modifications. And we have have very few attacks that the attacker does not switch to one of the secondary servers. In addition the log file is apparently not flushed on each write by IMAIL so it is not really possible to stop every attack at just the trigger point. The most that have gotten by my program is about 15 and that does seem close enough to me. There are problems also with different IMAIL log file systems, different domains to be included and excluded, IP ranges that should be included and excluded, and a number of other issues as well as a variety of reporting and management options. Eventually the acc file should be listed, sorted by ip, and then recreated so that the ip's are added in proper net blocks as I'm convinced that improves efficiency dramatically. BB> Or is there anything out there that is already written and BB> available? I did not find anything and it took we a while to get my program running. I'm running a modified program on the secondary that allows me to control there as well but that does not work of course in the case of a non IMAIL secondary. I am about 90% complete with converting the program to a service, adding a config file for options, and so on. But haven't decided whether I'll complete it or not - and that's just for my own use. In my opinion to make it distributable to a general population would require considerable additional expenditure of resources for an end result that is at best tenuous and subject to sudden incompatibility. Also, I can imagine feature requests and maintenance being formidable issues. I think this really should be done by IMAIL inside the smtp dialogue but even then I am unclear on what to do with the secondary servers except white list them of course. BB> I have also seen talk about running BlackICE BB> (http://www.netice.com/) to automatically block IPs that cause too BB> many SMTP Errors. Does anybody have an opinion on if this is the BB> best solution right now? Roger Heath reported that he had enjoyed good success with this approach using the Black Ice Server version. I tried repeatedly over probably a dozen or more e-mail messages to get a demo of the server version but ISS, the owner of BlackICE, insisted that I had to use a much more expensive product. As far as I could find there was no demo product available for the BlackICE server product. I finally gave up the battle so I never tested the approach. I guess the best thing to do would be to pay the $300 for the server product and see if it works the way you want. If not then you're just out $300. There again though I think you'd have to while list the secondary servers. You might want to consider doing what I did initially when I began investigating this whole issue: You can find a program provided to the IMAIL community by Mike Lewinski called errors.cgi at http://www.rockynet.com/imail/ that will allow you to look for SMTPD errors in your log files. That will tell you any IP you need to block. Then you can use the IMAIL services web interface now (the usual 8181 interface) to add an IP to your ACC file and you can also toggle the SMTP service from that interface. So it is a kind of manual way of doing what I'm doing programmatically. Terry Fritts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.