Thanks Terry & Scott,
I think I'll give BlackICE a try. I will let you all know what I think about it.
Anything that does application-level SMTP firewalling should work. I wish there was
simpler a product that I could just run to listen to port 25, filter out the bad
stuff, and pipe the good stuff to Imail through an alternate SMTP port.
Bill
-----Original Message-----
From: Smart Business Lists
Sent: Tue, 17 Sep 2002 08:47:46 -0500
Subject: Re: [Declude.JunkMail] dictionary attacks
Bill,
Monday, September 16, 2002 you wrote:
BB> I have seen talk on the Imail Forum about people attempting to
BB> script something to combat Dictionary Attacks by blocking IPs that
BB> send over too many RCPT TO commands that result in "ERR invalid
BB> user".
I wrote such a program that is currently in use on my servers.
It tails the IMAIL log file and checks for SMTPD ERR lines with
invalid user, etc, and records each entry with the associated IP.
Once a trigger count has been exceeded the program adds the IP to
the SMTPD32.ACC file and toggles the service. Certain IP's have
to be excluded however such as any backup mail servers, client
servers, internal networks, and so on. It is actually thrilling
to watch a client blacklist themselves though. It is amazing to
me that someone can generate so many errors trying to hit the same
wrong e-mail address.
There are a number of significant problems with this approach not
the least of which is the secondary servers. The attack on the
primary stops of course when the service is stopped but most
attackers simply move to one of the secondaries and soon the
secondary is sending the same RCPT TO commands. So you have to do
something different at the secondary and you cannot block it for
obvious reasons.
At the secondary itself even if it is running IMAIL you cannot use
the same program to stop this attack on the primary because the
attack is of course going in the opposite direction. So you have
make some modifications.
And we have have very few attacks that the attacker does not
switch to one of the secondary servers.
In addition the log file is apparently not flushed on each write by
IMAIL so it is not really possible to stop every attack at just
the trigger point. The most that have gotten by my program is
about 15 and that does seem close enough to me.
There are problems also with different IMAIL log file systems,
different domains to be included and excluded, IP ranges that
should be included and excluded, and a number of other issues as
well as a variety of reporting and management options. Eventually
the acc file should be listed, sorted by ip, and then recreated so
that the ip's are added in proper net blocks as I'm convinced that
improves efficiency dramatically.
BB> Or is there anything out there that is already written and
BB> available?
I did not find anything and it took we a while to get my program
running.
I'm running a modified program on the secondary that allows me to
control there as well but that does not work of course in the case
of a non IMAIL secondary.
I am about 90% complete with converting the program to a service,
adding a config file for options, and so on. But haven't decided
whether I'll complete it or not - and that's just for my own use.
In my opinion to make it distributable to a general population
would require considerable additional expenditure of resources for
an end result that is at best tenuous and subject to sudden
incompatibility. Also, I can imagine feature requests and
maintenance being formidable issues.
I think this really should be done by IMAIL inside the smtp
dialogue but even then I am unclear on what to do with the
secondary servers except white list them of course.
BB> I have also seen talk about running BlackICE
BB> (http://www.netice.com/) to automatically block IPs that cause too
BB> many SMTP Errors. Does anybody have an opinion on if this is the
BB> best solution right now?
Roger Heath reported that he had enjoyed good success with this
approach using the Black Ice Server version.
I tried repeatedly over probably a dozen or more e-mail messages
to get a demo of the server version but ISS, the owner of
BlackICE, insisted that I had to use a much more expensive product.
As far as I could find there was no demo product available for the
BlackICE server product. I finally gave up the battle so I never
tested the approach.
I guess the best thing to do would be to pay the $300 for the server
product and see if it works the way you want. If not then you're
just out $300.
There again though I think you'd have to while list the secondary
servers.
You might want to consider doing what I did initially when I began
investigating this whole issue:
You can find a program provided to the IMAIL community by Mike
Lewinski called errors.cgi at http://www.rockynet.com/imail/ that
will allow you to look for SMTPD errors in your log files. That
will tell you any IP you need to block.
Then you can use the IMAIL services web interface now (the usual
8181 interface) to add an IP to your ACC file and you can also
toggle the SMTP service from that interface.
So it is a kind of manual way of doing what I'm doing
programmatically.
Terry Fritts
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
