I've noticed in the last days a lot of Logfile-Entries like:

10:21 06:14 SMTPD(0456002E) [207.44.142.84] RCPT TO: <[EMAIL PROTECTED]>
10:21 06:14 SMTPD(0456002E) [207.44.142.84] ERR mail.zcom.it invalid user <[EMAIL PROTECTED]
10:21 06:14 SMTPD(0456002E) [207.44.142.84] RCPT TO: <[EMAIL PROTECTED]>
10:21 06:14 SMTPD(0456002E) [207.44.142.84] ERR mail.zcom.it invalid user <[EMAIL PROTECTED]
10:21 06:14 SMTPD(0456002E) [207.44.142.84] RCPT TO: <[EMAIL PROTECTED]>
10:21 06:14 SMTPD(0456002E) [207.44.142.84] ERR mail.zcom.it invalid user <[EMAIL PROTECTED]
...

This is a dictionary attack, where the spammer guesses addresses at your domain.

In this test the spider has found only the info-Address, but I can
imagine that a scan like this can find a lot more addresses if the
users are English.

... or if you have a lot of addresses that are otherwise common. Spammers don't care about the language if they think there is a chance the address may exist on your server.

My question: is there nothing to do against these scans?
Can Declude see the Imail-error-messages and create a temporary
blocklist, or is this a job for an external tool that checks regularly
the SMTP-Logfile and writes the results for a specific time in the
imail-ip-blocklist?

The main problem is that the attack needs to be stopped before the E-mail is received (when Declude sees it), and IMail doesn't document the format of their IP blacklist files. We have been working on something to help prevent this, but without a way to block it while it is happening, there isn't much that can be done.
-Scott

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
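
The external log-watching tool raised in the question above, sketched as an added example (not code from the post, Declude or IMail): it counts "invalid user" rejections per source IP inside a sliding time window and returns the IPs that cross a threshold. The `MM:DD HH:MM` reading of the timestamp fields, the threshold, the window and the sample log lines are assumptions constructed for illustration; writing the result into IMail's blocklist is left out because its file format is undocumented.

```python
import re
from collections import defaultdict, deque

# Assumed layout, inferred from the excerpt in the post:
#   MM:DD HH:MM SMTPD(session) [ip] ERR <host> invalid user <addr>
REJECT_RE = re.compile(
    r"^(\d\d):(\d\d) (\d\d):(\d\d) SMTPD\(\w+\) \[([\d.]+)\] ERR \S+ invalid user\b"
)

def to_minutes(month, day, hour, minute):
    # Coarse monotonic stamp; treating every month as 31 days is
    # sufficient for comparing entries that are minutes apart.
    return ((month * 31 + day) * 24 + hour) * 60 + minute

def find_dictionary_attackers(lines, threshold=3, window_minutes=10):
    """Return {ip: peak rejections seen inside one window} for flagged IPs."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    flagged = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue              # RCPT TO and other lines are ignored
        now = to_minutes(*(int(m.group(i)) for i in range(1, 5)))
        ip = m.group(5)
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] >= window_minutes:
            hits.popleft()        # drop rejections that left the window
        if len(hits) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(hits))
    return flagged

# Constructed sample log (documentation IP ranges, example.com addresses).
SAMPLE_LOG = """\
10:21 06:14 SMTPD(0456002E) [192.0.2.10] RCPT TO: <admin@example.com>
10:21 06:14 SMTPD(0456002E) [192.0.2.10] ERR mail.example.com invalid user <admin@example.com>
10:21 06:14 SMTPD(0456002E) [192.0.2.10] ERR mail.example.com invalid user <sales@example.com>
10:21 06:15 SMTPD(0456002E) [192.0.2.10] ERR mail.example.com invalid user <webmaster@example.com>
10:21 06:15 SMTPD(0456002E) [192.0.2.10] ERR mail.example.com invalid user <john@example.com>
10:21 06:20 SMTPD(04570031) [198.51.100.7] ERR mail.example.com invalid user <jon.doe@example.com>
10:21 09:40 SMTPD(04580044) [198.51.100.7] ERR mail.example.com invalid user <jane.d@example.com>
10:21 13:05 SMTPD(04590050) [198.51.100.7] ERR mail.example.com invalid user <j.doe@example.com>
""".splitlines()

if __name__ == "__main__":
    for ip, peak in find_dictionary_attackers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} invalid-user rejections within the window")
```

The second sender in the sample mistypes three recipients over several hours and stays below the threshold, which is the false-positive case a window is meant to avoid.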