I've noticed in the last days a lot of logfile entries like:...
10:21 06:14 SMTPD(0456002E) [207.44.142.84] RCPT TO: <[EMAIL PROTECTED]>
10:21 06:14 SMTPD(0456002E) [207.44.142.84] ERR mail.zcom.it invalid user <[EMAIL PROTECTED]
10:21 06:14 SMTPD(0456002E) [207.44.142.84] RCPT TO: <[EMAIL PROTECTED]>
10:21 06:14 SMTPD(0456002E) [207.44.142.84] ERR mail.zcom.it invalid user <[EMAIL PROTECTED]
10:21 06:14 SMTPD(0456002E) [207.44.142.84] RCPT TO: <[EMAIL PROTECTED]>
10:21 06:14 SMTPD(0456002E) [207.44.142.84] ERR mail.zcom.it invalid user <[EMAIL PROTECTED]
This is a dictionary attack, where the spammer guesses addresses at your domain.
... or if you have a lot of addresses that are otherwise common. Spammers don't care about the language, if they think there is a chance the address may exist on your server.

In this test the spider has found only the info address, but I can imagine that a scan like this can find a lot more addresses if the users are English.
The main problem is that the attack needs to be stopped before the E-mail is received (when Declude sees it), and IMail doesn't document the format of their IP blacklist files. We have been working on something to help prevent this, but without a way to block it while it is happening, there isn't much that can be done.

My question: is there nothing to do against these scans? Can Declude see the IMail error messages and create a temporary blocklist, or is this a job for an external tool that regularly checks the SMTP logfile and writes the results for a specific time in the imail-ip-blocklist?
-Scott
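
The external log-checking tool asked about above could look like the following sketch, which is an added example and not code from this thread, Declude or IMail. The field layout (MM:DD HH:MM, session id, client IP) is inferred from the quoted log lines; the function names, threshold, window, block duration and the year argument are assumptions, and because the IMail blocklist format is undocumented the result is returned as plain data rather than written to IMail's file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "invalid user" rejection lines quoted in the post. The field
# meanings are inferred from that sample, not from IMail documentation.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d) (\d\d):(\d\d) SMTPD\(([0-9A-Fa-f]+)\) "
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] ERR \S+ invalid user\b"
)

def find_dictionary_attackers(lines, year, threshold=5, window_minutes=10,
                              block_minutes=60):
    """Return {ip: block_expiry} for IPs with at least `threshold` rejected
    recipients inside a sliding window. Lines must be in chronological order."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # RCPT TO and other lines are not counted
        month, day, hour, minute, _session, ip = m.groups()
        ts = datetime(year, int(month), int(day), int(hour), int(minute))
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # forget rejections older than the window
        if len(hits) >= threshold:
            blocked[ip] = ts + timedelta(minutes=block_minutes)
    return blocked

def active_blocks(blocked, now):
    """Drop expired entries so the blocklist stays temporary."""
    return sorted(ip for ip, expiry in blocked.items() if expiry > now)

# Constructed sample: documentation-range IPs, placeholder host and recipients.
SAMPLE_LOG = [
    f"10:21 06:1{4 + i // 3} SMTPD(0456002E) [192.0.2.10] ERR mail.example.test "
    f"invalid user <guess{i}@example.test>" for i in range(6)
] + [
    "10:21 06:15 SMTPD(04560030) [198.51.100.7] RCPT TO: <info@example.test>",
    "10:21 06:16 SMTPD(04560030) [198.51.100.7] ERR mail.example.test invalid user <inof@example.test>",
]
```

A single mistyped recipient from a legitimate sender stays below the threshold, so only the address that keeps guessing is listed.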
