Nick,

I think I might have been asking the question the other way around, though I'm not positive it was taken the wrong way.

The theory here is that domains which accept every E-mail address in the HELO won't be dictionary attacked past a few attempts because the attacker's software will quickly determine that the attack isn't exposing any addresses due to a catch all situation. So maybe adding the nobody alias back in, and redirecting that E-mail to an account that deletes each E-mail automatically will resolve the issue of dictionary attacks?

I see this stuff in my logs on occasion, but it never happens for a prolonged period of time. I'm thinking this is because 90% of my domains had nobody aliases. Unless someone only wants to DOS my server, dictionary attacking a domain with a nobody alias is a waste of their processing power just like it is a waste of mine.

Matt



Nick Hayer wrote:

Hi Matt,


Is anyone getting dictionary attacked for long periods of time on a
domain with a nobody alias or something that is gatewayed?

Thanks,


Yes. I get hammered every day. I got rid of the nobody alias, filter the log files for the IPs that connected, and add them to my Imail Access control list. Currently that list contains nearly 10,000 IPs...

-Nick Hayer







Matt



Fritz Squib wrote:



Hey guys, this sounds like the same problem that I have been
experiencing, however it has been a bunch of spam with c.c.'s to
non-existent mail addresses on my server (dictionary attack style).
My DNS is working fine.

I spent the weekend returning mail from the old spool to a new spool
that I had to create.

I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems
with forged return addresses.

My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments





---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





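The log filtering Nick describes (pull the connecting IPs out of the mail log and feed them to an access control list) can be sketched as follows. This is an added example, not code from any poster in the thread; the log line layout, the sample lines, and the names `find_harvesters` and `acl_entries` are constructed for illustration and do not reflect IMail's real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up layout (NOT IMail's real log format):
# "<HH:MM:SS> <client-ip> RCPT <address> <smtp-reply-code>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 RCPT adam@example.com 550
10:00:02 203.0.113.7 RCPT alice@example.com 550
10:00:02 203.0.113.7 RCPT andy@example.com 550
10:00:03 203.0.113.7 RCPT bob@example.com 250
10:00:04 203.0.113.7 RCPT carl@example.com 550
10:02:10 198.51.100.4 RCPT bob@example.com 250
10:05:30 198.51.100.4 RCPT bobb@example.com 550
10:07:00 192.0.2.9 RCPT sales@example.com 250
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) RCPT (\S+) (\d{3})$")

def find_harvesters(log_text, min_unknown=3, window_s=60):
    """Map each flagged IP to the largest number of distinct rejected
    recipients (reply 550) it tried within any window_s-second span."""
    rejects = defaultdict(list)  # ip -> [(seconds since midnight, recipient)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that are not RCPT records
        h, mi, s, ip, rcpt, code = m.groups()
        if code == "550":
            stamp = int(h) * 3600 + int(mi) * 60 + int(s)
            rejects[ip].append((stamp, rcpt.lower()))
    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= min_unknown:
            flagged[ip] = best
    return flagged

def acl_entries(flagged):
    """Sorted list of IPs to hand to whatever deny list the server uses."""
    return sorted(flagged)

if __name__ == "__main__":
    print(acl_entries(find_harvesters(SAMPLE_LOG)))
```

On a domain with a nobody alias every recipient is accepted, so there are no 550 replies to count and this signal stays silent there.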