Try running Black ICE on the server.  It does a pretty decent job of
auto-blocking dictionary attacks.  We have it set to close and block a
connection after 6 invalid users from an IP in 30 seconds.

Jason


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Wednesday, February 04, 2004 11:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack


The interesting thing about these messages is that the ones I've seen
generally don't have multi-hop trails. They look like a zombie
connecting directly to the mail server.

The blocklists are great, but at that volume, I can't run Declude on the
messages without killing the server.  So I seem to have two options,
both of which I am using: block the IPs before the server, and issue
invalid user errors.

One other thing I noticed this evening that points to a coordinated
effort: There is very little duplication of the "to" addresses. The most
commonly duplicated address was used only about 150 times in a sample of
275,000 attempts.

This is a small domain, one of about 500 on my system, and it has maybe
eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually
blocked some very large blocks of IP addresses in those places based on
the source IPs being well distributed. But there are a lot coming from
Canada and the US, also. I've seen a lot of the usual suspects -
Comcast, Road Runner, and Rogers.

-Dave
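The two rules discussed in this thread, Jason's threshold of six invalid users from one IP within 30 seconds and Dave's observation that a distributed attack shows very little duplication of "to" addresses, as an added Python example. This is not code from the thread, from Declude or from Black ICE: the log line format, field names, sample IPs and recipient names are constructed assumptions, and the regex would need to be adapted to whatever the real mail server writes.

```python
"""Sliding-window detection of SMTP dictionary attacks.

Added example for this thread; it is not Declude, Black ICE or list code.
The log format below is a constructed stand-in (an assumption), so LINE_RE
must be adapted to whatever the real mail server logs.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one fast zombie, one slow prober, one legitimate sender.
# 550 = recipient rejected (invalid user), 250 = accepted.  Format is assumed.
SAMPLE_LOG = """\
2004-02-04 23:01:00 ip=203.0.113.7 rcpt=aaron@example.org result=550
2004-02-04 23:01:03 ip=203.0.113.7 rcpt=abby@example.org result=550
2004-02-04 23:01:05 ip=203.0.113.7 rcpt=abe@example.org result=550
2004-02-04 23:01:09 ip=203.0.113.7 rcpt=abel@example.org result=550
2004-02-04 23:01:12 ip=203.0.113.7 rcpt=abigail@example.org result=550
2004-02-04 23:01:20 ip=203.0.113.7 rcpt=abner@example.org result=550
2004-02-04 23:01:21 ip=203.0.113.7 rcpt=abraham@example.org result=550
2004-02-04 23:00:00 ip=198.51.100.9 rcpt=aaron@example.org result=550
2004-02-04 23:00:10 ip=198.51.100.9 rcpt=abby@example.org result=550
2004-02-04 23:00:20 ip=198.51.100.9 rcpt=abe@example.org result=550
2004-02-04 23:00:30 ip=198.51.100.9 rcpt=abel@example.org result=550
2004-02-04 23:00:40 ip=198.51.100.9 rcpt=abigail@example.org result=550
2004-02-04 23:00:50 ip=198.51.100.9 rcpt=abner@example.org result=550
2004-02-04 23:00:30 ip=192.0.2.44 rcpt=alice@example.org result=250
2004-02-04 23:00:35 ip=192.0.2.44 rcpt=alcie@example.org result=550
2004-02-04 23:00:36 ip=192.0.2.44 rcpt=alice@example.org result=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ip=(?P<ip>\S+) "
    r"rcpt=(?P<rcpt>\S+) result=(?P<code>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, source ip, recipient, smtp code) for each parsable line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["rcpt"], int(m["code"]))


class InvalidUserBlocker:
    """Block a source after `threshold` invalid-user rejections within `window`.

    Mirrors the rule Jason describes (6 in 30 s) with a per-IP sliding
    window; events must be fed in timestamp order.
    """

    def __init__(self, threshold=6, window=timedelta(seconds=30)):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # ip -> recent rejection timestamps
        self.blocked = {}                 # ip -> time the block was applied

    def observe(self, ts, ip, code):
        """Feed one event; return True if this event trips the block."""
        if ip in self.blocked or code != 550:
            return False
        q = self.recent[ip]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] < cutoff:        # drop rejections older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            del self.recent[ip]           # nothing more to track once blocked
            return True
        return False


def run_detector(log_text, threshold=6, window_seconds=30):
    """Replay a log and return {ip: block time} for sources that tripped the rule."""
    blocker = InvalidUserBlocker(threshold, timedelta(seconds=window_seconds))
    for ts, ip, _rcpt, code in sorted(parse_log(log_text)):
        blocker.observe(ts, ip, code)
    return blocker.blocked


def recipient_spread(events):
    """Distinct invalid recipients tried per IP, plus the most-repeated address.

    A dictionary attack spreads across many guessed names, so per-IP counts
    are high and no single address dominates (Dave's 150-in-275,000 sample);
    a legitimate sender produces at most a typo or two.
    """
    per_ip = defaultdict(set)
    overall = Counter()
    for _ts, ip, rcpt, code in events:
        if code == 550:
            per_ip[ip].add(rcpt)
            overall[rcpt] += 1
    top = overall.most_common(1)[0] if overall else (None, 0)
    return {ip: len(s) for ip, s in per_ip.items()}, top


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    for ip, when in run_detector(SAMPLE_LOG).items():
        print(f"block {ip} at {when:%H:%M:%S}")
    spread, (addr, n) = recipient_spread(events)
    print("distinct invalid recipients per ip:", spread)
    print(f"most repeated invalid address: {addr} ({n} tries)")
```

On the sample, only the fast zombie (203.0.113.7) trips the 6-in-30-seconds rule, at its sixth rejection; the slow prober stays under the window and the legitimate sender's single typo never counts. Lowering the threshold or widening the window catches the slow prober too, at the cost of more false positives. The detector only sees rejections the server has already answered, so, as Dave notes, the block itself has to be enforced in front of the server (firewall or host IDS) for the load to actually go away.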


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
