Dave, I'm just wondering how much load it is to be rejecting these messages at the HELO, provided that you have the nobody alias turned off. That's definitely a ton of load, but if IMail hangs up on it before the message is sent, I'm thinking that the resource hit won't be that bad.
If you want to save yourself some time, and don't get any legit Chinese or Korean traffic, there's a site that has this data in Cisco ACL format as well as others:
http://www.okean.com/asianspamblocks.html
Blackholes.us has text files for other countries, Taiwan for instance, but you would need to code this up for your router from what they provide.
Matt
Jason wrote:
Try running Black ICE on the server. It does a pretty decent job of auto-blocking dictionary attacks. We have it set to close and block a connection after 6 invalid users from an IP in 30 seconds.
Jason
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Wednesday, February 04, 2004 11:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack
The interesting thing about these messages is that the ones I've seen generally don't have multi-hop trails. They look like a zombie connecting directly to the mail server.
The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. So I seem to have two options, both of which I am using: block the IPs before the server, and issue invalid user errors.
One other thing I noticed this evening that points to a coordinated effort: there is very little duplication of the "to" addresses. The most commonly duplicated address was used only about 150 times in a sample of 275,000 attempts.
This is a small domain, one of about 500 on my system, and it has maybe eight or nine mailboxes.
Country sources include a lot of Korea and Taiwan, and I have actually blocked some very large blocks of IP addresses in those places based on the source IPs being well distributed. But there are a lot coming from Canada and the US, also. I've seen a lot of the usual suspects - Comcast, Road Runner, and Rogers.
-Dave
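Added example (editor's illustration, not code from anyone in this thread, and not Black ICE, IMail or Declude code): the two observations above translate directly into a log-side detection. Jason's rule is a per-IP sliding window (6 refused recipients within 30 seconds); Dave's observation that almost every "to" address is different is a recipient-diversity ratio per source IP. The log format, the IP addresses and the recipient names below are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of SMTP RCPT outcomes (hypothetical format, not a real
# IMail log): "<date> <time> <client IP> RCPT TO:<address> <code> <text>".
SAMPLE_LOG = """\
2004-02-04 23:01:00 203.0.113.5 RCPT TO:<aaron@example.net> 550 unknown user
2004-02-04 23:01:03 203.0.113.5 RCPT TO:<abby@example.net> 550 unknown user
2004-02-04 23:01:05 203.0.113.5 RCPT TO:<adam@example.net> 550 unknown user
2004-02-04 23:01:08 203.0.113.5 RCPT TO:<alan@example.net> 550 unknown user
2004-02-04 23:01:12 203.0.113.5 RCPT TO:<alex@example.net> 550 unknown user
2004-02-04 23:01:20 203.0.113.5 RCPT TO:<amy@example.net> 550 unknown user
2004-02-04 23:01:21 203.0.113.5 RCPT TO:<andy@example.net> 550 unknown user
2004-02-04 23:02:00 198.51.100.9 RCPT TO:<sales@example.net> 250 OK
2004-02-04 23:02:10 198.51.100.9 RCPT TO:<sals@example.net> 550 unknown user
2004-02-04 23:03:30 198.51.100.9 RCPT TO:<sals@example.net> 550 unknown user
2004-02-04 23:05:00 192.0.2.77 RCPT TO:<bob@example.net> 550 unknown user
2004-02-04 23:05:10 192.0.2.77 RCPT TO:<bill@example.net> 550 unknown user
2004-02-04 23:05:20 192.0.2.77 RCPT TO:<ben@example.net> 550 unknown user
2004-02-04 23:05:30 192.0.2.77 RCPT TO:<brad@example.net> 550 unknown user
2004-02-04 23:05:40 192.0.2.77 RCPT TO:<brian@example.net> 550 unknown user
2004-02-04 23:05:50 192.0.2.77 RCPT TO:<bruce@example.net> 550 unknown user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\S+) "
    r"RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})"
)


def parse_rejects(text):
    """Return (timestamp, ip, recipient) for every RCPT refused with a 5xx code.
    Accepted recipients (2xx) are skipped; they are not evidence of guessing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("code").startswith("5"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("rcpt")))
    return events


def find_offenders(events, threshold=6, window_seconds=30):
    """Sliding-window rule: flag an IP the moment it has `threshold` refused
    recipients inside any span of `window_seconds`. Returns {ip: time flagged}.
    Refusals spaced so that no 30 s span holds 6 of them never trigger."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _rcpt in sorted(events, key=lambda e: e[0]):
        if ip in flagged:
            continue  # already decided; later lines need no more work
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop refusals that have aged out of the window
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def recipient_diversity(events):
    """Per IP: (refused attempts, distinct recipients, distinct / attempts).
    A ratio near 1.0 across many attempts is the low-duplication pattern of a
    dictionary run; a sender retrying one mistyped address scores far lower."""
    attempts = defaultdict(int)
    seen = defaultdict(set)
    for _ts, ip, rcpt in events:
        attempts[ip] += 1
        seen[ip].add(rcpt.lower())
    return {ip: (n, len(seen[ip]), len(seen[ip]) / n) for ip, n in attempts.items()}


if __name__ == "__main__":
    evs = parse_rejects(SAMPLE_LOG)
    for ip, when in find_offenders(evs).items():
        print(f"block {ip}: 6 refused recipients within 30 s, reached at {when:%H:%M:%S}")
    for ip, (n, d, ratio) in recipient_diversity(evs).items():
        print(f"{ip}: {n} refused, {d} distinct recipients, diversity {ratio:.2f}")
```

In the sample, 203.0.113.5 is flagged on its sixth refusal at 23:01:20, 192.0.2.77 is never flagged because its six refusals are 10 seconds apart and no 30-second span ever contains six of them, and 198.51.100.9 (two refusals of the same mistyped address, diversity 0.5) looks like a human typo rather than a guess. The diversity ratio is what separates the last two cases when the rate rule alone is inconclusive.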
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/