That sounds like a great idea, Jason. Do you think it will stand up to this volume?
-d

----- Original Message -----
From: "Jason" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 12:09 AM
Subject: RE: [Declude.JunkMail] Distributed Dictionary Attack

> Try running Black ICE on the server. It does a pretty decent job of
> auto blocking dictionary attacks. We have it set to close and block a
> connection after 6 invalid users from an IP in 30 seconds.
>
> Jason
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
> Sent: Wednesday, February 04, 2004 11:04 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack
>
>
> The interesting thing about these messages is that the ones I've seen
> generally don't have multi-hop trails. They look like a zombie
> connecting directly to the mail server.
>
> The blocklists are great, but at that volume, I can't run Declude on the
> messages without killing the server. So I seem to have two options,
> both of which I am using: block the IPs before the server, and issue
> invalid user errors.
>
> One other thing I noticed this evening that points to a coordinated
> effort: There is very little duplication of the "to" addresses. The most
> commonly duplicated address was used only about 150 times in a sample of
> 275,000 attempts.
>
> This is a small domain, one of about 500 on my system, and it has maybe
> eight or nine mailboxes.
>
> Country sources include a lot of Korea and Taiwan, and I have actually
> blocked some very large blocks of IP addresses in those places based on
> the source IPs being well distributed. But there are a lot coming from
> Canada and the US, also. I've seen a lot of the usual suspects -
> Comcast, Road Runner, and Rogers.
>
> -Dave
>
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
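
The rule quoted above (block after 6 invalid users from one IP in 30 seconds), as an added example that is not part of the thread and is not Black ICE's code. It also counts rejections per recipient domain, because a well-distributed source set can keep every single IP under the per-IP limit. The event format, the per-domain thresholds, the addresses and all names are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 30        # seconds (from the thread)
IP_LIMIT = 6       # invalid users per IP per window (from the thread)
DOMAIN_LIMIT = 20  # assumption: invalid users per domain per window
MIN_SOURCES = 10   # assumption: distinct IPs that make a burst "distributed"

class InvalidRcptMonitor:
    """Sliding-window counters over 'unknown user' SMTP rejections."""

    def __init__(self):
        self.by_ip = defaultdict(deque)      # ip -> rejection timestamps
        self.by_domain = defaultdict(deque)  # domain -> (timestamp, ip)
        self.blocked, self.flagged = set(), set()

    def record(self, ts, ip, rcpt):
        """Feed one rejection (events in time order); return alerts raised."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        ips, dom = self.by_ip[ip], self.by_domain[domain]
        ips.append(ts)
        dom.append((ts, ip))
        # Expire events older than the window.
        while ts - ips[0] >= WINDOW:
            ips.popleft()
        while ts - dom[0][0] >= WINDOW:
            dom.popleft()
        alerts = []
        if len(ips) >= IP_LIMIT and ip not in self.blocked:
            self.blocked.add(ip)
            alerts.append(("block_ip", ip))
        sources = {src for _, src in dom}
        # Many sources, few tries each: the per-IP rule alone misses this.
        if (len(dom) >= DOMAIN_LIMIT and len(sources) >= MIN_SOURCES
                and domain not in self.flagged):
            self.flagged.add(domain)
            alerts.append(("distributed", domain, len(sources)))
        return alerts

def replay(events):
    """Run (timestamp, ip, recipient) tuples through a fresh monitor."""
    mon = InvalidRcptMonitor()
    return mon, [a for ev in events for a in mon.record(*ev)]

def sample_events():
    """Constructed data: one noisy host, then 25 hosts with one try each."""
    burst = [(t, "192.0.2.10", f"user{t}@example.com") for t in range(6)]
    spread = [(100 + i, f"198.51.100.{i + 1}", f"name{i}@example.net")
              for i in range(25)]
    return burst + spread
```

Calling `replay(sample_events())` blocks the single noisy host and flags `example.net` as under distributed attack even though none of its 25 sources reaches the per-IP limit.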
