Your experience agrees with what the Black Ice tech told me. Perhaps this will be a duplicate question, but I'll address it to Scott... why can't JunkMail identify and stop dictionary attacks? It would seem like stopping dictionary attacks would be a primary function of anti-spam software.
Is this planned, or even possible with future versions of JunkMail? I'm convinced that the Black Ice is not the solution for this problem.

Thanks for all the opinions!

-Joe

----- Original Message -----
From: "Terry Fritts" <[EMAIL PROTECTED]>
To: "Joe Wolf" <[EMAIL PROTECTED]>
Sent: Saturday, February 07, 2004 6:00 AM
Subject: Re[4]: [Declude.JunkMail] How do they do it?

> > I do know that his bottom line was that Black Ice wouldn't do what I
> > wanted, but he did try and sell me on the firewall and intrusion
> > detection features.
>
> I have written on this previously. Black Ice does not stop
> dictionary attacks per se. It does test errors returned from Imail
> and if the number exceeds its threshold (maximum errors returned)
> then it will temporarily blacklist the IP address. This is only
> slightly better than nothing at all. Imail apparently reports these
> either after the SMTP session or after some unknown interval or
> event. I've watched one dictionary attack hit more than 4,000 rcpt
> to errors without Black Ice being triggered.
>
> Just for the record I wrote a program which tailed the log file
> looking for rcpt to errors and would automatically then add the
> offending IP address to the Imail ACL. However, there were many
> problems with this. Just as with Black Ice the error information is
> just not available from Imail rapidly enough, i.e., the log files
> represent history. So I finally stopped it because it was more
> trouble than it was help.
>
> We also began having "0x00000008 Double Fault" errors which I
> believed had something to do with Black Ice. I turned it off and
> have never had another error since.
>
> This should be addressed inside the SMTP dialogue.
>
>
> Terry Fritts
>
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
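
The point made in the quoted reply, that rejected recipients have to be counted inside the SMTP dialogue rather than read back from the log afterwards, sketched as an added example (not code from this thread, Declude or IMail): a counter an SMTP server would call before answering each RCPT TO. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class RcptGuard:
    """Track rejected RCPT TO commands per session and per client IP (hypothetical)."""

    def __init__(self, session_limit=5, ip_limit=20, window=600, ban_secs=3600):
        self.session_limit = session_limit  # bad recipients allowed in one session
        self.ip_limit = ip_limit            # bad recipients allowed per IP per window
        self.window = window                # sliding window, seconds
        self.ban_secs = ban_secs            # length of the temporary block, seconds
        self.per_session = defaultdict(int)
        self.per_ip = defaultdict(deque)    # ip -> timestamps of rejected RCPTs
        self.banned_until = {}

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def on_rcpt(self, ip, session, accepted, now):
        """Call once per RCPT TO, before replying. Returns 'ok', 'drop' or 'ban'."""
        if self.is_banned(ip, now):
            return "ban"
        if accepted:
            return "ok"
        self.per_session[session] += 1
        hits = self.per_ip[ip]
        hits.append(now)
        while hits and hits[0] <= now - self.window:
            hits.popleft()                  # forget rejections older than the window
        if len(hits) >= self.ip_limit:
            self.banned_until[ip] = now + self.ban_secs
            return "ban"                    # refuse this IP until the ban expires
        if self.per_session[session] >= self.session_limit:
            return "drop"                   # close this session now
        return "ok"

def replay(events, guard):
    """Feed (time, ip, session, accepted) tuples; first non-ok action per IP."""
    first = {}
    for n, (now, ip, session, accepted) in enumerate(events, 1):
        action = guard.on_rcpt(ip, session, accepted, now)
        if action != "ok" and ip not in first:
            first[ip] = (action, n)
    return first

# Constructed sample: 192.0.2.10 guesses four recipients per session and
# reconnects; 198.51.100.7 is a normal sender who mistypes one address.
SAMPLE = [(t, "192.0.2.10", f"s{t // 4}", False) for t in range(40)]
SAMPLE += [(50, "198.51.100.7", "m1", False), (51, "198.51.100.7", "m1", True)]
```

Because the sample client stays under the per-session limit by reconnecting, it is the per-IP window that stops it, at the 20th rejected recipient rather than after thousands.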
