Keith,
I've been seeing a sharp uptick in this sort of activity as well. Typically they include about 200 generic E-mail addresses, but some are now throwing thousands of addresses for a fuller attack. If the E-mail is going to a locally hosted domain, the best defense is to remove the nobody alias as this will stop the attempts dead at the envelope and save lots of processing power. If this is gatewayed E-mail, a solution becomes much more involved as you will need to install a different product that can do address verification for non-IMail addresses and reject at the envelope (and maintain a database of such addresses).
Regarding blocking the IPs, while I'm sure you could parse them out of your logs, they tend to attack from zombies, and typically use many at the same time. Each attack seems to use different sets of zombies as well. My feeling is to just simply let it go on because I don't want to waste too much time blocking IPs at the router or SMTP envelope that change constantly.
Matt
Keith Purtell wrote:
I'm having a new experience with our mail server. Suddenly I'm getting numerous dictionary attacks from different IP addresses. At first I blocked the IP addresses in IMail SMTP Security, but after adding a dozen I got tired. I'd rather detect the pattern and automatically stop it that way. Any tips?
Keith Purtell, Web/Network Administrator VantageMed Corporation (Kansas City office) Voice: (816) 801-5200 Fax: (816) 880-4776 (800) 525-1101
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
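An added example, not part of either message above: a small Python model of the two points in this thread, the effect of a catch-all ("nobody"-style) alias on envelope replies and the per-session pattern of unknown recipients that identifies a dictionary run. The session tuples, the `example.test` addresses, the `catch_all` flag and the `min_unknown` threshold are all assumptions made for illustration; this is not IMail's log format or configuration.

```python
from collections import defaultdict

# Constructed sample data (not IMail's log format): local mailboxes and the
# RCPT TO attempts seen per SMTP session as (session_id, client_ip, recipient).
LOCAL_USERS = {"keith", "sales", "support"}
ATTEMPTS = [
    ("s1", "192.0.2.10", "keith@example.test"),
    ("s2", "198.51.100.7", "admin@example.test"),
    ("s2", "198.51.100.7", "info@example.test"),
    ("s2", "198.51.100.7", "john@example.test"),
    ("s2", "198.51.100.7", "sales@example.test"),
    ("s2", "198.51.100.7", "mary@example.test"),
    ("s3", "203.0.113.44", "bob@example.test"),
    ("s3", "203.0.113.44", "webmaster@example.test"),
    ("s3", "203.0.113.44", "test@example.test"),
    ("s3", "203.0.113.44", "jane@example.test"),
]

def is_local(recipient):
    """True when the local part names a real mailbox."""
    return recipient.split("@", 1)[0].lower() in LOCAL_USERS

def envelope_reply(recipient, catch_all):
    """SMTP reply for one RCPT TO; catch_all models a 'nobody'-style alias."""
    return 250 if (is_local(recipient) or catch_all) else 550

def summarize(attempts, catch_all, min_unknown=3):
    """Return (accepted, rejected, flagged) where flagged lists sessions
    that addressed at least min_unknown nonexistent mailboxes."""
    accepted = rejected = 0
    unknown = defaultdict(int)
    session_ip = {}
    for sid, ip, rcpt in attempts:
        session_ip[sid] = ip
        if envelope_reply(rcpt, catch_all) == 250:
            accepted += 1
        else:
            rejected += 1
        # Count unknown recipients regardless of the reply, so the pattern
        # is visible even while a catch-all is accepting everything.
        if not is_local(rcpt):
            unknown[sid] += 1
    flagged = sorted((s, session_ip[s], n) for s, n in unknown.items() if n >= min_unknown)
    return accepted, rejected, flagged

if __name__ == "__main__":
    for catch_all in (True, False):
        print("catch_all =", catch_all, summarize(ATTEMPTS, catch_all))
```

With the catch-all in place every recipient is accepted and goes on to full processing; without it only the two real mailboxes are accepted, while the flagged sessions are the same either way and come from different addresses.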
