One other thing. Unless you have a ton of traffic (~100,000/day) or have people doing BCC blasts from your server to hundreds of addresses, there is a setting in IMail 8.x that can slow down the dictionary attack so that it doesn't threaten your server's ability to process E-mail.

On the SMTP > Advanced tab, there is a setting for "Delay between recipients", typically 0 by default. This is a time in milliseconds and it can be increased without obvious effect for normal operation to a value of 500 or even 1000. If your server can handle about 3 messages a second over a prolonged period outside of Declude, you might set the value at 500 (allowing for a little extra processing power to handle legitimate E-mail). This would mean that any local or external sender that tried to To, CC or BCC a message to say 100 addresses on your server, would take 50 seconds just to have your server respond to all of the RCPT TO commands. I had mine set to 1000 for the longest time without any reports of problems except for one person that mailed out messages to just under 100 addresses (which would take almost 2 minutes for his E-mail program to report that the message was delivered). I dropped it down a little while ago, but I'm going to pump it back up to 500 again.

Matt


Matt wrote:

Keith,

I've been seeing a sharp uptick in this sort of activity as well. Typically they include about 200 generic E-mail addresses, but some are now throwing thousands of addresses for a fuller attack. If the E-mail is going to a locally hosted domain, the best defense is to remove the nobody alias, as this will stop the attempts dead at the envelope and save lots of processing power. If this is gatewayed E-mail, a solution becomes much more involved, as you will need to install a different product that can do address verification for non-IMail addresses and reject at the envelope (and maintain a database of such addresses).

Regarding blocking the IPs, while I'm sure you could parse them out of your logs, they tend to attack from zombies, and typically use many at the same time. Each attack seems to use different sets of zombies as well. My feeling is to just simply let it go on, because I don't want to waste too much time blocking IPs at the router or SMTP envelope that change constantly.

Matt



Keith Purtell wrote:

I'm having a new experience with our mail server. Suddenly I'm getting
numerous dictionary attacks from different IP addresses. At first I blocked
the IP addresses in IMail SMTP Security, but after adding a dozen I got
tired. I'd rather detect the pattern and automatically stop it that way. Any
tips?


Keith Purtell, Web/Network Administrator
VantageMed Corporation (Kansas City office)
Voice: (816) 801-5200
Fax:   (816) 880-4776
      (800) 525-1101

CONFIDENTIALITY NOTICE: This email message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply email and destroy all copies of the original
message.



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
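The two defenses discussed in this thread, worked through as an added example (this is not code from the thread, from IMail or from Declude). The first helper is the arithmetic behind the "Delay between recipients" setting Matt describes: the server holds each RCPT TO reply for the configured number of milliseconds, so a message to N local recipients costs the sender about N times that delay. The second is the kind of pattern detection Keith asked for: once the nobody (catch-all) alias is gone and unknown recipients are rejected at the envelope, the rejections become visible in the SMTP log, and an IP whose RCPT TO attempts are mostly rejected looks very different from a legitimate bulk sender hitting real addresses. The log line format, the sample log, the thresholds and the IP addresses are all constructed for this example; it is not IMail's log format, so `parse_rcpt_line()` would need adapting to real server logs.

```python
"""Added example for the Declude.JunkMail thread on dictionary attacks.
Not code from the thread, IMail or Declude.  The RCPT TO log format and
the sample log below are constructed for illustration only."""
import re
from collections import defaultdict

# Constructed line format: "<remote-ip> RCPT TO:<address> <smtp-reply-code>"
# (an assumption for this example; adapt to your own server's log layout)
RCPT_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT TO:<(?P<addr>[^>]+)> (?P<code>\d{3})$"
)


def rcpt_session_seconds(recipients: int, delay_ms: int) -> float:
    """Seconds a sender waits for all of its RCPT TO replies when the server
    delays each reply by delay_ms.  100 recipients at 500 ms is 50 s; at
    1000 ms it is 100 s, the 'almost 2 minutes' mentioned in the thread."""
    if recipients < 0 or delay_ms < 0:
        raise ValueError("recipients and delay_ms must be non-negative")
    return recipients * delay_ms / 1000.0


def parse_rcpt_line(line: str):
    """Return (ip, address, accepted) for a RCPT TO record in the constructed
    format, or None for any line that is not such a record."""
    m = RCPT_LINE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"))
    return m.group("ip"), m.group("addr"), 200 <= code < 300


def flag_dictionary_attacks(lines, min_rcpt=50, min_unknown_ratio=0.8):
    """Total RCPT TO attempts and envelope rejections per remote IP and flag
    IPs that tried at least min_rcpt recipients of which min_unknown_ratio
    or more were rejected.  Returns {ip: (attempted, rejected)}.
    A legitimate bulk sender has a low rejection ratio and is not flagged
    even when it exceeds min_rcpt.  Thresholds are example values."""
    totals = defaultdict(lambda: [0, 0])  # ip -> [attempted, rejected]
    for line in lines:
        parsed = parse_rcpt_line(line)
        if parsed is None:
            continue
        ip, _addr, accepted = parsed
        totals[ip][0] += 1
        if not accepted:
            totals[ip][1] += 1
    return {
        ip: (attempted, rejected)
        for ip, (attempted, rejected) in totals.items()
        if attempted >= min_rcpt and rejected / attempted >= min_unknown_ratio
    }


def constructed_sample_log():
    """Constructed sample: one legitimate bulk sender (95 real recipients and
    5 typos) and two zombies walking through made-up local parts.  All IPs
    are from documentation ranges and exist only for this example."""
    lines = [f"198.51.100.7 RCPT TO:<user{i}@example.com> 250" for i in range(95)]
    lines += [f"198.51.100.7 RCPT TO:<typo{i}@example.com> 550" for i in range(5)]
    lines += [f"203.0.113.5 RCPT TO:<guess{i}@example.com> 550" for i in range(200)]
    lines += [f"203.0.113.9 RCPT TO:<bob{i}@example.com> 550" for i in range(60)]
    lines.append("203.0.113.9 RCPT TO:<bob@example.com> 250")
    lines.append("this line is not a RCPT record and is skipped")
    return lines


if __name__ == "__main__":
    print(f"100 recipients at 500 ms: {rcpt_session_seconds(100, 500):.0f} s")
    for ip, (attempted, rejected) in flag_dictionary_attacks(constructed_sample_log()).items():
        print(f"{ip}: {rejected}/{attempted} recipients rejected, "
              f"{rcpt_session_seconds(attempted, 500):.0f} s of RCPT delay at 500 ms")
```

Note what the detector does and does not buy you: it needs the envelope rejections that only exist once the catch-all alias is removed, and, as the thread points out, a flagged IP list goes stale quickly when each attack comes from a fresh set of zombies. The per-recipient delay is the defense that works regardless of which IP the next attempt comes from, at the cost the thread also names: a legitimate sender addressing 100 local recipients waits the same 50 seconds.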