On 18 May 2004 at 12:45, Matt wrote:
Very slick, Matt, great idea!

    -Nick Hayer



> One other thing.  Unless you have a ton of traffic (~100,000/day) or
> have people doing BCC blasts from your server to hundreds of
> addresses, there is a setting in IMail 8.x that can slow down the
> dictionary attack so that it doesn't threaten your server's ability to
> process E-mail.
> 
> On the SMTP > Advanced tab, there is a setting for "Delay between
> recipients", typically 0 by default.  This is a time in milliseconds
> and it can be increased without obvious effect for normal operation to
> a value of 500 or even 1000.  If your server can handle about 3
> messages a second over a prolonged period outside of Declude, you
> might set the value at 500 (allowing for a little extra processing
> power to handle legitimate E-mail).  This would mean that any local or
> external sender that tried to To, CC or BCC a message to say 100
> addresses on your server, would take 50 seconds just to have your
> server respond to all of the RCPT TO commands.  I had mine set to 1000
> for the longest time without any reports of problems except for one
> person that mailed out messages to just under 100 addresses (which
> would take almost 2 minutes for his E-mail program to report that the
> message was delivered).  I dropped it down a little while ago, but I'm
> going to pump it back up to 500 again.
> 
> Matt
> 
> 
> Matt wrote:
> 
> > Keith,
> >
> > I've been seeing a sharp uptick in this sort of activity as well. 
> > Typically they include about 200 generic E-mail addresses, but some
> > are now throwing thousands of addresses for a fuller attack.  If the
> > E-mail is going to a locally hosted domain, the best defense is to
> > remove the nobody alias as this will stop the attempts dead at the
> > envelope and save lots of processing power.  If this is gatewayed
> > E-mail, a solution becomes much more involved as you will need to
> > install a different product that can do address verification for
> > non-IMail addresses and reject at the envelope (and maintain a
> > database of such addresses).
> >
> > Regarding blocking the IP's, while I'm sure you could parse them out
> > of your logs, they tend to attack from zombies, and typically use
> > many at the same time.  Each attack seems to use different sets of
> > zombies as well.  My feeling is to just simply let it go on because
> > I don't want to waste too much time blocking IP's at the router or
> > SMTP envelope that change constantly.
> >
> > Matt
> >
> >
> >
> > Keith Purtell wrote:
> >
> >> I'm having a new experience with our mail server. Suddenly I'm
> >> getting numerous dictionary attacks from different IP addresses. At
> >> first I blocked the IP addresses in IMail SMTP Security, but after
> >> adding a dozen I got tired. I'd rather detect the pattern and
> >> automatically stop it that way. Any tips?
> >>
> >> Keith Purtell, Web/Network Administrator
> >> VantageMed Corporation (Kansas City office)
> >> Voice: (816) 801-5200
> >> Fax:   (816) 880-4776
> >>       (800) 525-1101
> >>
> >> CONFIDENTIALITY NOTICE: This email message, including any attachments, is
> >> for the sole use of the intended recipient(s) and may contain
> >> confidential and privileged information. Any unauthorized review,
> >> use, disclosure or distribution is prohibited. If you are not the
> >> intended recipient, please contact the sender by reply email and
> >> destroy all copies of the original message.
> >>
> >>
> >> ---
> >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >>
> >> ---
> >> This E-mail came from the Declude.JunkMail mailing list.  To
> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >> type "unsubscribe Declude.JunkMail".  The archives can be found at
> >> http://www.mail-archive.com.
> >>
> >>
> >>  
> >>
> >
> 
> -- 
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
> 
> 
> 

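The pattern Keith asks about, together with the per-recipient delay Matt describes, as an added example that is not part of the original thread: a Python sketch that counts rejected RCPT TO commands per source IP and computes how long a given "Delay between recipients" value would hold each sender. The log line layout, thresholds and addresses are constructed for illustration and are assumptions; they do not reproduce IMail's actual log format.

```python
import re
from collections import defaultdict

# Constructed layout (NOT IMail's real format):
#   "<HH:MM:SS> <source ip> RCPT TO:<address> <SMTP reply code>"
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) RCPT TO:<([^>]*)> (\d{3})$")

def summarize(lines, delay_ms=500, min_rcpts=5, reject_ratio=0.8):
    """Per source IP: RCPT count, 550 rejects, seconds spent at delay_ms, suspect flag."""
    stats = defaultdict(lambda: {"rcpts": 0, "rejected": 0, "targets": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a RCPT TO record
        _, ip, addr, code = m.groups()
        s = stats[ip]
        s["rcpts"] += 1
        s["targets"].add(addr.lower())
        if code == "550":  # unknown user rejected at the envelope
            s["rejected"] += 1
    report = {}
    for ip, s in stats.items():
        ratio = s["rejected"] / s["rcpts"]
        report[ip] = {
            "rcpts": s["rcpts"],
            "rejected": s["rejected"],
            "distinct": len(s["targets"]),
            # time the server spends answering this sender's RCPT TO commands
            "delay_seconds": s["rcpts"] * delay_ms / 1000,
            # many recipients, nearly all unknown: the dictionary-attack shape
            "suspect": s["rcpts"] >= min_rcpts and ratio >= reject_ratio,
        }
    return report

# Constructed sample: one sender guessing generic names, one ordinary sender.
GUESSES = ["admin", "info", "sales", "webmaster", "bob", "mary"]
SAMPLE = [f"12:45:0{i} 192.0.2.10 RCPT TO:<{n}@example.com> 550"
          for i, n in enumerate(GUESSES)]
SAMPLE += ["12:45:07 192.0.2.10 RCPT TO:<alice@example.com> 250",
           "12:46:00 198.51.100.7 RCPT TO:<alice@example.com> 250",
           "12:46:00 198.51.100.7 RCPT TO:<carol@example.com> 250"]

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE).items():
        print(ip, r)
```

Per-IP counts understate an attack spread across many zombies, as the thread notes, so the `delay_seconds` figure is the part that applies whichever source is used.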
