Nick and I are working on a log parser that identifies the IPs of dictionary attacks in ORF, imports them into a zone file, and then ORF uses that zone file to give a "temporarily unavailable" response, which should protect from mistakes, if any are made, while effectively blocking a dictionary attack, since they won't retry. Nick has already done the heavy lifting of the log parsing, which we will schedule to run regularly, and I'm going to write something to parse the list of IPs into a DNS zone, remove expired listings, and reload the zone.
There are only two small pieces that need to be figured out. One is how best to detect a dictionary attack; we're 90% there, but I think we can lower the threshold for listing an IP by tracking other aspects besides simply frequency. The other is how to use the Windows 2000 Resource Kit tool to "reload" a DNS zone from within a VBS file, although I might have learned enough about scripting since I last looked at this to make this work. I suppose that one could even just update the HOSTS file, as long as the list is short and you have the 'anything but' empty zone located on a real server... hey, I kind of like that idea as a quick fix, but the real zone is better for a distributed system.
BTW, the batch file deletion routine is working well, though it still has 2/3 of the 48 strings to go.
Matt
Sanford Whiteman wrote:
Matt,
Here is a very "Sandy" way to get what you want (no Badmail at all).
1) Use MetaEdit to change the Badmail directory to C:\Inetpub\Mailroot\Badmail\NUL and restart SMTPSVC.
2) The above step will trigger event ID 428 "Badmail is suspended" events in the event log for every SMTP session. This isn't such a big deal IMO, but you can just turn off these errors with this utility:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/exctrlst-o.asp
--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/
Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
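As an added illustration of the pipeline Matt describes (detect a dictionary attack from the log, list the IP with an expiry, emit a DNS zone ORF can consult), here is a small Python sketch. It is not Matt's or Nick's parser and not ORF's or Declude's code, and it is in Python rather than the VBS the thread discusses. Everything in it is an assumption for the demo: the log line layout is constructed (ORF's real log format is not shown on the page), the thresholds are chosen to show the "more than just frequency" idea (a high rejection count lists on its own; a lower count lists only when almost every RCPT was for an unknown recipient and the guesses hit many distinct addresses), and the zone is written DNSBL-style (reversed octets under the zone, pointing at 127.0.0.2). The actual zone reload is left to whatever tool the scheduled job uses.

```python
"""Dictionary-attack listing: parse SMTP recipient log lines, flag attackers,
expire old listings, and emit a DNSBL-style zone file.  Example code only."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line layout for this example; it is NOT ORF's real log format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"RCPT (?P<rcpt>\S+) (?P<result>ACCEPT|REJECT)(?: (?P<reason>\S+))?$"
)

# Thresholds are assumptions chosen for the demo, not values from the thread.
HARD_REJECTS = 10               # this many unknown-recipient rejects lists on frequency alone
SOFT_REJECTS = 5                # lower bar, but only with the two extra signals below
SOFT_RATIO = 0.8                # share of all RCPTs that were unknown recipients
SOFT_DISTINCT = 5               # distinct guessed addresses (harvesting, not one typo)
WINDOW = timedelta(minutes=10)  # only count recent events
LISTING_TTL = timedelta(hours=24)


def constructed_log():
    """Constructed sample traffic from four senders (documentation IPs, no real users)."""
    t0 = datetime(2004, 3, 1, 10, 0, 0)
    lines = []

    def add(ip, sec, rcpt, result, reason=None):
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} {ip} RCPT {rcpt} {result}" + (f" {reason}" if reason else ""))

    add("203.0.113.7", 1, "alice@example.com", "ACCEPT")   # ordinary sender
    add("203.0.113.7", 2, "bob@example.com", "ACCEPT")
    for i, n in enumerate(["aaron", "abby", "adam", "adrian", "alan", "albert"]):
        add("198.51.100.9", 10 + i, f"{n}@example.com", "REJECT", "unknown-recipient")  # harvester
    for i, n in enumerate(["carol", "carrol", "caroll"]):
        add("192.0.2.33", 20 + i, f"{n}@example.com", "REJECT", "unknown-recipient")    # typos
    for i in range(20):
        add("192.0.2.50", 30 + i, f"user{i}@example.com", "ACCEPT")                     # list host
    for i in range(6):
        add("192.0.2.50", 50 + i, f"gone{i}@example.com", "REJECT", "unknown-recipient")  # stale subs
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Return RCPT events as dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def find_attackers(events, now):
    """Map IP -> 'hard' or 'soft' for IPs that look like dictionary attacks."""
    per_ip = defaultdict(lambda: {"accept": 0, "reject": 0, "rcpts": set()})
    for e in events:
        if now - e["ts"] > WINDOW:
            continue
        s = per_ip[e["ip"]]
        if e["result"] == "REJECT" and e["reason"] == "unknown-recipient":
            s["reject"] += 1
            s["rcpts"].add(e["rcpt"].lower())
        elif e["result"] == "ACCEPT":
            s["accept"] += 1
    hits = {}
    for ip, s in per_ip.items():
        total = s["accept"] + s["reject"]
        ratio = s["reject"] / total if total else 0.0
        if s["reject"] >= HARD_REJECTS:
            hits[ip] = "hard"
        elif s["reject"] >= SOFT_REJECTS and ratio >= SOFT_RATIO and len(s["rcpts"]) >= SOFT_DISTINCT:
            hits[ip] = "soft"  # a busy list host with a few stale addresses never gets here
    return hits


def update_listings(listings, hits, now):
    """listings: dict ip -> last time it was listed.  Refresh hits, drop expired entries."""
    for ip in hits:
        listings[ip] = now
    for ip in list(listings):
        if now - listings[ip] > LISTING_TTL:
            del listings[ip]
    return listings


def build_zone(listings, zone, serial):
    """DNSBL-style zone text: each listed IP appears octet-reversed with A 127.0.0.2."""
    out = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns1.{zone}. hostmaster.{zone}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS ns1.{zone}.",
    ]
    for ip in sorted(listings, key=lambda a: tuple(int(o) for o in a.split("."))):
        out.append(f"{'.'.join(reversed(ip.split('.')))} IN A 127.0.0.2")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    now = datetime(2004, 3, 1, 10, 5, 0)
    hits = find_attackers(parse_log(constructed_log()), now)
    listings = update_listings({}, hits, now)
    print(build_zone(listings, "dict.example", int(now.timestamp())))  # serial must only go up
```

The serial in the SOA has to increase on every rewrite or secondaries keep serving the old zone; a Unix timestamp does that without the day-counter bookkeeping of the YYYYMMDDnn convention. Because an IP is only refreshed while it keeps attacking, a sender listed by mistake drops out on its own after LISTING_TTL, which is the "protect from mistakes" property Matt wants from the temporary-failure response.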
