Another consideration in the "distributed dictionary attack" is that it
may simply be viral behaviour from infectees who have multiple
addressees in your domain in their address book or elsewhere on their
hard drive.

There are several viruses that fake the left hand side of the mailfrom
address, while using all the domain names that they scavenge, so a
single IP could also create lots of incoming mail for you that is either
NDR or a bounce from someone who received an NDR.

I expect that this is a light but persistent load of traffic on the
Internet today, and it won't go away soon.

Andrew.

-----Original Message-----
From: Darin Cox [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 23, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks


Yep... the only problem is that it won't help against distributed attacks
that send one message per IP, but it sounds like your problem was not that
distributed.

Darin.


----- Original Message ----- 
From: "Don Schreiner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 9:24 AM
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks


Thanks for the reply. One thing I found this morning on the IMail list was
a recent post about BlackIce settings whereby it will auto-block an IP for
3 failed non-existent user attempts within 30 seconds. The BlackIce
documentation is poor on this subject and I never figured it out myself
over the years we have been using it, but an IMail poster posted good
instructions from a fellow who apparently wrote the manual on BlackIce.
Anyhoo... I set it up this morning and have been monitoring. It is working
well so far, and at least I am now seeing only 3 log entries in the IMail
logs on non-existent users vs. hundreds per IP. I am still very concerned
that I may end up blocking legitimate IPs via zombies and am going to
watch closely for a while. The other trade-off is that BlackIce may be
working harder now; I am seeing 4-6% CPU, but I think this was typical
anyway. BlackIce also does a decent job on other things like infected Zip
signatures and attached exes etc. I feel comfortable with it as another
security layer. For example, on our SQL server we use it to block the
hundreds probing our port 1433 daily. We handle light email volume in
comparison to others here, and I am sure that if someone out there floods
us hard, the IMail box and BlackIce would not hold up. But on limited
volume and budget this may be the ticket for us for now. I know the
gateway is the "best" way to go. Thanks for the feedback - most
appreciated, and always learning here.

-Don


----- Original Message ----- 
From: "Darin Cox" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 8:59 AM
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks


A gateway is the only solution I know of for distributed dictionary
attacks. Since the attacks are coming from all over the place, there's
no IP to block.

All the gateway does is move the brunt of the attack off of the primary
mail server to the gateway server.  The gateway server should then
become your primary MX record, replacing your existing server, and the
"real" primary should be locked down to only receive SMTP traffic from
your gateway.  That way attackers who cache your MX records won't be
able to continue to hit it.

Darin.


----- Original Message ----- 
From: "Don Schreiner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 5:20 AM
Subject: [Declude.JunkMail] Blocking Dictionary Attacks


Are there any new strategies for blocking dictionary attacks with
Declude? Our log files are growing, mostly due to the following stacking
up, it seems, a zillion times over...

ERR MAIL.DOMAIN.NET invalid user

We have used BlackIce for years and it helps a lot against those that try
X number of SMTP fails in X seconds, but it does not handle all these
invalid user attempts. I searched the archives and found a good thread
back in March this year, "How do they do it?", in which Scott replied that
a Declude solution may possibly be forthcoming. We only handle about 15k
messages a day and are a small shop. Len's IMgate or another Postfix
gateway solution would be best, I know, but installing and managing a
separate Linux box is not affordable for us right now. It is difficult for
me to keep up to date with the daily posts, so I am wondering if there are
any new strategies I might have missed. Thanks!

-Don
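The 3-failures-in-30-seconds rule Don describes, applied to the "ERR MAIL.DOMAIN.NET invalid user" line from his original post, as an added example that is not part of the thread and not BlackIce's, IMail's or Declude's code. The log layout (ISO timestamp, client IP, then the message text) and the IP addresses are constructed for the demonstration; the real IMail log format is not shown on the page. The same script also shows why a per-IP rate rule does nothing against the distributed case Darin raises: sources that send one message each never reach the threshold, and every one of their attempts still lands in the log.

```python
"""Sliding-window blocking of SMTP dictionary attacks (added example).

Constructed log lines: "<ISO timestamp> <client IP> <message>". Only the
message text "ERR MAIL.DOMAIN.NET invalid user" comes from the thread; the
timestamp/IP layout is an assumption, not IMail's real log format.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

INVALID_USER = "invalid user"

# Constructed sample: one noisy source, one slow source that stays under
# the rate, and four "distributed" sources sending a single probe each.
SAMPLE_LOG = """\
2004-11-23T09:00:01 203.0.113.10 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:00:04 203.0.113.10 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:00:09 203.0.113.10 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:00:12 203.0.113.10 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:00:15 198.51.100.7 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:00:40 198.51.100.7 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:01:20 198.51.100.7 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:01:30 192.0.2.1 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:01:31 192.0.2.2 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:01:32 192.0.2.3 ERR MAIL.DOMAIN.NET invalid user
2004-11-23T09:01:33 192.0.2.4 ERR MAIL.DOMAIN.NET invalid user
"""


def parse_line(line):
    """Split a constructed log line into (timestamp, client_ip, message)."""
    ts, ip, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, msg


def find_blocks(lines, threshold=3, window_seconds=30):
    """Apply the "N invalid-user failures within W seconds" rule per client IP.

    Returns {ip: ISO timestamp of the event that triggered the block}.
    Each IP keeps a deque of recent failure times; entries older than the
    window are dropped before the count is compared with the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        ts, ip, msg = parse_line(line)
        if INVALID_USER not in msg or ip in blocked:
            continue  # not a dictionary probe, or already firewalled
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # slide the window forward
        if len(q) >= threshold:
            blocked[ip] = ts.isoformat()
    return blocked


def attempts_per_ip(lines):
    """Count invalid-user attempts per client IP over the whole log."""
    counts = Counter()
    for line in lines:
        _, ip, msg = parse_line(line)
        if INVALID_USER in msg:
            counts[ip] += 1
    return counts


def unblocked_attempts(lines, threshold=3, window_seconds=30):
    """Attempts from sources the rate rule never catches (the distributed case)."""
    blocked = find_blocks(lines, threshold, window_seconds)
    counts = attempts_per_ip(lines)
    return sum(n for ip, n in counts.items() if ip not in blocked)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_blocks(lines).items():
        print(f"block {ip} at {when}")
    print("attempts the rule cannot stop:", unblocked_attempts(lines))
```

With the sample above only 203.0.113.10 trips the rule (its third failure at 09:00:09), so its fourth probe would never be logged; the slow source and the four single-probe sources contribute seven attempts that no per-IP threshold will block, which is the load Darin's gateway suggestion is meant to absorb rather than prevent.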


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

------------------------------
CompBiz.Net scanned for Virus'
