I would suggest not using Blackice to deal with spam issues, and using an anti-spam gateway that has greylisting, tarpiting, abuse detection and prevention, and address validation.  Here's a list of products that have those capabilities that I know of:
Alligate Gateway
MS SMTP/Vamsoft ORF
IMgate (or other open source Linux MTAs with anti-spam connection handling)
I use Alligate Gateway and I swear by it.  It blocks on average about 92% to 94% of connections to my gateways and the only FPs are caused by seriously non-compliant senders (not tolerating tarpitting of less than 1 minute if triggered and not spooling/retrying if greylisting is triggered).  I'm not aware of Declude Interceptor yet supporting all of the capabilities that I outlined, but I would imagine that they are at least looking into these things.

IMO, it is dangerous to block IPs for more than a very short time due to bad address attempts because there is plenty of this that happens from legitimate servers and from even one's own clients.  The only time to place a time-based block for an IP should be when a mail bombing attempt is detected, and these are very rare.  Spammers doing brute force spam attacks (aka dictionary attacks) almost always do this in a distributed manner and most don't hit a server more than once per day for a 1 minute or less period with a particular IP.  So blocking those IPs does little.  My gateway handles up to 1.1 million connections a day, and I average around 700 concurrent connections, and the software averages maybe 5% CPU utilization on my box.  My box also doles out about 2/3 of a year's worth of tarpit time every day.  This hampers spammers so much that many of them now disconnect after a very short period of being tarpitted.  I have only had to whitelist one host from these protections in around 6 months of operation, so it takes care of itself.

Matt
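The greylisting and sub-minute tarpitting Matt describes above, written out as a small in-memory policy engine a gateway could consult per RCPT command. This is an added example, not code from Alligate, Declude or Blackice; the delay thresholds and the sample addresses are assumptions chosen for illustration.

```python
# Added example (not Alligate, Declude or Blackice code): greylist and
# tarpit decisions for an SMTP gateway. Thresholds below are assumptions.
import time

GREYLIST_MIN_DELAY = 300      # seconds before a retried triplet is accepted
GREYLIST_EXPIRY = 4 * 3600    # forget a triplet whose sender never retried
TARPIT_STEP = 5               # seconds added per invalid recipient from one IP
TARPIT_MAX = 55               # stay under 1 minute so compliant MTAs do not give up


class GatewayPolicy:
    def __init__(self, valid_recipients):
        self.valid = {r.lower() for r in valid_recipients}
        self.triplets = {}   # (ip, sender, rcpt) -> first-seen timestamp
        self.bad_rcpt = {}   # ip -> count of invalid recipient attempts

    def greylist(self, ip, sender, rcpt, now=None):
        """SMTP reply for a triplet: temp-fail the first attempt and accept
        once the sender has spooled and retried after the minimum delay."""
        now = time.time() if now is None else now
        key = (ip, sender.lower(), rcpt.lower())
        first = self.triplets.get(key)
        if first is None or now - first > GREYLIST_EXPIRY:
            self.triplets[key] = now          # new or stale triplet: start over
            return "451 4.7.1 Greylisted, please retry later"
        if now - first < GREYLIST_MIN_DELAY:
            return "451 4.7.1 Greylisted, please retry later"
        return "250 2.1.5 Recipient OK"

    def tarpit_delay(self, ip, rcpt):
        """Seconds to stall before replying: none for a valid address, growing
        per invalid address from the same IP (dictionary attack), but capped so
        a legitimate server with one bad address is not driven away."""
        if rcpt.lower() in self.valid:
            return 0
        self.bad_rcpt[ip] = self.bad_rcpt.get(ip, 0) + 1
        return min(TARPIT_STEP * self.bad_rcpt[ip], TARPIT_MAX)


def demo():
    """Walk one compliant sender through greylisting and one address
    guesser through the tarpit, using constructed sample values."""
    gw = GatewayPolicy(["alice@example.com"])
    t0 = 1_000_000
    replies = [gw.greylist("198.51.100.7", "bob@example.org", "alice@example.com", t0 + dt)
               for dt in (0, 60, 600)]           # first try, early retry, proper retry
    delays = [gw.tarpit_delay("203.0.113.9", f"user{i}@example.com") for i in range(12)]
    return replies, delays
```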



Jay Sudowski - Handy Networks LLC wrote:
Well, it didn't run for us.  We tried and it caused random BSOD and ISS
wouldn't provide any support.

-Jay


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 7:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Blackice runs perfect on Windows 2003 server.  I posted the install
instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection
as part of their spam checking.  In that case, you might see 2 connections
which would be legitimate.

What setting did you change in blackice to drop those IPs with multiple
connections?



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay
Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 7:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Of course, BlackIce does not support Windows 2003.

-Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Craig Edmonds
Sent: Thursday, October 12, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
Importance: High

That's why I now use Blackice Server from IIS.

It can detect multiple SMTP connections and close IPs down
automatically.

It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our
server.  I then did a reverse IP to find out where they were from.

Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of
the IPs connected were for potentially legitimate email.  We don't get any
legitimate email from other countries so everything not from the USA
would be spam.

Any idea why a spammer would open more than one SMTP connection?


202.139.211.241	5	Thailand
88.0.230.26	4	Spain
71.55.71.138	2	USA
87.219.166.9	2	Spain
213.85.39.108	1	Russian Federation
84.77.107.183	1	Spain
83.131.106.234	1	Croatia
84.61.135.61	1	Germany
83.84.74.219	1	Netherlands
90.9.36.180	1	France
83.167.108.79	1	Russian Federation
67.172.162.33	1	USA
84.54.248.96	1	Russian Federation
86.75.242.215	1	France
201.208.171.250	1	Venezuela
88.204.240.177	1	Kazakhstan
82.158.0.237	1	Spain
69.30.246.125	1	USA
200.168.86.224	1	Brazil
83.167.108.44	1	Russian Federation
75.41.79.203	1	USA
200.206.252.123	1	Brazil
84.60.109.148	1	Germany





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.