Anyone see anything like this?
I'm seeing a little of it. Most of my invalid address attempts are just
nonsense jumbled letters like [EMAIL PROTECTED] which I wouldn't count
as a dictionary attack and goes on all the time, usually only once from a
particular IP in hours. We also get a lot of invalid attempts to email
addresses that are portions of valid email addresses like
[EMAIL PROTECTED] that I would still not consider a dictionary
attempt but rather infected systems using a list of supposedly valid email
addresses as we see them over and over.
Today I have had one IP attempt many different addresses like
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], etc. that does
appear to be trying to find a valid address but our protection provided by
ASSP running in front of Imail stops these cold. That IP has reached the
second threshold blocking and did in fact hit a valid email address but that
email was rejected. Emails to invalid addresses add penalty points to the
sending IP. Once those penalty points reach the first threshold (two emails
in my configuration) within two hours, all emails from that IP are blocked
for a few hours. If the IP continues sending within that time period, and
the penalty points continue to climb, they can hit the higher second
threshold (eight emails to invalid users in two hours) that puts them on a
block list that I have configured for a 90 day retention. I can even
configure particular email addresses on my domain that will automatically
add a sending IP to the 1st threshold block list (spamaddresses), or to the
2nd threshold block list (spamtrapaddresses). I occasionally scan my logs
for invalid user attempts and using a spreadsheet, look for patterns that
would be useful as a spam address or spam trap address.
Good Luck,
Doug Traylor
----- Original Message -----
From: "David Dodell" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, July 01, 2006 11:23 AM
Subject: [IMail Forum] "SLOW" dictionary attacks
For days now, I have been watching our Imail server 9.04 being hit by
dozens of outside IPs using a dictionary attack style, which Imail can't
block.
Instead of sending multiple email addresses per session ... it tries ONE
email address, and when it fails, doesn't connect again for another 2 or
3 minutes, then tries another single address, which fails and keeps
repeating.
Since Imail sees this as a single message that fails, it doesn't detect
it as a dictionary attack.
But this is happening from a few dozen IPs that I keep blocking manually
and more pop up ... so it is taking a lot of manual work/ reading logs etc
...
Anyone see anything like this?
David
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/