> Blocking this and the thousands other IP’s is a silly job. This is an
> answer of a programmer with no experience in a real company.

Nonsense. Blocking by IP is standard practice. One preferably blocks at the edge router or firewall; if not possible, block at the stack (OS) level on the host. Blocking at the application level and expecting an application to perform its own DoS backoff once a socket has been opened and handed up the chain is a losing battle. And waiting to see what POP3 *username* is being attempted is a completely ignorant anti-DoS tactic.

The fact is that this harvesting method, when used against applications with a low max concurrent connections, is a DoS attack. Even on very modern hardware, connection starvation is completely possible; I have seen it in the wild quite recently as a result of the same sort of traffic.

Yes, the application-level measures like 'maximum failed logins' will work under mild load. If you only have a mild load, you don't have a DoS condition, however, so what's your primary worry? You might have a lone abuser trying to get into one *specific* account for targeted purposes (espionage or social mischief-making), and the application-level lockout is a worthy tactic against that scenario... because, by definition, such an attack is not happening in bulk. (And locking out a *specifically targeted* user because someone tried to compromise their account can give them a nice dose of reality.)

You can quite reasonably complain when a vendor drops support for any feature that's mildly useful. But to lament the loss of the weakest possible DoS protection -- that is, well within the same application that is being DoSed -- as if it were your only choice is technically foolish. Get an IDS/IPS and script it to hit your router, or even to update your Windows OS *stack-level* (IP Security) settings if you don't have access to your router or firewall. It's not like failed POP3 logins are difficult to detect; they're plain-text exchanges, a simple signature.

If you want your app to go so deep as to consult its user database before rejecting an abusive connection, causing collateral damage even when it works at all, it's *you* who's missing the real-world experience of a DoS.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
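
The failed-login signature described in the message above, turned into a per-source-IP detector whose output could feed a router, firewall or OS-level block list. This is an added example, not part of the original message; the log format, thresholds and addresses are constructed assumptions, and the username is deliberately ignored when counting.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format, one line per PASS reply:
#   <ISO timestamp> <source IP> <username tried> <server reply>
SAMPLE_LOG = """\
2004-03-01T10:00:00 203.0.113.7 admin -ERR
2004-03-01T10:00:01 203.0.113.7 info -ERR
2004-03-01T10:00:02 198.51.100.20 carol -ERR
2004-03-01T10:00:02 203.0.113.7 sales -ERR
2004-03-01T10:00:03 203.0.113.7 test -ERR
2004-03-01T10:00:04 203.0.113.7 webmaster -ERR
2004-03-01T10:00:09 198.51.100.20 carol +OK
2004-03-01T10:01:00 192.0.2.50 dave -ERR
2004-03-01T10:03:00 192.0.2.50 dave -ERR
2004-03-01T10:05:00 192.0.2.50 dave -ERR
2004-03-01T10:07:00 192.0.2.50 dave -ERR
2004-03-01T10:09:00 192.0.2.50 dave -ERR
garbage line that does not parse
"""

def find_abusive_ips(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was crossed} for sources to block."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "-ERR":
            continue              # malformed line or successful login
        try:
            ts = datetime.fromisoformat(parts[0])
            # Validate the address so junk never reaches a firewall rule.
            ip = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(ip, ts)  # keep the first crossing time
    return flagged

if __name__ == "__main__":
    hits = find_abusive_ips(SAMPLE_LOG.splitlines())
    for ip, when in sorted(hits.items()):
        print(f"block {ip}  (threshold crossed {when.isoformat()})")
```

Only 203.0.113.7 crosses the threshold here: the single mistyped password from 198.51.100.20 and the slow retries from 192.0.2.50 stay below it, which is the bulk-versus-targeted distinction the message draws.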
