Scott, your description is what I am seeing here. Spent about 2-3 hours last night blocking addresses, but they kept changing the address. Blocked 50-60 addresses, none from the same subnet or even close.
I guess I have to wait for your new program. Will that be a new feature in Declude Hijack?

Heimir

---------- Original Message ----------------------------------
From: "R. Scott Perry" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Thu, 13 Jun 2002 09:38:32 -0400

>
>>We are under a bruteforce dictionary attack. Has been going on
>>for the last 24 hours.
>
>That's getting more and more common these days.
>
>>They are pretty good since they change ip address for every
>>connection and only try 25 email addresses.
>
>That, too, is getting more common. We call them "hacker spammers" --
>spammers that break into lots of computers for a distributed dictionary
>attack. Some have so many compromised computers that they don't bother with
>the dictionary attack, they just spew their spam to all the addresses, and
>don't care that 95% or so isn't delivered.
>
>>We are not using SMTP Authentication yet but it is in the plans for
>>the next 2 weeks or so.
>>
>>Any idea on how to stop this?
>
>It is very, very difficult to stop if it is distributed like that. We are
>working on a program that is designed to detect dictionary attacks (and
>other types of problems, such as people trying to hack a password via
>POP3). But in a case like yours, it is very difficult, because they are
>coming from different IPs, and it is possible on some systems to have 25
>invalid E-mail addresses in a delivery (from some of the larger mailing lists).
>
>You can start blocking all the IPs, but that is very tedious with a
>distributed attack like this.
>
> -Scott
>---
>Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
>IMail. http://www.declude.com
>
>---
>[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html
>to be removed from this list.
>
>An Archive of this list is available at:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>Please visit the Knowledge Base for answers to frequently asked
>questions: http://www.ipswitch.com/support/IMail/
>

________________________________________________________________
Sent via the WebMail system at i360.net
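
An added example, not part of the original thread and not Declude's program: a sketch of detecting the pattern described above by counting distinct source IPs whose connections consist mostly of unknown recipients, instead of counting per IP. The event tuple layout, the thresholds and the sample data are assumptions constructed for illustration; real input would be parsed from the mail server's SMTP log.

```python
from collections import deque

def is_probe(rcpts, unknown, min_rcpts=10, bad_ratio=0.8):
    """One connection looks like address guessing: many RCPTs, most unknown.
    A ratio (not a raw count) keeps a large mailing-list delivery with
    25 stale addresses out of the result."""
    return rcpts >= min_rcpts and unknown / rcpts >= bad_ratio

def find_distributed_attack(events, window=3600, min_ips=20):
    """events: (epoch_seconds, source_ip, rcpt_count, unknown_rcpt_count).
    Return the set of probing IPs if at least min_ips distinct ones fall
    inside one sliding window of `window` seconds, else an empty set."""
    probes = sorted((t, ip) for t, ip, rcpts, unknown in events
                    if is_probe(rcpts, unknown))
    recent, best = deque(), set()
    for t, ip in probes:
        recent.append((t, ip))
        while recent[0][0] < t - window:   # drop probes older than the window
            recent.popleft()
        ips = {p_ip for _, p_ip in recent}
        if len(ips) > len(best):
            best = ips
    return best if len(best) >= min_ips else set()

def sample_events():
    """Constructed data: documentation-range IPs, invented timestamps."""
    events = []
    # 40 connections, each from a different IP, 25 recipients, 24 unknown
    for i in range(40):
        events.append((1000 + i * 30, f"198.51.100.{i + 1}", 25, 24))
    # One large mailing-list delivery: 25 unknown out of 400 recipients
    events.append((1500, "192.0.2.10", 400, 25))
    # Ordinary senders: a couple of valid recipients each
    for i in range(20):
        events.append((1000 + i * 60, f"203.0.113.{i + 1}", 2, 0))
    return events

if __name__ == "__main__":
    hits = find_distributed_attack(sample_events())
    print(f"{len(hits)} probing IPs in one window")
```

The returned set is still one IP per connection, so it supports alerting and temporary rejection policy rather than replacing the manual per-IP blocking described in the thread.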
