Tuesday, August 27, 2002 you wrote:
LC> On one IMail site where I admin the IMGate, I find the habitual dictionary 
LC> attacker (and I do think it is one SOB, not random attackers) seems to 
LC> attempt about 25 RCPT TO's per SMTP session, and then hangs up.

    I see lots of these as well.  There is never a real message - just
    25 or so RCPT TO's.

LC> So I figure 10, or even 5, "unknown users" per SMTP session is
LC> sufficient to detect reliably that this ip is an attacker.

    I have seen the attacker (and I do think it is only a few
    attackers) adjust their number downward in apparent response to my
    efforts to stop them.  They seem to have lots of IP's so changing
    IP's doesn't seem to bother them any.

LC> Can you imagine a valid list server sending your Imail box 5 or 10 bad 
LC> users in one SMTP session?  not very realistically

    Agreed, I only look at invalid users on the primary mail server.
    However, I use an entire day as opposed to a session which tends
    to make for a few bad entries.

    The other issue I've had is the same attacker coming in from the
    secondary servers.  This has proven especially difficult.


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
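
Added example, not part of the original messages or of IMail/IMGate: a sketch of the detection discussed in this thread, counting unknown-user rejections per source IP both per SMTP session and per day. The log format, the `flag_attackers` and `_rcpts` names, the 550 reply code as the "unknown user" marker, and the per-day threshold of 10 are assumptions made for illustration; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed log format for illustration only; it is not IMail or IMGate output.
LINE = re.compile(
    r"^(?P<day>\S+) sess=(?P<sess>\S+) ip=(?P<ip>\S+) RCPT TO:<[^>]*> (?P<code>\d{3})$"
)

def _rcpts(sess, ip, n, code="550", day="2002-08-27"):
    """Build n constructed RCPT TO log lines for one SMTP session."""
    return [f"{day} sess={sess} ip={ip} RCPT TO:<user{i}@example.com> {code}"
            for i in range(n)]

# Constructed sample traffic (documentation IP ranges).
SAMPLE = (
    _rcpts("s1", "192.0.2.10", 25)               # 25 unknown users in one session
    + _rcpts("s2", "198.51.100.7", 4)            # attacker who lowered the count:
    + _rcpts("s3", "198.51.100.7", 4)            # 4 per session, 12 over the day
    + _rcpts("s4", "198.51.100.7", 4)
    + _rcpts("s5", "203.0.113.5", 2)             # list server with 2 stale addresses
    + _rcpts("s6", "203.0.113.5", 40, code="250")  # and 40 accepted recipients
)

def flag_attackers(lines, per_session=5, per_day=10):
    """Return {ip: {"session", "day"}} for IPs reaching either threshold.

    Only 550 (unknown user) replies are counted; per_day=10 is an assumed value.
    """
    by_session, by_day = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["code"] != "550":
            continue
        by_session[(m["ip"], m["sess"])] += 1
        by_day[(m["ip"], m["day"])] += 1
    flagged = {}
    for window, counts, limit in (("session", by_session, per_session),
                                  ("day", by_day, per_day)):
        for (ip, _), n in counts.items():
            if n >= limit:
                flagged.setdefault(ip, set()).add(window)
    return flagged

if __name__ == "__main__":
    for ip, windows in sorted(flag_attackers(SAMPLE).items()):
        print(ip, sorted(windows))
```

With `per_day=2` the constructed list server at 203.0.113.5 is flagged as well, which is the false-positive cost of a day-long window.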
