Blocking IPs without sending a 5xx response is a last resort
hmm, "last" can be "second". :))
Blocking IPs at TCP level, rather than blocking IPs and PTR hostnames at SMTP level, is a very effective, very efficient way of blocking. Highly recommended.
Am I missing something here, or in the case of Hotmail (with 10 MX records), wouldn't you see 960 connection attempts if E-mail is re-tried every 30 minutes for 2 days (which I believe is the default with IMail)?
They must be blocking blocks of IPs.
Unlikely -- causing 100K of traffic to block a single 2K E-mail is plain dumb.
Refusing TCP connections, esp with no response to first TCP incoming packet, "stealth", at edge routers is very efficient.
How is processing 100K of traffic on the routers more efficient than having the routers and the mailserver process 2K of traffic?
And it really maximally tarpits the attackers since their SMTP clients have to wait, usually, for TCP timeouts that the apps don't have control over. Maximally wasting the attackers' resources while maximally conserving your own.
If the TCP packet is dropped, yes (and is a very interesting concept). Hotmail, though, is rejecting the connection outright rather than dropping it.
-Scott
