Am I missing something here, or in the case of Hotmail (with 10 MX records), wouldn't you see 960 connection attempts if E-mail is re-tried every 30 minutes for 2 days (which I believe is the default with IMail)?

yes, but you're looking from the POV of the attacker.


MS's edge router sees a packet coming from an IP in the dyn.optonline.net block and could simply drop the packet silently. That's very cheap for MS to do. One SMTP connection attempt is one MS-dropped packet. Nobody's counting 960 dropped TCP packets in the volumes of packets crossing MS routers.


They must be blocking blocks of IPs.

Unlikely -- causing 100K of traffic to block a single 2K E-mail is plain dumb.

Refusing TCP connections, esp with no response to first TCP incoming packet, "stealth", at edge routers is very efficient.

How is processing 100K of traffic on the routers more efficient than having the routers and the mailserver process 2K of traffic?

You're working at the wrong level. TCP connections are refused at the edge, and the MX IP, and above all the SMTPD server app, never see a single byte.


And it really maximally tarpits the attackers, since their SMTP clients have to wait, usually, for TCP timeouts that the apps don't have control over. Maximally wasting the attacker's resources while maximally conserving your own.

If the TCP packet is dropped, yes (and is a very interesting concept).

So interesting that this concept has been moved into practice by dozens of IMGate operators, has been for a couple of years.


Hotmail, though, is rejecting the connection outright rather than dropping it.

Well, MS has never demonstrated much system design sense, let alone innovation. :)


Here's a snippet of an IMGate report about sender_address_verification (SAV) rejects:

1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:
1 dyn-adsl-251.231.jet2.net[207.164.251.231]:   <[EMAIL PROTECTED]>:

So my PTR regex earlier this thread would have blocked this attacker, since this PTR matches both "dyn" and "dsl".

Hey, Scott, does Junkmail have a rule for detecting when sender@ is alphabet soup?

Len
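As an added illustration, not code from the thread, from IMGate or from IMail, here is a small Python script that applies the two heuristics the post talks about to report lines of the shape shown above: a PTR pattern that matches dynamic-pool and DSL style reverse names (the actual regex from earlier in the thread is not on this page, so the pattern below is a hypothetical reconstruction), and a rough "alphabet soup" test for random-looking sender local parts. The report lines it parses are constructed for the example, using documentation addresses, and follow the `count hostname[ip]:   <sender>:` layout of the snippet.

```python
"""Classify SAV-reject report lines by PTR name and sender local part.

Added example; the PTR regex is a hypothetical stand-in for the one
mentioned earlier in the thread, and the sample report is constructed.
"""
import re

# Hypothetical PTR regex: reverse names typical of dynamic / DSL / cable pools.
DYNAMIC_PTR = re.compile(r"(dyn|dsl|dial|pool|ppp|cable)", re.IGNORECASE)

# One report line: count, hostname[ip], then the sender in angle brackets.
REPORT_LINE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<host>\S+)\[(?P<ip>[\d.]+)\]:\s+<(?P<sender>[^>]*)>:"
)

VOWELS = set("aeiou")

# Constructed sample report (documentation IPs and example domains).
SAMPLE_REPORT = """\
3 dyn-adsl-251.231.example.net[192.0.2.231]:   <hdq7xk2p@example.org>:
1 dyn-adsl-251.231.example.net[192.0.2.231]:   <zqxvbkt38@example.org>:
1 mail.example.com[198.51.100.10]:   <support@example.com>:
2 pool-10-20.cable.example.net[203.0.113.77]:   <john.smith@example.org>:
this line is not a report entry
"""


def parse_report_line(line):
    """Return the line's fields as a dict, or None if it is not a report entry."""
    m = REPORT_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["count"] = int(fields["count"])
    return fields


def is_dynamic_ptr(host):
    """True if the reverse name looks like a dynamic / DSL pool address."""
    return bool(DYNAMIC_PTR.search(host))


def is_alphabet_soup(localpart, min_len=6, max_vowel_ratio=0.2, max_consonant_run=6):
    """Heuristic for random-looking local parts.

    Flags a local part that is long enough and whose letters are either
    almost all consonants or contain a long unbroken consonant run.
    Digits and punctuation are ignored; real names such as john.smith
    pass, while strings like hdq7xk2p are flagged.  It is a heuristic,
    so expect occasional misses on short or unusual real names.
    """
    if len(localpart) < min_len:
        return False
    letters = [c for c in localpart.lower() if c.isalpha()]
    if not letters:
        return False  # purely numeric local parts are not judged here
    vowels = sum(1 for c in letters if c in VOWELS)
    longest_run = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return vowels / len(letters) <= max_vowel_ratio or longest_run >= max_consonant_run


def summarize(lines):
    """Aggregate report lines per source host.

    Returns {host: {"ip", "rejects", "dynamic_ptr", "soup_senders"}};
    lines that do not parse are skipped.
    """
    per_host = {}
    for line in lines:
        entry = parse_report_line(line)
        if entry is None:
            continue
        host = entry["host"]
        stats = per_host.setdefault(
            host,
            {"ip": entry["ip"], "rejects": 0, "dynamic_ptr": is_dynamic_ptr(host), "soup_senders": 0},
        )
        stats["rejects"] += entry["count"]
        localpart = entry["sender"].split("@", 1)[0]
        if is_alphabet_soup(localpart):
            stats["soup_senders"] += 1
    return per_host


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_REPORT.splitlines()).items():
        print(host, stats)
```

Run against the sample, the dyn-adsl host is flagged on both counts (dynamic PTR, two soup-looking senders), the cable pool host only on PTR, and mail.example.com on neither; the unparseable trailing line is skipped rather than treated as a reject.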


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/