----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 21, 2004 09:50
Subject: Re: [IMail Forum] Dictionary Attacks and MX Records

> >Having been subjected to weeks of non-stop dictionary attacks, I've now been
> >working on something of a solution by scanning the IMail log file for
> >rejections and attempting to determine which IPs are nailing us. Part of
> >this is doing some DNS lookups, if the overhead isn't too terrible. I know
> >right off the bat that I won't accept inbound connections from any server
> >without a reverse entry, but was wondering whether it is safe to block hosts
> >that do not have MX records?
>
> Just so you are aware, there are still some legitimate mailservers out
> there with no reverse DNS entry. A lot less than a year or so ago, but
> they are there.

I was afraid of that.

> As for MX records, are you looking at the HELO, MAIL FROM, or something
> else? HELO may have an A record instead of an MX record, so you would need
> to check both. MAIL FROM is the same (since it is technically OK to have
> an A record in lieu of an MX record).

Actually, at the moment, considering the sheer number of IPs nailing us, I'm parsing strictly the ERR rejection records in the log file for date, time and IP address. I'm pondering using moving averages to try to determine who is hitting us. The problem with that scheme is that many of the addresses will only do half a dozen hits at a shot, while others will blast us hundreds of times a day. A lot of stuff may slip under the radar.

I'm pondering a scheme of splicing the IMail log every five minutes, reading that small chunk to try to catch attacks as they occur.

I goofed up a test script on Friday which ran through all the rejections for four days prior and came up with a list of 67000 addresses that had nailed us and did not have reverse entries or MX records. I tossed these in the SMTPD32.acc file and did have some impact, though I can see I'm going to have to grow that list to at least three or four times that to really see an impact.

We're looking at putting in a faster router using Linux or something like that which can allow us to block these connections on something other than the mailserver. I don't want to be a heavy-handed Road Runner-style ISP, but at the same time we're getting to the point that when we're really getting clobbered the SMTP server becomes nonresponsive. Heavy-handedness may be the only choice I have at the end of the day. I will build some sort of whitelist to which I will gladly add servers caught in my net, but I'm going to have to have a net or, if this problem grows, our mail server will collapse. If that means that a few legit servers without MXs get caught, then (and I hate to hear myself say it), that's tough. Until ISPs start taking responsibility for the shit flying off their customers' machines, there isn't too much of a choice.

> >[EMAIL PROTECTED]
>
> FYI. :)

Whoops.

--
A. Clausen
[EMAIL PROTECTED]
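A worked illustration of the log-scanning scheme described in the thread (pull date, time and IP out of the ERR rejection records, judge each address over a sliding five-minute window rather than a daily total, check reverse DNS only on the addresses that cross the threshold, and exempt a whitelist of known-good servers). This is an added example for this archived discussion, not code from either poster or from Ipswitch. The IMail log line shape, the `SMTPD(...)` session tag, the sample records and the `fake_resolver` stand-in are all constructed assumptions, since the thread shows no actual log line; adjust `LOG_LINE` to match a real SMTPD log before relying on it.

```python
import re
import socket
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMED log line shape (not IMail's documented format; adjust to your log):
#   "MM/DD/YY HH:MM:SS SMTPD(session) [ip] ERR|OK free text"
LOG_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"SMTPD\S* \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<status>ERR|OK)\b"
)

# Constructed sample slice: one burst from 192.0.2.10, a smaller burst from
# 203.0.113.9, a junk line, and slow-drip rejections from 198.51.100.7.
SAMPLE_LOG = """\
06/21/04 09:50:01 SMTPD(0001) [192.0.2.10] ERR RCPT TO unknown user
06/21/04 09:50:02 SMTPD(0001) [192.0.2.10] ERR RCPT TO unknown user
06/21/04 09:50:03 SMTPD(0001) [192.0.2.10] ERR RCPT TO unknown user
06/21/04 09:50:04 SMTPD(0002) [198.51.100.7] OK MAIL FROM accepted
06/21/04 09:50:05 SMTPD(0001) [192.0.2.10] ERR RCPT TO unknown user
06/21/04 09:50:06 SMTPD(0003) [203.0.113.9] ERR RCPT TO unknown user
06/21/04 09:50:07 SMTPD(0001) [192.0.2.10] ERR RCPT TO unknown user
06/21/04 09:50:08 SMTPD(0003) [203.0.113.9] ERR RCPT TO unknown user
this line is deliberately malformed and must be skipped
06/21/04 09:50:09 SMTPD(0003) [203.0.113.9] ERR RCPT TO unknown user
06/21/04 09:50:10 SMTPD(0001) [192.0.2.10] ERR RCPT TO unknown user
06/21/04 09:50:11 SMTPD(0003) [203.0.113.9] ERR RCPT TO unknown user
06/21/04 09:50:12 SMTPD(0003) [203.0.113.9] ERR RCPT TO unknown user
06/21/04 09:54:00 SMTPD(0004) [198.51.100.7] ERR RCPT TO unknown user
06/21/04 09:58:00 SMTPD(0005) [198.51.100.7] ERR RCPT TO unknown user
06/21/04 10:02:00 SMTPD(0006) [198.51.100.7] ERR RCPT TO unknown user
06/21/04 10:06:00 SMTPD(0007) [198.51.100.7] ERR RCPT TO unknown user
06/21/04 10:10:00 SMTPD(0008) [198.51.100.7] ERR RCPT TO unknown user
"""


def parse_rejections(text):
    """Yield (timestamp, ip) for each ERR record; OK and unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("status") != "ERR":
            continue
        ts = datetime.strptime(m.group("date") + " " + m.group("time"), "%m/%d/%y %H:%M:%S")
        yield ts, m.group("ip")


def sliding_window_offenders(events, window=timedelta(minutes=5), threshold=5):
    """Return {ip: peak rejections seen inside any `window`} for IPs that reached
    `threshold` in some window. Events are consumed in log (time) order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop rejections older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def has_reverse_dns(ip, resolver=socket.gethostbyaddr):
    """True if a PTR lookup succeeds. Only call this on the flagged set: each
    lookup is a network round trip, which is the overhead the thread worries about."""
    try:
        resolver(ip)
        return True
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return False


def fake_resolver(ip):
    """Offline stand-in for socket.gethostbyaddr (assumed data, not real DNS)."""
    if ip == "203.0.113.9":
        return ("mail.example.net", [], [ip])
    raise socket.herror(1, "Unknown host")


def classify(text, whitelist=frozenset(), resolver=socket.gethostbyaddr,
             window=timedelta(minutes=5), threshold=5):
    """block: rate offenders with no reverse DNS; review: offenders that do
    resolve (a human looks before they go in the access file); whitelisted:
    known-good servers that tripped the rate check, never blocked."""
    offenders = sliding_window_offenders(parse_rejections(text), window, threshold)
    result = {"block": [], "review": [], "whitelisted": []}
    for ip in sorted(offenders):
        if ip in whitelist:
            result["whitelisted"].append(ip)
        elif has_reverse_dns(ip, resolver):
            result["review"].append(ip)
        else:
            result["block"].append(ip)
    return result


if __name__ == "__main__":
    # Offline demo; swap in the default resolver to do real PTR lookups.
    print(classify(SAMPLE_LOG, resolver=fake_resolver))
```

Run against the sample, 192.0.2.10 lands in `block` and 203.0.113.9 in `review`, while 198.51.100.7 never appears: its five rejections are four minutes apart, so no five-minute window holds more than two of them. That is exactly the "slips under the radar" case the thread raises, and lowering `threshold` or widening `window` is the trade-off against false positives on legitimate servers that merely mistype a recipient now and then.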
