----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 21, 2004 10:34
Subject: Re: [IMail Forum] Dictionary Attacks and MX Records
> >The other possibility is to use a regular expression algorithm to try to
> >sniff out hosts that look dynamic, though I'm sure some legitimate
> >hosts will get nailed.
>
> Are you talking about reverse DNS or HELO? Even the so-called experts just
> can't get it right with reverse DNS -- many legitimate mailserver IPs have
> a reverse DNS entry that looks a lot like a dynamic IP (often the exact
> same format as a dynamic IP from the same Internet provider). HELO,
> though, is a different story -- occasionally a legitimate mailserver will
> HELO as something that looks dynamic, but that is quite rare (and easily
> fixable by the mailserver admin, unlike the reverse DNS that is sometimes
> fixable but sometimes is not).

I'm talking about reverse DNS. I don't even want these guys getting to the point where they can open a connection. For now I want to dump offenders in the SMTPD32.acc file (and, if I dare to restart my MS-SMTP backup mail server, into its ACL as well). In a month or two, we may be getting a new gateway router, and I'll be looking at router software that can allow me to dynamically import the IPs to it.

I'm beginning to see that blocking via DNS information is a dangerous business that could lead to a lot of false positives, and am considering abandoning it. That leads back to the threshold game, however. Trying to figure out what level should be considered an attack, and how long an IP that you have decided is attacking you should be blocked, is a bit of a question.

--
A. Clausen
[EMAIL PROTECTED]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
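As an added example (not code from this thread or from IMail), here is one way to play the "threshold game" the reply describes: count unknown-recipient rejections per client IP inside a sliding window, block an IP once it crosses the threshold, and record how long the block lasts so it can be exported to an ACL. The log format, the `SAMPLE_LOG` lines and the `looks_dynamic()` PTR heuristic are all constructed for this example; the last one is included only to show the kind of false positive the thread warns about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (NOT the real SMTPD32 format): timestamp, client IP, RCPT result.
SAMPLE_LOG = """\
2004-06-21 10:30:01 203.0.113.7 RCPT unknown-user
2004-06-21 10:30:02 203.0.113.7 RCPT unknown-user
2004-06-21 10:30:03 203.0.113.7 RCPT unknown-user
2004-06-21 10:30:04 203.0.113.7 RCPT unknown-user
2004-06-21 10:30:05 203.0.113.7 RCPT unknown-user
2004-06-21 10:31:00 198.51.100.9 RCPT unknown-user
2004-06-21 10:45:00 198.51.100.9 RCPT unknown-user
2004-06-21 10:46:00 192.0.2.22 RCPT ok
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT (\S+)$")

def detect_attackers(log_text, threshold=5, window=timedelta(minutes=10), block_for=timedelta(hours=1)):
    """Return {ip: block_until} for IPs with >= threshold unknown-recipient
    rejections inside a sliding window. Accepted recipients are never counted."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    blocks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, result = m.group(2), m.group(3)
        if result != "unknown-user":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop rejections older than the window
            q.popleft()
        if len(q) >= threshold and ip not in blocks:
            blocks[ip] = ts + block_for    # first time over the line: block until then
    return blocks

def acl_lines(blocks):
    """Render the block list as 'ip expires-at' lines for import into an ACL."""
    return [f"{ip} {until.isoformat()}" for ip, until in sorted(blocks.items())]

# Heuristic only: PTR names that embed the IP or a dyn/dhcp/pool/ppp/dsl/cable label.
DYNAMIC_PTR_RE = re.compile(r"(^|[.-])(dyn|dhcp|pool|ppp|dsl|cable)[.-]|(\d{1,3}[.-]){3}\d{1,3}")

def looks_dynamic(ptr):
    """True if the PTR 'looks dynamic'; note a static host like
    static-203-0-113-7.example.net is flagged too, which is the false positive."""
    return bool(DYNAMIC_PTR_RE.search(ptr.lower()))
```

The second IP in the sample has only two rejections fifteen minutes apart, so the window lets it through; tune `threshold`, `window` and `block_for` against your own logs before feeding the output to anything that blocks at the router.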
