Our mail servers are under dictionary attacks 24 hours
a day and 7 days a week. It never stops.
We run blackice which will block the IP of any mail
server that tried to send emails to 3 non-existent
email addresses on our server.
Last time I looked there were 28,000 email servers
that had tried to harvest emails from our server via
dictionary attacks.
There can't be much value in trying to profile email
addresses on our server if each participant can only
make 3 attempts and then they are blocked. So I began
to wonder how the results of all of these attempts are
consolidated into something useful by the spammer?
One thing I noticed is that blackice reports TCP
probes on port 25. This isn't mail, this is software
connecting to port 25 to do who knows what? I've seen
blackice report 150 tcp probes on port 25 from 1 IP
address. Is there a chance that these TCP probes are
somehow used to coordinate these zombie machines
participating in the dictionary attacks? Why would we
be seeing these probes on port 25?
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
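The blocking rule the post describes (an IP gets cut off after it tries three recipients that do not exist) is easy to reproduce as a log-review check. The script below is an added example written for this archive page; it is not the poster's setup, not BlackICE, and not IMail code. The log layout (one line per RCPT with an `ip=`, `to=` and `result=` field) and all addresses are constructed for the example; a real server's log format would need its own regular expression. It counts unknown-recipient rejections per client IP, skips malformed lines, and lists the IPs that reach the threshold, so that an administrator can see which senders are harvesting and which are simply mistyping one address.

```python
import re
from collections import Counter, defaultdict

# Constructed SMTP log lines (a simplified one-line-per-RCPT layout invented
# for this example, not IMail's real log format; all IPs are documentation ranges).
SAMPLE_LOG = """\
2004-11-15 10:01:02 rcpt ip=203.0.113.5 to=aaron@example.org result=unknown-user
2004-11-15 10:01:02 rcpt ip=203.0.113.5 to=abby@example.org result=unknown-user
2004-11-15 10:01:03 rcpt ip=203.0.113.5 to=abel@example.org result=unknown-user
2004-11-15 10:01:03 rcpt ip=203.0.113.5 to=admin@example.org result=accepted
2004-11-15 10:02:10 rcpt ip=198.51.100.7 to=sales@example.org result=accepted
2004-11-15 10:02:11 rcpt ip=198.51.100.7 to=salse@example.org result=unknown-user
2004-11-15 10:05:00 rcpt ip=192.0.2.9 to=bob@example.org result=unknown-user
2004-11-15 10:05:00 rcpt ip=192.0.2.9 to=bill@example.org result=unknown-user
this line is garbage and must be skipped
"""

# Matches exactly the constructed layout above; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rcpt ip=(?P<ip>[\d.]+) to=(?P<rcpt>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed RCPT log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tally_rejects(lines):
    """Count unknown-user rejections per client IP and keep the addresses each probed."""
    rejects = Counter()
    probed = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # malformed line: skip rather than crash mid-file
            continue
        if rec["result"] == "unknown-user":
            rejects[rec["ip"]] += 1
            probed[rec["ip"]].append(rec["rcpt"])
    return rejects, probed


def ips_to_block(lines, threshold=3):
    """IPs that reached the threshold of rejected recipients (3, as in the post).

    A sender with a single typo (198.51.100.7 above) stays below the threshold;
    a sender walking through names alphabetically (203.0.113.5) crosses it.
    """
    rejects, _ = tally_rejects(lines)
    return sorted(ip for ip, n in rejects.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    rejects, probed = tally_rejects(lines)
    for ip in ips_to_block(lines):
        print(f"block {ip}: {rejects[ip]} unknown recipients, e.g. {probed[ip][:3]}")
```

Running it on the constructed log reports only 203.0.113.5, the one client that probed three non-existent mailboxes; the threshold is a parameter, so the same tally can be made stricter or looser per site.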