There can't be much value in trying to profile email addresses on our server if each participant can only make 3 attempts and then they are blocked. So I began to wonder how the results of all of these attempts are consolidated into something useful by the spammer.
If you've blocked 28,000 IPs, that's 84,000 E-mail addresses that they can have information on.
A lot depends on what BlackIce does -- if it drops the SMTP connection, those 28,000 IPs might be continually retrying.
One thing I noticed is that BlackIce reports TCP probes on port 25. This isn't mail, this is software connecting to port 25 to do who knows what?
It could be anything -- you would need to find out what BlackIce defines "TCP probes" as being. It would suggest an immediate disconnect (meaning that they make no attempt to send E-mail or do anything else, except verify that you are running a mailserver). That could be used by spammers trying to get a list of all possible mailservers; they can then in Phase 2 connect to all the mailservers and test to see if they are open relays, and take the results of that to Phase 3 (sending out spam using the open relays). Just a guess.
-Scott
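An added example, not code from the thread or from any of the products mentioned: it takes a constructed connection log and separates bare TCP probes on port 25 (connect, then drop with no SMTP dialogue) from address-harvesting connections (every RCPT TO rejected) and real mail, then applies the "3 attempts and then they are blocked" rule from the first message. The log tuples and the 3-strike threshold are assumptions for illustration.

```python
# Added example (not from the thread): classify SMTP connections from a
# constructed log and apply a 3-attempt block per source IP.
from collections import defaultdict

# Constructed sample log: (source ip, SMTP verbs the client sent,
# server reply codes, in order). An empty verb list is a bare TCP probe.
SAMPLE_CONNECTIONS = [
    ("203.0.113.5", [], []),                       # connect, then drop
    ("203.0.113.5", [], []),
    ("203.0.113.5", [], []),
    ("203.0.113.5", [], []),                       # 4th try, after the block
    ("198.51.100.7", ["EHLO", "MAIL", "RCPT", "RCPT", "RCPT"],
                     ["250", "250", "550", "550", "550"]),
    ("198.51.100.7", ["EHLO", "MAIL", "RCPT"], ["250", "250", "550"]),
    ("198.51.100.7", ["EHLO", "MAIL", "RCPT"], ["250", "250", "550"]),
    ("192.0.2.9", ["EHLO", "MAIL", "RCPT", "DATA"], ["250", "250", "250", "250"]),
]

MAX_ATTEMPTS = 3  # the "3 attempts and then they are blocked" rule (assumed)


def classify(verbs, replies):
    """Label one connection by what the client actually did on port 25."""
    if not verbs:
        return "probe"      # TCP connect with no SMTP commands at all
    rcpt = [r for v, r in zip(verbs, replies) if v == "RCPT"]
    rejected = sum(1 for r in rcpt if r.startswith("5"))
    accepted = sum(1 for r in rcpt if r.startswith("2"))
    if rejected and not accepted:
        return "harvest"    # every recipient unknown: address guessing
    return "mail"


def analyse(connections, max_attempts=MAX_ATTEMPTS):
    """Return per-IP counts by kind and the set of IPs that hit the limit."""
    counts = defaultdict(lambda: {"probe": 0, "harvest": 0, "mail": 0})
    blocked = set()
    for ip, verbs, replies in connections:
        if ip in blocked:
            continue        # a blocked source gets no further attempts counted
        kind = classify(verbs, replies)
        counts[ip][kind] += 1
        if counts[ip]["probe"] + counts[ip]["harvest"] >= max_attempts:
            blocked.add(ip)
    return dict(counts), blocked


if __name__ == "__main__":
    per_ip, blocked_ips = analyse(SAMPLE_CONNECTIONS)
    for ip, kinds in per_ip.items():
        print(ip, kinds, "BLOCKED" if ip in blocked_ips else "")
```

Counting probes and harvest attempts together against the same threshold is what makes a blocked IP count as an IP's worth of addresses tested, as the 28,000 IPs / 84,000 addresses arithmetic above assumes.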
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
