> We run BlackICE, which will block the IP of any mail server that tried to send emails to 3 non-existent email addresses on our server.
3's kinda low, ime
> Last time I looked there were 28,000 email servers
probably not servers, just SMTP clients in infected machines.
> that had tried to harvest emails from our server via dictionary attacks.
Most "attacks" are not really attacks, ime, but compromised subscriber PCs.
> There can't be much value in trying to profile email addresses
My position is that they aren't trying to discover your existing addresses to harvest into a spammer's database, but just to get ANY mail delivered to your domain.
> on our server if each participant can only make 3 attempts and then they are blocked. So I began to wonder how the results of all of these attempts are consolidated into something useful by the spammer?
probably not, and there's no way to know.
> Why would we be seeing these probes on port 25?
A probe is probably just a TCP connect attempt to port 25, to see if the IP is listening on port 25, without any SMTP commands; i.e., a scan of all IPs for port 25, not just your mail server's IP.
ime, the vast majority of these msgs to unknown recipients are from subscriber access networks harboring infected PCs.
Since I don't think any software on IMail can block subscriber networks by PTR domain, you're probably doing the second best to handle it.
greylisting (postgrey for postfix) also does an excellent job of handling infected PCs, since they don't retry.
IMail has an apparent weakness in that it is inefficient in rejecting unknown recipients, so that large volumes of such rejects really bog IMail down, effectively a DDoS.
What you are doing is what I call my _dict filter in IMGate advanced, but I harvest sending IPs only if they don't have a PTR, to protect against harvesting legit MTAs that send to unknown recipients.
Since postfix is very efficient in rejecting, I quit bothering with blocking at the TCP/packet filter level, and let postfix handle it all. Here's a report for today:
1 ACL [EMAIL PROTECTED]
1 SMTP Exceeded Hard Error Limit after HELO
4 ACL provider PTR and ccTLD sender domain
6 ACL provider PTR and ccTLD HELO
6 ETRN Mail theft attempt
6 SMTP Exceeded Hard Error Limit after ETRN
7 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
7 DNS no A/MX for @recipient.domain
12 ACL SAV: new verification in progress
45 SMTP Exceeded Hard Error Limit after RSET
57 ACL helo_hostnames
73 ACL to_local_recipients unknown recipient
74 SMTP Exceeded Hard Error Limit after CONNECT
118 DNS timeout for MTA PTR hostname (forged @sender.domain)
132 ACL from_senders_bw
176 SMTP Invalid HELO hostname
227 SMTP invalid [EMAIL PROTECTED]
343 ACL MAIL FROM: bigISP forged
349 RBL dnsbl.njabl.org
366 SMTP Exceeded Hard Error Limit after MAIL
474 RBL blackhole.securitysage.com
495 ACL unk PTR and ccTLD
508 SMTP unauthorized pipelining
571 SMTP unqualified HELO hostname
685 ACL SAV: undeliverable sender address
757 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
808 ACL SAV: unverifiable sender address
876 ACL from_senders_imgfx
1268 RBL bl.spamcop.net
1641 ACL mta_clients_rbl
1776 RBL list.dsbl.org
2012 RBL block.rhs.mailpolice.com
2092 ACL No PTR for big ISP HELO hostname
2505 ACL MAIL FROM: ccTLD from unknown PTR
3607 RBL sbl.spamhaus.org
4155 ACL mailpolice @sender.domain
4553 RBL cbl.abuseat.org
4619 ACL unauthorized relay
8733 DNS no A/MX for @sender.domain
9019 SMTP HELO hostname is IP
9851 ACL greylist initial reject
16594 ACL too many SHEL rejects <<<<< 3.
63253 ACL mta_clients_bw
93161 SMTP Exceeded Hard Error Limit after DATA
113430 ACL mta_clients_dict <<<<< 1.
275622 SMTP Exceeded Hard Error Limit after RCPT
585483 ACL to_relay_recipients unknown recipient <<<<< 2.
======================
1210558 TOTAL

<<< 1. is rejects of msgs by IP or Class C due to their earlier behavior:
a. no PTR, and
b1. x msgs to unknown recipients by a single IP
b2. y IPs with no PTR in a Class C sending x msgs to unknown recipients.

<<<< 2. is rejects of unknown recipients.

<<<< 3. is my SHEL (smtpd_hard_error_limit) filter that blocks
1. IPs _with_ PTR
2. x postfix discos for too many 5xx rejects per session
... where "disco" means I permit 2 or 3 5xx "hard" rejects in an SMTP session, and the next 5xx reject in the session causes postfix to drop the TCP connection (no RFC/SMTP niceties). If a PTR gets disco'd x times in a day, I blacklist the PTR permanently.
Len
_____________________________________________________________________ http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
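The two tallies Len describes (the _dict filter that harvests no-PTR clients sending to unknown recipients, per IP and per Class C, and the SHEL count of PTR hostnames that postfix disconnected for too many 5xx rejects) are easy to reproduce from smtpd log lines. The script below is an added example, not IMGate's code or anything from the post: it parses Postfix-style "reject: RCPT ... User unknown" and "too many errors after ..." lines, harvests only clients logged as `unknown[ip]` (Postfix's marker for no PTR), and lists PTR hostnames disconnected x times. The thresholds `x_msgs`, `y_ips` and `x_discos`, the reading of b2 as "y distinct no-PTR IPs in one /24 whose rejects total x", and the sample log lines are all constructed for illustration.

```python
"""
Added example, not Len's IMGate code: tally Postfix smtpd log lines into the
two block lists the post describes.
  dict_filter()    -- the "mta_clients_dict" idea: harvest only clients with NO
                      PTR ("unknown[ip]" in Postfix logs) that sent x messages to
                      unknown recipients, and /24s holding y such IPs.
  shel_blacklist() -- the "SHEL" idea: clients WITH a PTR that Postfix dropped
                      ("too many errors after ...") x times get their PTR listed.
Thresholds (x, y) and the sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Postfix names the client as "<ptr-hostname-or-unknown>[<ip>]".
CLIENT = r"(?P<host>[^\s\[]+)\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
UNKNOWN_RCPT = re.compile(r"reject: RCPT from " + CLIENT + r": 550 .*User unknown")
DISCO = re.compile(r"too many errors after (?P<stage>[A-Z-]+) from " + CLIENT)


def parse_events(lines):
    """Reduce raw log lines to (kind, ip, ptr) events; ptr is None when no PTR."""
    events = []
    for line in lines:
        for kind, rx in (("unknown_rcpt", UNKNOWN_RCPT), ("disco", DISCO)):
            m = rx.search(line)
            if m:
                ptr = None if m["host"] == "unknown" else m["host"]
                events.append({"kind": kind, "ip": m["ip"], "ptr": ptr})
                break
    return events


def dict_filter(events, x_msgs=3, y_ips=2):
    """Return (ips, networks) to block. Only no-PTR clients are harvested, so a
    legitimate MTA that bounces to a stale address is never caught."""
    no_ptr = [e for e in events if e["kind"] == "unknown_rcpt" and e["ptr"] is None]
    per_ip = Counter(e["ip"] for e in no_ptr)
    ips = {ip for ip, n in per_ip.items() if n >= x_msgs}
    # Class C aggregation (assumed reading of b2): y distinct no-PTR IPs in one
    # /24 whose unknown-recipient rejects total x or more.
    per_net = defaultdict(Counter)
    for ip, n in per_ip.items():
        per_net[str(ip_network(ip + "/24", strict=False))][ip] = n
    nets = {net for net, c in per_net.items()
            if len(c) >= y_ips and sum(c.values()) >= x_msgs}
    return ips, nets


def shel_blacklist(events, x_discos=2):
    """PTR hostnames disconnected x times in the period; no-PTR clients are
    deliberately left to dict_filter()."""
    per_ptr = Counter(e["ptr"] for e in events if e["kind"] == "disco" and e["ptr"])
    return {ptr for ptr, n in per_ptr.items() if n >= x_discos}


# --- constructed sample log, modelled on Postfix's smtpd reject/disconnect lines ---
def _reject(host, ip, rcpt):
    return (f"Mar  1 10:00:01 mx postfix/smtpd[100]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient "
            f"table; from=<x@spam.invalid> to=<{rcpt}> proto=SMTP helo=<{ip}>")


def _disco(host, ip, stage):
    return f"Mar  1 10:00:02 mx postfix/smtpd[100]: too many errors after {stage} from {host}[{ip}]"


SAMPLE_LOG = [
    _reject("unknown", "192.0.2.10", "aaron@example.com"),   # dictionary walk from one IP
    _reject("unknown", "192.0.2.10", "abby@example.com"),
    _reject("unknown", "192.0.2.10", "adam@example.com"),
    _reject("unknown", "192.0.2.11", "alan@example.com"),    # neighbours in the same /24
    _reject("unknown", "192.0.2.12", "alex@example.com"),
    _reject("mail.example.net", "198.51.100.5", "oldstaff@example.com"),  # real MTA, has PTR
    _disco("unknown", "192.0.2.10", "RCPT"),
    _disco("pc123.dsl.example.org", "203.0.113.7", "RCPT"),
    _disco("pc123.dsl.example.org", "203.0.113.7", "RCPT"),
    _disco("mail.example.net", "198.51.100.5", "DATA"),
]

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("dict filter:", dict_filter(ev))        # ({'192.0.2.10'}, {'192.0.2.0/24'})
    print("SHEL blacklist:", shel_blacklist(ev))  # {'pc123.dsl.example.org'}
```

On the sample, mail.example.net sends one unknown-recipient message and is disconnected once, and is listed by neither function: it has a PTR, so the dict filter ignores it, and a single disco is below the SHEL threshold. That is the protection Len mentions for legit MTAs. In production the tallies would be reset per day and the resulting lists fed to a client access map.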
