I've blocked some of the high-volume spammers' IPs using BlackIce and I am seeing their blocked email showing up as TCP Probes. It's like anything other than normal email or including normal email if the IP is blocked.
One other thing I've noted is that after blocking some of them in the main BlackIce screen I am seeing the intruder as a null IP 0.0.0.0, yet if I double click it and go to the intruders tab it will show a good IP. That is weird!

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cycle Rider
Sent: Tuesday, November 16, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] Dictionary attacks and TCP Probes?

Our mail servers are under dictionary attacks 24 hours a day and 7 days a week. It never stops. We run blackice which will block the IP of any mail server that tried to send emails to 3 non-existent email addresses on our server. Last time I looked there were 28,000 email servers that had tried to harvest emails from our server via dictionary attacks.

There can't be much value in trying to profile email addresses on our server if each participant can only make 3 attempts and then they are blocked. So I began to wonder how the results of all of these attempts are consolidated into something useful by the spammer?

One thing I noticed is that blackice reports TCP probes on port 25. This isn't mail, this is software connecting to port 25 to do who knows what? I've seen blackice report 150 tcp probes on port 25 from 1 IP address. Is there a chance that these TCP probes are somehow used to coordinate these zombie machines participating in the dictionary attacks? Why would we be seeing these probes on port 25?

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
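An added example, not part of the original messages and not BlackICE's own logic: it replays constructed SMTP log records through the three-rejects-per-IP rule described in the thread and also totals the guesses across all sources, the figure a per-IP limit does not cap. The record format, function name and all addresses are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 3  # rejected recipients allowed per source IP (the rule in the thread)

# Constructed sample records: (source_ip, recipient, smtp_reply_code).
# 550 = mailbox does not exist, 250 = recipient accepted.
SAMPLE_LOG = [
    ("192.0.2.10", "aaron@example.test", 550),
    ("192.0.2.10", "abby@example.test", 550),
    ("192.0.2.10", "adam@example.test", 550),
    ("192.0.2.10", "alan@example.test", 550),    # arrives after the block
    ("198.51.100.7", "albert@example.test", 550),
    ("198.51.100.7", "alice@example.test", 250),
    ("198.51.100.7", "amy@example.test", 550),
    ("203.0.113.5", "andy@example.test", 550),
    ("203.0.113.5", "sales@example.test", 250),
    ("203.0.113.99", "ted@example.test", 250),   # ordinary mail, no rejects
]

def analyze(log, threshold=THRESHOLD):
    """Replay the log in order, apply the per-IP block, then aggregate."""
    rejects = defaultdict(int)    # ip -> count of nonexistent recipients tried
    accepted = defaultdict(set)   # ip -> valid recipients that ip reached
    blocked, dropped, guessed = [], 0, set()
    for ip, rcpt, code in log:
        if ip in blocked:         # already blocked: never reaches the mail server
            dropped += 1
            continue
        if code == 550:
            rejects[ip] += 1
            guessed.add(rcpt)
            if rejects[ip] >= threshold:
                blocked.append(ip)
        elif code == 250:
            accepted[ip].add(rcpt)
    # Sources that guessed at least once but stayed under the threshold.
    under = sorted(ip for ip, n in rejects.items() if n < threshold)
    # Valid addresses accepted from any source that also guessed invalid ones.
    exposed = set().union(*(accepted[ip] for ip in rejects))
    return {
        "blocked": blocked,
        "dropped_after_block": dropped,
        "under_threshold_sources": under,
        "distinct_invalid_guesses": len(guessed),
        "valid_addresses_exposed": sorted(exposed),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Only one source is blocked in the sample, yet six distinct nonexistent addresses were tried and two valid ones were accepted from sources that never reached the limit, so the aggregate counts are worth tracking alongside the per-IP block list.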
