We run BlackIce here too, but ours lets the dictionary attacks just happen. Did you alter something somewhere to make it stop them?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cycle Rider
Sent: Tuesday, November 16, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] Dictionary attacks and TCP Probes?

Our mail servers are under dictionary attacks 24 hours a day and 7 days a week. It never stops. We run blackice, which will block the IP of any mail server that tried to send emails to 3 non-existent email addresses on our server. Last time I looked there were 28,000 email servers that had tried to harvest emails from our server via dictionary attacks.

There can't be much value in trying to profile email addresses on our server if each participant can only make 3 attempts and then they are blocked. So I began to wonder how the results of all of these attempts are consolidated into something useful by the spammer?

One thing I noticed is that blackice reports TCP probes on port 25. This isn't mail, this is software connecting to port 25 to do who knows what? I've seen blackice report 150 TCP probes on port 25 from 1 IP address.

Is there a chance that these TCP probes are somehow used to coordinate these zombie machines participating in the dictionary attacks? Why would we be seeing these probes on port 25?

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
