Title: Dictionary Attacks

8.2

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Callahan
Sent: Thursday, May 12, 2005 7:36 AM
To: [email protected]
Subject: RE: [IMail Forum] Dictionary Attacks

 

In what version did this parameter start showing up?  I don't see it in 8.13.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Odryna
Sent: Thursday, April 28, 2005 9:10 AM
To: [email protected]
Subject: RE: [IMail Forum] Dictionary Attacks

You have to edit the registry and change the dword value from zero to whatever you feel comfortable with.

 

• SMTPD can now block connections after max invalid recipients reached.
• SMTPD will close a connection after the maximum number of invalid recipients has been reached. This is not turned on by default. To enable this behavior create or edit the following registry key:
Key: MaxInvalidRCPTsPerSession
Type: DWORD
Default: 0
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPD32\Parameters

If this value is non-zero, the server will close the connection if that number of invalid recipients is received.

Mike
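One way to apply the registry change described in the message above from PowerShell, as an added example that is not part of the original thread or of the product's documentation. The value name, type and location come from the release note quoted above (under HKEY_LOCAL_MACHINE); the function name `Set-MaxInvalidRcpts` is hypothetical and the limit of 5 is an assumed value.

```powershell
# Added example. Set-MaxInvalidRcpts is a hypothetical helper name.
# Value name, type and path are taken from the release note quoted in the thread.
function Set-MaxInvalidRcpts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Limit
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPD32\Parameters'
    $name = 'MaxInvalidRCPTsPerSession'

    # Refuse to create the service key on a host where it does not exist.
    if (-not (Test-Path -Path $path)) {
        throw "Registry key not found: $path"
    }

    # Read the current setting. The release note gives 0 as the default
    # (feature off), so a missing value is reported as 0 here.
    $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $before) { $before = 0 }

    if ($before -ne $Limit -and $PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Limit")) {
        # -Force overwrites an existing value and guarantees the DWORD type.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Limit -Force | Out-Null
    }

    # Re-read so the caller sees what is actually stored, not what was requested.
    $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $after) { $after = 0 }

    [pscustomobject]@{
        Name     = $name
        Previous = $before
        Current  = $after
        Enabled  = ($after -ne 0)   # non-zero turns the behavior on
    }
}

# Dry run with an assumed limit of 5; drop -WhatIf to write the value.
# The thread does not say whether the SMTP service must be restarted afterwards.
Set-MaxInvalidRcpts -Limit 5 -WhatIf
```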

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryant Nielson
Sent: Thursday, April 28, 2005 9:03 AM
To: [email protected]
Subject: RE: [IMail Forum] Dictionary Attacks

 

How/where does one check this feature?  I have looked all over for it and it has seemed to escape my limited mental capabilities.  Can anyone point me to the area that this is managed?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Odryna
Sent: Thursday, April 28, 2005 7:33 AM
To: [email protected]
Subject: [IMail Forum] Dictionary Attacks

I have set the dictionary attack filter to a setting of 2.  I check the system log and see that it is actually working as advertised.  I have several questions:

1. When I analyze the sys log and create an HTTP report, I see no mention of closed connections.  Can these be added to the HTTP report?

2. Is the connection to the rejected IP address cached for any amount of time?

3. Can you get a list by IP number of the number of times a connection was closed?

4. Can the system be configured to add an IP to a real-time blacklist after so many closed connections?

Mike Odryna
