Re[2]: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-08 Thread Matti Haack
mac> Are you sure that it is a number of hacked accounts and not a hacked
mac> machine?
mac> Are you sure your mail server has not been turned into a spambot?
I totally agree.
If they knew the passwords, they would do the job much faster
with SMTP.
So I think there is some glitch in your IIS setup or in Imail, which
allows getting to the webmail without authorization.

These spammers are not so stupid as to do everything by hand, if they
could just start Outlook Express to do the job.

Which country will be next to be excluded? China? Russia? US?

If you really want to do it, this should be a job for a firewall.

Matti



mac> If they know the passwords they learned them one of three ways: with a
mac> sniffer, which means something on your network is compromised; directly
mac> from the server, which means the server is compromised; or, if you keep a
mac> list of passwords locally, access to that list is compromised.

mac> You need to find the hole and change all passwords, if it is really a
mac> password leak.

mac> Roger


mac> David E. Smith wrote:
>> Lately, I've had a rash of attackers from Nigeria, who have acquired 
>> (through whatever means) legitimate logins and passwords for my Imail users. 
>> They log in, send out a couple thousand emails, and log out. There are no 
>> failed logins, so even an over-zealous account lockout policy wouldn't work 
>> in this instance. 
>>
>> They only send to five or ten recipients at a time, so they avoid most of 
>> the rate-limiting features. But through the magic of cut-and-paste, they're 
>> able to get a few thousand messages an hour sent out.
>>
>> All the attackers come from IP space listed on ng.blackholes.us, and I'm 
>> willing to annoy any legitimate users of mine that might be vacationing in 
>> Lagos.
>>
>> Anyone know of a way to apply DNS blacklists to a Web site in IIS, 
>> comparable to mod_dnsbl for Apache?
>>
>> David Smith
>> MVN.net
>>
>>
>> To Unsubscribe: http://imailserver.com/support/discussion_list/
>> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>> Knowledge Base/FAQ: http://imailserver.com/support/kb.html



-- 
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de





Re[2]: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-07 Thread Sanford Whiteman
> Take a look at eWall as it really is a nice little program that does
> more than just geo sniping. $99 and it integrates with Message Sniffer
> very nicely.

Irrelevant... this product obviously doesn't fill the need, quite well
articulated by the OP, for HTTP-based, geolocation-based monitoring.

--Sandy




Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/




Re[2]: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-06 Thread Sanford Whiteman
> What is your connection between IIS and IMail?  Are you using a version of
> IMail that uses IIS (ie:2006 or later)?

Pretty clear that he is, no? Otherwise there would be no reason for
the post, since he would have more ownership over the code that
generates the mail.

> We have been using Declude Hijack for many years with IMail to
> detect and stop these kinds of attacks. It has the weakness that it
> is IP based, so (a) if a well-distributed attack were to occur, it
> would not detect it; and (b) if a lot of legit mail comes from an
> individual server, you have to set the detection limits very high
> for the server's IP. But on the whole, it has been extremely
> effective for us.

Nothing against Hijack, which I have used as well, but it is not the
right tool for stopping hijacking that is initiated over HTTP.

--Sandy





Re[2]: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread Sanford Whiteman
> I can't readily think of a more appropriate place to perform these
> checks, except maybe by modifying the Imail Web interface itself to
> use a geolocation database, but I'm not sure if that's even
> possible.

You're talking about a task typically done by an ISAPI filter on the
box or by a reverse proxy -- something host header aware.

Fastream's IQRP, which we swear by here, can block by geo. Tometa's
GeoSniper is an ISAPI geo filter which I haven't used but which could
be perfect for you.

ISAPI-based IPSes like ThreatSentry, DotDefender, WebKnight can be
bound only to a specific virtual server in IIS and detect trends over
time, such as too many hits on the mail submission form in a short
period. Don't think any of these used geolocation outright the last
time I used them.

WhosOn, a user tracking app that we also use, can tail your logs every
15 seconds and also find aberrations like this, though it is
technically out-of-band.

--Sandy



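The two checks discussed in this thread (a DNSBL lookup on the client address, and scanning the IIS log for too many hits on the mail submission form in a short period), sketched in Python as an added example that is not from any poster or product named above. The path `/mail/send.aspx`, the threshold and the sample log lines are constructed assumptions; the zone name is the one the original poster mentions.

```python
import socket
from collections import defaultdict, deque
from datetime import datetime, timedelta

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone):
    """True if the zone answers with a 127.x.x.x A record (needs live DNS)."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone)).startswith("127.")
    except socket.gaierror:          # NXDOMAIN: address is not on the list
        return False

def flag_heavy_senders(log_lines, submit_path, limit, window=timedelta(minutes=10)):
    """Return {client_ip: peak POSTs to submit_path in any window} above limit."""
    fields, recent, peak = [], defaultdict(deque), defaultdict(int)
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # W3C logs name their own columns
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "POST" or row.get("cs-uri-stem", "").lower() != submit_path:
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        hits = recent[row["c-ip"]]
        hits.append(ts)
        while ts - hits[0] > window:         # drop hits older than the window
            hits.popleft()
        peak[row["c-ip"]] = max(peak[row["c-ip"]], len(hits))
    return {ip: n for ip, n in peak.items() if n > limit}

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
] + [f"2009-01-05 10:00:{s:02d} 192.0.2.10 POST /mail/send.aspx 200" for s in range(0, 60, 5)] + [
    "2009-01-05 10:01:00 198.51.100.7 POST /mail/send.aspx 200",
    "2009-01-05 10:02:00 198.51.100.7 GET /mail/inbox.aspx 200",
    "2009-01-05 11:30:00 198.51.100.7 POST /mail/send.aspx 200",
]

if __name__ == "__main__":
    for ip, n in flag_heavy_senders(SAMPLE_LOG, "/mail/send.aspx", limit=10).items():
        print(ip, n, dnsbl_query_name(ip, "ng.blackholes.us"))
```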