Feucht, Florian writes:
> > Perhaps he did, but "locked out CONNECTIONS from that IP for 10
> > minutes" reads differently to me. If Tom had meant what you said, then
> > I would have expected something like "locked out authentication attempts
> > from that username/IP pair for 10 minutes."
> This idea is great, but doesn't work for me, because all traffic passes
> a proxy firewall (including an esmtp daemon) - so the firewall is the one
> and only entity which makes a connection to the mailserver...
We have many clients behind firewalls. They too would suffer from a
simple block on an IP address.
> About the DoS attack: sure, it's possible to knock somebody out of his
> mailbox... but I think this is better than if somebody takes it over...
I think it's a close call. The difference between somebody deleting
your mail before you can read it and somebody blocking your access day
after day is small. Yes, if they can delete your mail they can also
read it, which may be a bigger problem, but being unable to read your
mail is bad enough.
As I said before, there are ways to greatly reduce the chances of
somebody getting at your mail. Give your mailbox a randomly-generated
name and use an alias to deliver to it. Then it doesn't matter how
weak your password is because they'll be trying [EMAIL PROTECTED] instead
of [EMAIL PROTECTED]. This is something that you can do right now,
although it is a pain to administer. Maybe vpopmail and qmailadmin
should be extended so that there is an option to create random mailbox
names with aliases (to avoid name collisions the random mailbox names would
have to start with an underscore or something like that).
> If it happens that somebody starts DDoS this way, I can do the
> - look at my firewall log
> - find out his (or her ;) ) IP address
> - block the IP(-Pool)
> - contact the ISP, if it doesn't stop.
That was a workable solution three or four years ago. These days the
script kiddies use distributed DoS attacks using hundreds of computers
they've managed to install backdoors on. You could spend every minute of
your life blocking IP addresses and still not be able to pick up your mail.
A tarpit is a two-edged sword...
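
The lockout trade-off argued over in this thread, as an added example that is not part of the original message or of vpopmail: it compares a lockout keyed on the IP address alone with one keyed on the username/IP pair when every client arrives through one proxy address. The names `LockoutTracker`, `by_ip`, `by_pair` and `simulate`, the three-failure threshold and the addresses are assumptions made for the illustration.

```python
from collections import defaultdict

LOCKOUT_SECONDS = 600  # the "10 minutes" mentioned in the thread
MAX_FAILURES = 3       # assumed threshold; the thread does not state one
PROXY = "192.0.2.10"   # constructed: the one address a proxy firewall presents


class LockoutTracker:
    """Counts failed logins per key and locks that key for LOCKOUT_SECONDS."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, now, ip, user, password_ok):
        key = self.key_fn(ip, user)
        if self.locked_until.get(key, 0) > now:
            return "locked"  # rejected before the password is even checked
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures.pop(key, None)
        return "denied"


def by_ip(ip, user):
    return ip            # "lock out connections from that IP"


def by_pair(ip, user):
    return (user, ip)    # "lock out the username/IP pair"


def simulate(key_fn):
    """Three bad guesses at alice arrive via the proxy; then real users log in."""
    t = LockoutTracker(key_fn)
    for second in range(MAX_FAILURES):
        t.attempt(second, PROXY, "alice", password_ok=False)
    return {
        "bob_via_proxy": t.attempt(10, PROXY, "bob", True),
        "alice_via_proxy": t.attempt(10, PROXY, "alice", True),
        "alice_other_ip": t.attempt(10, "198.51.100.7", "alice", True),
        "alice_after_expiry": t.attempt(700, PROXY, "alice", True),
    }
```

With `by_ip` every user behind the proxy is locked out together; with `by_pair` only alice behind that proxy is, which is the denial-of-service cost the thread weighs against a takeover.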