Dictionary attack detection is something I really wish XMail could natively do. ModusMail was a package we used prior to XMail. It could detect and temporarily ban an IP address for a set period of time. It actually helped a lot. You do not want to permanently ban such IP addresses, because some dictionary attacks do get relayed through legit hosts/ISPs from hijacked email accounts from time to time. Permanently banning the IP addresses will eventually cause your email server to block a lot of legit email. The feature in ModusMail let you set a duration for the block in addition to a threshold for activating such a block. There were a lot of things about ModusMail I did not like, but that dictionary attack detection stuff was actually really cool.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phillip R. Shaw
Sent: Monday, December 27, 2004 11:19 AM
To: [email protected]
Subject: [xmail] Spam blocking filter

Problem:

I am getting hit with a dictionary attack on my mail server over a limited bandwidth connection. Volume is slowly increasing, going to over 4000 (maybe 6000 now) email messages a day. Over 90% of these are spam from the dictionary attack. I do use a few blacklists, and they catch about 90% of them. But I seem to be on the bleeding edge of this stuff because I get the first batch of junk sent out before they are added to the blacklists.

I finally got tired of all the junk mail (and wasted bandwidth) and started looking for better ways to minimize it. I have a list of email addresses that are receiving email but the email addresses have never existed; anyone sending email to them is sending spam.

Current Solution:

So I decided to write a filter. I am trying to block the sending IP addresses, and I am trying to block this as early as possible to cut down on my bandwidth usage. From what I can tell looking at the XMail source, if the sending IP address is listed in the spammers.tab file the connection is dropped before any real traffic happens. (The check is made at the time of connection, before anything is sent or received.)

So my plan is to add any senders that get through to me to the spammers.tab. When I receive an email I am looking up the email address that it was sent to. If that email address is in my list of bad email addresses I want to halt all email from that sending IP address by adding that IP to the spammers.tab. In the filter.out.tab I have a filter that looks up the email address it was sent to. If the email address is in my list I am adding that IP address to the spammers.tab and returning a 4 from the filter.
This does seem to stop me from receiving the email. But it does appear that the spammers are able to send many emails on the same connection, without the server rechecking the spammers.tab.

So what I am looking for is an idea on how to have the filter do something that will cause all the checks to be redone. Ideally it would force the connection to be closed, so when the spammer retries it would then be found in the spammers.tab and blocked.

Or, if this is not the best way to implement this functionality, what are some other ideas? It does seem to be working pretty well; if I could just have the filter force the connection to be dropped it might be close to perfect.

Thanks
Phillip

-
To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
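The two messages above describe one mechanism from two sides: Phillip's filter treats a delivery to an address that has never existed as proof of a dictionary attack and adds the client IP to spammers.tab, and the reply points out that such a ban must be temporary and threshold-based, since hijacked accounts on legitimate relays also produce these hits. The following is an added example, written for this page and not code from XMail, ModusMail or either poster, that combines both: it counts bad-recipient hits per client IP inside a time window, bans the IP only once a threshold is crossed, expires the ban after a set duration, and renders the active bans as spammers.tab lines. The exit code 4 is taken from Phillip's description; the spammers.tab line format, the event input and the class and function names are assumptions made for the example.

```python
"""Threshold-based, expiring IP ban driven by deliveries to non-existent
recipients (the dictionary-attack signal from the original post).

Assumptions not taken from the thread: the spammers.tab line format
'"<ip>" "255.255.255.255"', the sample events, and all names below.
"""
import ipaddress
from collections import defaultdict

REJECT = 4   # filter return value the original post uses to reject a message
ACCEPT = 0


class DictionaryAttackBanList:
    """Tracks hits to never-existed recipients per client IP and bans an IP
    for `ban_duration` seconds once it makes `threshold` hits within `window`
    seconds. Bans expire, so a hijacked account on a legitimate relay does not
    block that relay forever."""

    def __init__(self, bad_recipients, threshold=3, window=600, ban_duration=3600):
        self.bad = {r.lower() for r in bad_recipients}
        self.threshold = threshold
        self.window = window
        self.ban_duration = ban_duration
        self.hits = defaultdict(list)   # ip -> timestamps of bad-recipient hits
        self.bans = {}                  # ip -> expiry timestamp (seconds)

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]           # temporary ban has run out
            return False
        return True

    def record(self, ip, recipient, now):
        """One filter invocation: returns the filter exit code for this
        delivery and updates the hit counters and ban table."""
        ipaddress.ip_address(ip)        # never let a malformed string reach spammers.tab
        if self.is_banned(ip, now):
            return REJECT
        if recipient.lower() not in self.bad:
            return ACCEPT
        recent = [t for t in self.hits[ip] if now - t <= self.window]
        recent.append(now)
        self.hits[ip] = recent
        if len(recent) >= self.threshold:
            self.bans[ip] = now + self.ban_duration
            del self.hits[ip]
        return REJECT                   # bad recipient: reject even below threshold

    def spammers_tab(self, now):
        """Render the currently active bans as spammers.tab lines (format assumed)."""
        return "".join(f'"{ip}" "255.255.255.255"\n'
                       for ip, expiry in sorted(self.bans.items()) if expiry > now)


def simulate():
    """Constructed sample traffic: one client walks through guessed addresses
    while a legitimate host makes a single typo; shows the ban appearing for
    the attacker only, and expiring after ban_duration."""
    bans = DictionaryAttackBanList(
        {"alice@example.com", "bob@example.com", "carol@example.com"},
        threshold=3, window=600, ban_duration=3600)
    t0 = 1104000000                      # constructed epoch timestamp
    events = [                           # (time, client ip, recipient)
        (t0 + 0,  "203.0.113.7",  "alice@example.com"),
        (t0 + 5,  "203.0.113.7",  "bob@example.com"),
        (t0 + 9,  "198.51.100.2", "alice@example.com"),      # one typo from a real host
        (t0 + 12, "203.0.113.7",  "carol@example.com"),      # third hit: banned
        (t0 + 20, "203.0.113.7",  "postmaster@example.com"), # real address, still banned
        (t0 + 30, "198.51.100.2", "postmaster@example.com"), # legit host unaffected
    ]
    codes = [bans.record(ip, rcpt, t) for t, ip, rcpt in events]
    tab_during_ban = bans.spammers_tab(t0 + 60)
    still_banned_later = bans.is_banned("203.0.113.7", t0 + 12 + 3600 + 1)
    return codes, tab_during_ban, still_banned_later


if __name__ == "__main__":
    codes, tab, later = simulate()
    print("exit codes:", codes)
    print("spammers.tab during ban:\n" + tab, end="")
    print("attacker still banned after expiry window:", later)
```

In practice the filter would be invoked by the server for each delivery and would rewrite spammers.tab from `spammers_tab()` on every change; the threshold keeps a single typo from a legitimate host out of the table, and the expiry addresses the reply's point that a permanent ban eventually blocks real mail from relays that were merely abused.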
