> It would seem like stopping dictionary attacks would be a primary
> function of anti-spam

  It really should be done in the SMTP dialogue. There should be a
  setting for maximum consecutive rcpt-to errors in a single session.
  Then you could set it and let the server count up to that number and
  then kill the session if it were exceeded.

  There are so many problems doing it outside the SMTP dialogue.  For
  instance if you are checking the log for rcpt-to errors then not
  only do you have to consider the IP but the session.  Because I
  learned quite early that rcpt-to errors themselves are frequently
  made by clients.  So if you have a low threshold and you have one
  client that has a setting wrong on his Outlook or some other program
  then he can easily hit the target over several sessions.

  Then if you do put his IP in the ACL then he no longer can connect
  and you get an angry customer.

  As Scott said there are apparently IMAIL ACLs with a 100 IP
  maximum.  I did not see this myself as I had thousands of IPs listed
  at one time.

  And that's a problem with the IP listing method anyway.  You have
  situations where an attack is mounted from zombies on a perfectly
  legal and desirable network.  So you don't really want to deny the
  entire network and/or you don't want to deny it forever.  So this
  leads to maintenance issues with the ACL.

  The problem with using proxies which can interrupt the SMTP session
  and just drop it if the rcpt-to error count is too high is that they
  do not have access to the user database.

  Postfix has this capability and then some. And there are several
  programs that can be used to export the Imail database to a Postfix
  gateway.  So probably the best bet right now is a Postfix gateway if
  you need immediate protection.

  As far as I know there is no single Imail server proxy solution
  that would do this.  I thought about writing such a program myself
  but have just never had time.

  I find it very strange that the mail server programmers I've
  mentioned this to (not IMAIL either) find it so unnecessary. They
  seem to believe that what is reported by hundreds, maybe thousands,
  of admins as a growing and severe problem is just exaggeration.


  Terry Fritts
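
The difference between counting rcpt-to errors per IP in the log and counting consecutive errors within one session, as an added example that is not part of the original message. The log format, the event names and the `analyze` function are assumptions made for illustration; the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format): "<session-id> <client-ip> <event>"
SAMPLE_LOG = [
    # A misconfigured mail client: one bad recipient per session, four sessions.
    "s1 192.0.2.10 RCPT_ERR",
    "s2 192.0.2.10 RCPT_ERR",
    "s3 192.0.2.10 RCPT_ERR",
    "s3 192.0.2.10 RCPT_OK",
    "s4 192.0.2.10 RCPT_ERR",
] + ["s5 198.51.100.7 RCPT_ERR"] * 5  # a dictionary run: five guesses, one session


def analyze(lines, limit=3):
    """Return (ips_flagged_by_log_total, sessions_killed_in_dialogue).

    ips_flagged_by_log_total: IPs whose rcpt-to errors, summed over all
        sessions, exceed `limit` (the log-scanning / ACL approach).
    sessions_killed_in_dialogue: {session: ip} for sessions where the count
        of consecutive rcpt-to errors exceeded `limit` (the in-session approach).
    """
    errors_per_ip = defaultdict(int)
    streak = defaultdict(int)      # session -> current run of consecutive errors
    killed = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue               # skip malformed lines
        session, ip, event = parts
        if event == "RCPT_ERR":
            errors_per_ip[ip] += 1
            streak[session] += 1
            if streak[session] > limit:
                killed.setdefault(session, ip)
        elif event == "RCPT_OK":
            streak[session] = 0    # a valid recipient resets the run
    flagged = {ip for ip, n in errors_per_ip.items() if n > limit}
    return flagged, killed


if __name__ == "__main__":
    flagged, killed = analyze(SAMPLE_LOG)
    print("flagged by per-IP log total:", sorted(flagged))
    print("killed by per-session limit:", killed)
```

With a limit of 3, the per-IP total flags both addresses, including the misconfigured client, while the per-session count only ends the session that ran five failures in a row.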
  

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
