That won’t work.  They come from thousands of different IP addresses.

Our mail server is under continual bombardment all day long every day from these dictionary attacks.  I have BlackICE set up to automatically block the IP address after 3 attempts at non-existing email accounts.  The IP is blocked for 1 hour and then the block goes away.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Friday, July 29, 2005 4:29 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude Woes

Or you could just block the IPs in IMail from which the attacks are coming... or in your router.

At 05:18 PM 7/29/2005 -0400, you wrote:
>>>>
Easy way to find out if it is dictionary attacks: count the number of times "ERR * invalid user" appears in a single day's log. I wouldn't be surprised to see 100,000 of them if it is a dictionary attack. In the search string, you can replace the "*" with the OHN of your mail server if you want, but I search with the wildcard to make sure in case it uses the hostnames of other IP'ed hosts on my system. If you find that there aren't a HUUUUGE number of these in the logs, then Matt is right and IMGate might not solve your problem. But if there ARE a HUUUUGE number of these, a gateway is the answer.

Dan Horne


----------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, July 29, 2005 2:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude Woes

Michael,

Just to clarify one issue here that is important to understand in this context. If Will's server has no nobody aliases, and all of the E-mail that it accepts is hosted on that same box, then he shouldn't be seeing any issues from "dictionary attacks". It's when you meet either one of those conditions that you are at severe risk for being brought down by one of them.

IMO, installing IMgate (Postfix config) or some other pre-scanning gateway does have other advantages as well, but given the information that Will has provided, I don't believe that dictionary attacks aren't an issue here, and he does have issues that a gateway wouldn't fix and they should be looked at first before throwing in another box as that other box might not be necessary or fix the overall problem.

Matt



Michael Jaworski wrote:

I can second the need for a gateway defense when under attack. We run a Windows shop and were being crushed under multiple dictionary attacks for two domains on a daily basis. I took the daunting task to build our first Linux box running Postfix. The first box was a tough start though I had an employee who had Linux experience. We are running Postfix on OpenBSD 3.6 with MySQL for dynamic update ability. (I am still working on grabbing additions, updates and deletions from SmarterMail admins so we can throw all our domains in Postfix and update in realtime.) After a few weeks we added a second box in the event the first box went down. The second box was a breeze since it was basically a duplication. Both MX records now point at the two boxes. The hardware was old 500 MHz and 1 GHz CPUs with 512 MB of RAM each. The 1 GHz is primary and takes 75% of the load without much effort with plenty of free memory. The whole setup allows the main server running SmarterMail/Declude Pro/Sniffer/F-Prot to respond quickly to POP, web mail and SMTP traffic requests.

The Linux approach only should cost you some time and old equipment as the software is free. Our experience over the last two years showed it was worth climbing the short Linux learning cliff. And it is true ... they run forever.

One important note not related to using a gateway: We never bounce spam e-mail back to the "sender". The backscatter traffic can kill you and skew your reports.

Michael Jaworski
Puget Sound Network, Inc.
(206) 217-0400
(800) 599-9485



----------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Friday, July 29, 2005 9:38 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude Woes



Well, I'm back at it today.



Yesterday I disabled Declude early in the day and started working mail back into the spool directory from the overflow directory. This was a long process, but by the end of the day I had gone from a backlog of 150,000 files in the spool and 134,000 in the overflow directory to about 1500 (that includes logs). During this time I needed to stop and restart the queue manager a number of times. I did this to allow me to delete all the .gse files, which I figured would save me time discarding them. However, by the time I got down to 1500 files and started to watch the spool, it started to increase in size again, climbing to 4000 within a matter of minutes. I stopped and restarted the queue manager and these files were then processed. I verified they were actually getting processed by sending test messages to myself. At this point I was pretty upset and confused. I looked through the sys logs and found nothing out of the ordinary; the queue manager would simply stop. I set all the queue manager settings back to default and tried again without luck. I had to stop and restart it every few minutes to get it to process a few thousand messages. Finally, I purchased an IMail service agreement and upgraded to 8.21. Magically, it worked. The queue manager started to deliver messages as soon as they arrived. My thoughts immediately went into conspiracy mode. It seems like this has happened before where we had a perfectly workable solution and something completely confusing happened and an upgrade magically fixes it!



Anyway... I re-enabled Declude and let it run overnight. Now I have a backlog again. There are mostly D*.SMD files in the spool right now with all their delivery Q* files in the overflow directory (*shakes fist at overflow directory*). Time to start the process again today. I'm disabling Declude to get those messages out, and one thing to note: after I have stopped the SMTP server and added smtpd.exe back into the delivery application, I still have about 20+ declude.exe processes. I have stopped and started it again as well as the queue manager and they are still there. In fact they are creating more declude.exe processes as I watch. I'm trying to kill them, but they just keep coming back... having to restart so I can start processing mail.



We are an ISP and here are some random examples of some of our Imail daily reports to give you an idea of what kind of traffic we see:


--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


<<<<


[This E-mail scanned for viruses by F-Prot]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
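Added example, not written by anyone on this thread: a small Python script that performs the two checks the thread describes, the per-day count of "ERR * invalid user" log lines that Dan Horne suggests for telling a dictionary attack from ordinary load, and the per-source-IP threshold behind the top poster's BlackICE rule (block after 3 invalid-recipient attempts, block lasts 1 hour). The log lines are constructed, and their layout (`MM/DD HH:MM:SS SMTPD(session) [client-ip] message`) is an assumed IMail-like format rather than real IMail output; the one-hour span over which the 3 attempts are counted is also an assumption, since the thread only states the attempt count and the block duration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED IMail-like layout (not real IMail output):
#   MM/DD HH:MM:SS SMTPD(<session>) [<client-ip>] <message>
# 203.0.113.5 hammers four bad recipients in four seconds; 198.51.100.7 spreads
# three bad recipients over more than an hour; 192.0.2.9 makes a single typo.
SAMPLE_LOG = """\
07/29 09:00:01 SMTPD(0001) [203.0.113.5] ERR mail.example.net invalid user aaron
07/29 09:00:02 SMTPD(0001) [203.0.113.5] ERR mail.example.net invalid user abby
07/29 09:00:03 SMTPD(0001) [203.0.113.5] ERR mail.example.net invalid user abe
07/29 09:00:04 SMTPD(0001) [203.0.113.5] ERR mail.example.net invalid user adam
07/29 09:05:00 SMTPD(0002) [198.51.100.7] ERR mail.example.net invalid user bob
07/29 09:06:00 SMTPD(0003) [198.51.100.7] RCPT TO: <alice@example.net> OK
07/29 10:30:00 SMTPD(0004) [198.51.100.7] ERR mail.example.net invalid user carl
07/29 10:31:00 SMTPD(0005) [198.51.100.7] ERR mail.example.net invalid user cathy
07/30 11:00:00 SMTPD(0006) [192.0.2.9] ERR mail.example.net invalid user dave
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"\[(?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
# Same idea as the wildcard search 'ERR * invalid user': any host name is accepted
# between ERR and 'invalid user', so rejections for other IP-bound host names match too.
INVALID_USER_RE = re.compile(r"^ERR \S+ invalid user\b")


def parse_invalid_user_events(log_text, year=2005):
    """Return (timestamp, client_ip) for every invalid-user rejection in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not INVALID_USER_RE.match(m.group("msg")):
            continue
        ts = datetime.strptime(
            f"{year}/{m.group('date')} {m.group('time')}", "%Y/%m/%d %H:%M:%S"
        )
        events.append((ts, m.group("ip")))
    return events


def invalid_users_per_day(events):
    """Daily totals: the 'is this a dictionary attack?' number from the thread."""
    counts = defaultdict(int)
    for ts, _ in events:
        counts[ts.date().isoformat()] += 1
    return dict(counts)


def ips_to_block(events, threshold=3, window=timedelta(hours=1),
                 block_for=timedelta(hours=1)):
    """Map client IP -> block expiry for IPs that reach `threshold` invalid-user
    rejections inside any `window` span (the window is an assumption; the thread
    only says '3 attempts'); the block lasts `block_for` from the triggering attempt."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span is at most `window` long.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t + block_for
                break
    return flagged


if __name__ == "__main__":
    evs = parse_invalid_user_events(SAMPLE_LOG)
    print("invalid-user rejections per day:", invalid_users_per_day(evs))
    for ip, until in ips_to_block(evs).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

On the sample input only 203.0.113.5 crosses the threshold; 198.51.100.7 also produces three rejections, but spread over more than the window, which is the difference between a dictionary run and a user mistyping addresses. Run against a real day's log the per-day total is the number Dan Horne describes, and the threshold function shows which sources a BlackICE-style rule would have blocked.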
