I am not finding where the dictionary limits are set at. I am in IMAIL, under services, then SMTP. There is nothing that talks about dictionary attacks. Can you elaborate a little bit?

----- Original Message -----
From: tnichols
To: [email protected]
Sent: Wednesday, June 27, 2007 2:21 PM
Subject: RE: [IMail Forum] Blocking IP
Kathy,

85.141.173.226 is the only IP from this snippet that needs blocking (the others might, but there is not enough info to tell with the others). Alternately you can turn on the SMTP dictionary attack settings (on the SMTP service page). This will automatically block an IP after a certain number of invalid users are sent to.

Imail also has dictionary attack settings to handle this sort of problem. Sending email to random users to harvest email addresses is referred to as a dictionary attack (in the SMTP world; it can also mean brute-force attempts to crack passwords in other settings). The dictionary attack settings work as follows:

Soft Error Limits: Once an IP address reaches this number of errors, each successive SMTP command response is delayed by the value in "Error Delay Seconds", and each error increases the delay by that amount. Thus if "Error Delay Seconds" is 5 seconds, once the soft error limit is reached the first error after that delays 5 sec, then 10, then 15 and so on.

Hard Error Limit: Once this number of errors for an IP address is reached, the IP is automatically placed in the SMTP Access Control list (i.e. blocked) for the amount of time in "Minutes To Deny Access".

Minutes To Deny Access: How long blocked IPs remain in the Access Control list.

Error Delay Seconds: Length of delay per error after the "Soft Error Limits" is reached.

If all the traffic is coming only from a single IP or a single network segment, just blocking the IP or the entire segment will work well (provided, with the segment, that you are not blocking legitimate IPs as well). However, if the attack is distributed it will come from multiple and often constantly changing IPs and segments. In this case the dictionary attack settings are the preferred method (unless you have lots of time on your hands and enjoy sifting through log files to find IPs to block).

The dictionary attack settings are not without drawbacks. You can block legitimate SMTP servers this way (someone who has an old email address or something like that). SMTP White Listing IPs can mitigate this problem.

Short version: If the IPs of spammers are a single IP or segment only, block the IP or segment. If not, use dictionary attack settings.

Soft Error Limits: 2
Hard Error Limit: 5
Minutes To Deny Access: 2  <-- you may want to increase this
Error Delay Seconds: 5

Are typical settings, but you may need to adjust for your situation.

To block an IP in Imail go to http://localhost/IAdmin/IMail/services/SMTPControlAccess.asp and add the IP to the list.

Ted Nichols
Ipswitch Messaging QA

------------------------------------------------------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kathy Lees
Sent: Wednesday, June 27, 2007 11:23 AM
To: [email protected]
Subject: [IMail Forum] Blocking IP

We have someone trying to send email through our service. The logs are below. How do I block that IP address from getting access and with the logs below, which IP address do I block?
85.141.173.226 or 89.79.92.147

[85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] EHLO alusia.chello.pl
06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] MAIL FROM:<[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0af211ef00d45d11) [64.7.202.222] connect 89.139.133.234 port 4085
06:27 00:00 SMTPD(0af211f000d45d12) [64.7.202.222] connect 85.141.173.226 port 2534
06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] RCPT TO:<[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0af211f000d45d12) [85.141.173.226] HELO fyorv
06:27 00:00 SMTPD(0af211f000d45d12) [85.141.173.226] MAIL FROM: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0af3087801505d13) [64.7.202.222] connect 213.22.68.9 port 4542
06:27 00:00 SMTPD(0af211f000d45d12) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>
06:27 00:00 SMTPD(0af211f000d45d12) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]
06:27 00:00 SMTPD(0af306da00f45d14) [64.7.202.222] connect 76.100.6.86 port 12919
06:27 00:00 SMTPD(0af3141100525d15) [64.7.202.222] connect 62.123.101.18 port 10190
06:27 00:00 SMTPD(0af3087801505d13) [213.22.68.9] EHLO Cosmos.netcabo.pt
06:27 00:00 SMTPD(0af306da00f45d14) [76.100.6.86] EHLO your-d137mzmhow.hsd1.md.comcast.net.
06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] RCPT TO:<[EMAIL PROTECTED]>
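Added example, not code from the thread or from Ipswitch/IMail: a small Python model of the four dictionary-attack settings exactly as Ted describes them (Soft Error Limits, Hard Error Limit, Minutes To Deny Access, Error Delay Seconds), plus a parser for the SMTPD log layout in Kathy's paste so the "invalid user" errors can be tallied per IP and replayed through the model. The log lines below are constructed to mirror the ones in the thread; the IP whitelist, the delay formula (errors past the soft limit times Error Delay Seconds) and the one-second spacing between log lines are assumptions made for the illustration, not documented IMail behaviour.

```python
import re
from collections import defaultdict

# Layout of the IMail SMTPD log lines in the thread:
#   HH:MM HH:MM SMTPD(<session id>) [<client ip>] <message>
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d) \d\d:\d\d SMTPD\((?P<session>[0-9a-f]+)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

# Constructed sample, modelled on the thread's log: one harvesting client
# (85.141.173.226) interleaved with a normal session from 89.79.92.147.
SAMPLE_LOG = [
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]",
    "06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] EHLO alusia.chello.pl",
    "06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]",
    "06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed087701505d0e) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]",
    "06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] MAIL FROM:<[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] RCPT TO: <[EMAIL PROTECTED]>",
    "06:27 00:00 SMTPD(0aed11ee00d45d0f) [85.141.173.226] ERR ltccw.com invalid user <[EMAIL PROTECTED]",
    "06:27 00:00 SMTPD(0aef162101265d10) [89.79.92.147] RCPT TO:<[EMAIL PROTECTED]>",
]


def parse_line(line):
    """Return (session, ip, msg) for a well-formed SMTPD log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("session"), m.group("ip"), m.group("msg")


def is_invalid_user_error(msg):
    """True for the 'ERR <domain> invalid user <addr>' lines a dictionary attack leaves behind."""
    return msg.startswith("ERR ") and "invalid user" in msg


def count_invalid_users(lines):
    """Tally invalid-user errors per client IP: the triage Ted did by eye on the paste."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_invalid_user_error(parsed[2]):
            counts[parsed[1]] += 1
    return dict(counts)


class DictionaryAttackGuard:
    """Illustrative model of the SMTP dictionary-attack settings (not IMail's code).

    Defaults are the 'typical settings' from the thread. `whitelist` is an
    assumed stand-in for SMTP White Listing: errors from those IPs are ignored.
    """

    def __init__(self, soft_error_limit=2, hard_error_limit=5,
                 minutes_to_deny=2, error_delay_seconds=5, whitelist=()):
        self.soft = soft_error_limit
        self.hard = hard_error_limit
        self.deny_seconds = minutes_to_deny * 60
        self.delay = error_delay_seconds
        self.whitelist = frozenset(whitelist)
        self.errors = defaultdict(int)   # invalid-user errors seen per IP
        self.blocked_until = {}          # ip -> time its Access Control entry expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # "Minutes To Deny Access" has elapsed: the entry drops out of the list.
            del self.blocked_until[ip]
            self.errors[ip] = 0
            return False
        return True

    def record_error(self, ip, now):
        """Apply one invalid-user error; return (response_delay_seconds, newly_blocked)."""
        if ip in self.whitelist:
            return 0, False
        self.errors[ip] += 1
        n = self.errors[ip]
        # Past the soft limit every further error adds "Error Delay Seconds":
        # 5 s, then 10 s, then 15 s with the default of 5 (assumed formula).
        delay = max(0, n - self.soft) * self.delay
        if n >= self.hard:
            # Hard limit reached: the IP goes into the SMTP Access Control list.
            self.blocked_until[ip] = now + self.deny_seconds
            return delay, True
        return delay, False


def simulate(lines, guard, seconds_per_line=1):
    """Replay a log through the guard; report delays applied, IPs blocked and commands refused."""
    delays, refused, blocked = defaultdict(list), defaultdict(int), set()
    for i, line in enumerate(lines):
        now = i * seconds_per_line          # assumed spacing; the real log only has minutes
        parsed = parse_line(line)
        if not parsed:
            continue
        _, ip, msg = parsed
        if guard.is_blocked(ip, now):
            refused[ip] += 1                # would have been rejected by the Access Control list
            continue
        if is_invalid_user_error(msg):
            delay, newly_blocked = guard.record_error(ip, now)
            delays[ip].append(delay)
            if newly_blocked:
                blocked.add(ip)
    return {"delays": dict(delays), "blocked": blocked, "refused": dict(refused)}


if __name__ == "__main__":
    print("invalid-user errors per IP:", count_invalid_users(SAMPLE_LOG))
    print(simulate(SAMPLE_LOG, DictionaryAttackGuard()))
```

Running it shows the two halves of Ted's advice: the tally alone singles out 85.141.173.226 (six errors, none from 89.79.92.147), and the replay shows why the settings handle a distributed attack without log sifting: errors three, four and five from that IP get 5, 10 and 15 second response delays, the fifth puts the IP in the Access Control list, and its next two commands are refused while 89.79.92.147 is never touched. Raising `minutes_to_deny`, as Ted suggests, only lengthens the expiry that `is_blocked` checks.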
