The programs that perform this kind of attack often change IPs within a
short time, so blocking a group of addresses is the only way to gain some
protection. Once you have the IP and the owner, contact them and tell them
of your trouble. They should respond by cutting off the user's account. I
remember the name of one, 'Geolist', about 2 years ago (I think it gave the
name somewhere in its connection attempt, check the IMail log). The program
also changed the sender's email address pretty quickly, too, so 'Kill list'
was not effective (unless they use the same domain all the time and I'm
pretty sure that changed, too).

There are some other things that can slow them down. IMail Registry hacks to
limit number of RCPT To (check manual/kb) and a delay between them (again,
in manual/kb) are 2 possibilities. Another member said to use a nobody alias
(so all addresses appear valid), but my impression of that is they will
think the addresses are valid and try them again in the future (I suppose if
they are selling the harvested addresses, then they are selling garbage
addresses). None of these stop the program from connecting (except the IP
block) so they are less than 100% effective and will still fill up log space
and use resources.

The difficulty in creating an effective block is that having an invalid
RCPT TO: is actually pretty normal, so then one has to have some number of
them before applying the defense (you will make those decisions when you use
the above registry hacks). How many, before setting the defense? Too many
and the defense is not effective, too few and you affect valid email. And
with a smart attack program, it will use fewer addresses, reconnect and try
some more.

Daniel Donnelly
________________________________________________________
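
An added example (not part of the original message, and not IMail's own code) of the threshold trade-off described above: rejected RCPT TO replies are counted per address block over a sliding time window, so an attacker who reconnects from neighbouring IPs with only a few addresses each time is still caught, while a sender with one mistyped address is not. The log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a made-up layout (NOT IMail's real log format):
# timestamp, client IP, one RCPT TO and the server's reply code.
SAMPLE_LOG = """\
2001-02-13 22:00:01 192.0.2.10 RCPT TO:<aaron@example.com> 550
2001-02-13 22:00:02 192.0.2.10 RCPT TO:<abby@example.com> 550
2001-02-13 22:00:40 198.51.100.7 RCPT TO:<sales@example.com> 250
2001-02-13 22:01:10 192.0.2.44 RCPT TO:<abel@example.com> 550
2001-02-13 22:01:11 192.0.2.44 RCPT TO:<abe@example.com> 550
2001-02-13 22:02:05 198.51.100.7 RCPT TO:<slaes@example.com> 550
2001-02-13 22:03:30 192.0.2.91 RCPT TO:<ace@example.com> 550
2001-02-13 22:03:31 192.0.2.91 RCPT TO:<ada@example.com> 550
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT TO:<[^>]*> (\d{3})")

def parse(log):
    """Yield (timestamp, client address, reply code) for each RCPT line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group(2)), m.group(3)

def flag_networks(log, threshold=5, window=timedelta(minutes=10), prefix=24):
    """Map each network to the time its rejected-RCPT count, taken over the
    sliding window and across all connections, first reached the threshold."""
    recent = defaultdict(deque)   # network -> timestamps of recent 550s
    flagged = {}
    for ts, ip, code in parse(log):
        if code != "550":         # only rejected recipients count
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        q = recent[net]
        q.append(ts)
        while ts - q[0] > window: # drop rejections older than the window
            q.popleft()
        if len(q) >= threshold and net not in flagged:
            flagged[net] = ts
    return flagged
```

With `prefix=32` the same function counts per single IP, which the constructed attacker stays under by moving between addresses; with `threshold=1` the sender with a single typo is flagged as well.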

----- Original Message -----
From: "Florida.com" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 13, 2001 10:09 PM
Subject: RE: [IMail Forum] Stopping Dictionary Attacks


> > Find his IP address and block that IP range from sending mail.  You should
> > be able to find the IP address he/she is sending the mail from.
>
> Unfortunately we suffer from the same problem.  We tried the above but to no
> avail. They will dial in from another IP that won't be blocked.
>
> We finally blocked out all of 63.... which worked. It blocked out all of
> UUnet. But how long could we do that for?
>
> Perhaps IMail 7 should have a feature that will block this out. Declude says
> they will have something as well.
>
> > ----- Original Message -----
> > From: "Tom Krowas" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 13, 2001 3:08 PM
> > Subject: [IMail Forum] Stopping Dictionary Attacks
> >
> >
> > > I am suffering from a huge Dictionary attack on a domain I host (a SPAMMER
> > > is going through every word and variation of words in the dictionary
> > > trying to find addresses at that domain) and my logs have become useless
> > > and huge (10,000 + pages and 100 megs per day!). Does anyone know of a
> > > way to prevent this? Ipswitch says I would need to contact the SPAMMER
> > > and tell them to stop, but that is WAY easier said than done. I am
> > > desperate here!
> > >
> > >
> > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > to be removed from this list.
> > >
> > > An Archive of this list is available at:
> > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > >

