> The programs that perform this kind of attack often change IPs within a
> short time, so blocking a group of addresses is the only way to gain some
> protection. Once you have the IP and the owner, contact them and tell them
> of your trouble.
Have you ever tried to contact UUnet? They are a major source of spammers
according to our logs and a recent article.
It takes them awhile to find the spammer because of their backlog.
After the find the spammer, they do whatever they do to them, and then tell
you.
They also say if you want to contact the spammer, you need to subpoena UUnet
for the info.
Yeah right.
They should respond but cutting off the users account. I
> remember the name of one, 'Geolist', about 2 years ago (I think
> it gave the
> name somewhere in its connection attempt, check the IMail log).
> The program
> also changed the senders email address pretty quickly, too, so 'Kill list'
> was not effective (unless they use the same domain all the time and I'm
> pretty sure that changed, too).
>
> There are some other things that can slow them down. IMail
> Registry hacks to
> limit number of RCPT To (check manual/kb) and a delay between them (again,
> in manual/kb) are 2 possibilities. Another member said to use a
> nobody alias
> (so all addresses appear valid), but my impression of that is they will
> think the addresses are valid and try them again in the future (I
> suppose if
> they are selling the harvested addresses, then they are selling garbage
> addresses). None of these stop the program from connecting (except the IP
> block) so they are less than 100% effective and will still fill
> up log space
> and use resources.
>
> The difficulty in creating an effective block, is that having an invalid
> RCPT TO:, is actually pretty normal, so then one has to have some
> number of
> them before applying the defense (you will make those decisions
> when you use
> the above registry hacks). How many, before setting the defense? Too many
> and the defense is not effective, too few and you affect valid email. And
> with a smart attack program, it will use fewer addresses,
> reconnect and try
> some more.
>
> Daniel Donnelly
> ________________________________________________________
>
> ----- Original Message -----
> From: "Florida.com" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 13, 2001 10:09 PM
> Subject: RE: [IMail Forum] Stopping Dictionary Attacks
>
>
> > > Find his IP address and block that IP range from sending mail. You
> should
> > > be able to find the IP address he/she is sending the mail from.
> >
> >
> >
> > Unfortunately we suffer from same problem. We tried the above but to no
> > avail. They will dial in from another ip that won't be blocked.
> >
> > We finally blocked out all of 63.... which worked. It blocked out all of
> > UUnet But how long could we do that for?
> >
> > Perhaps Imail 7 should have a feature that will block this out. Declude
> says
> > they will have something as well.
> >
> >
> >
> >
> >
> >
> >
> >
> > > ----- Original Message -----
> > > From: "Tom Krowas" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, February 13, 2001 3:08 PM
> > > Subject: [IMail Forum] Stopping Dictionary Attacks
> > >
> > >
> > > > I suffering from a huge Dictionary attack on a domain I
> host (a SPAMER
> > > > is going through every word and variation of words in the dictionary
> > > > trying to find addresses at that domain) and my logs have become
> useless
> > > > and huge (10,000 + pages and 100 megs per day!). Does any
> one know of
> a
> > > > way to prevent this. Ipswitch says I would need to contact
> the SPAMER
> > > > and tell them to stop, but that is WAY easier said than done. I
> > > > desperate here!
> > > >
> > > >
> > > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > > to be removed from this list.
> > > >
> > > > An Archive of this list is available at:
> > > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > >
> > >
> > >
> > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > to be removed from this list.
> > >
> > > An Archive of this list is available at:
> > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > >
> > >
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
