I've been experimenting with programmatically entering the IP
addresses of dictionary attacks in the IMAIL access control list
(smtp32.acc) and thought I'd report since this has been of interest on
the list before.
I had a good opportunity since we were hit with a significant attack
over the last 24 hours that involved a total of 45 IP addresses in
different network ranges. This attack involved about 2,000 e-mail
addresses. This is the first I've seen of the multi-ip attack.
The concept works pretty easily but I think the practical usefulness
is questionable. Basically I have to monitor the IMAIL log file for
"SMTPD" "ERR" "invalid user" lines and parse for the IP address. When
the count for an IP address hits a threshold (4 in my case) then I add
it to the acl and toggle the server. But there are several practical
problems:
1) Frequently a whole group of log entries hits the log file at one
time. I think perhaps that the log may not be written until after
an smtp dialogue is closed or some sort of buffer is filled,
whichever occurs first. I'm really not at all certain. But suffice
it to say that in some instances (not all) I was only able to add
the IP address to acl after the attack had occurred.
That's good for preventing future attacks but very little help
in preventing a current attack.
I really think what is needed here is some sort of IMAIL
setting that allows one to set a threshold number for "invalid
users". Then the smtp dialogue could be interrupted by IMAIL
and dictionary attacks avoided.
2) I had some "invalid user" lines originate from web programs
that hit IMAIL via my internal IPs and I had others that came
from backup MX servers. So you have to be cautious not to add
any of those to your acl.
3) There is also an issue where someone tries the same address
repeatedly. These seem to be legitimate errors made by overly
persistent users.
4) Among the 45 IPs used in our most recent attack there were
several big ISPs that it is just not desirable to list.
Whereas it is possible and relatively easily done to list an IP
address in the acl based on log file data, I don't think in practice
it is a worthy concept.
Terry Fritts
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
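The log-scanning loop described in the post, as an added Python example that is neither Terry's script nor Ipswitch's code: it counts distinct rejected recipients per source IP, applies the threshold of 4, and skips internal and backup MX networks so they never reach the ACL. The log line layout, the network ranges and the sample lines are constructed assumptions; the smtp32.acc syntax and the server toggle are not shown on the page and are left out.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IMail-style SMTP log sample; the layout (time, service, client IP,
# level, message) is an assumption, so adjust LINE_RE to your server's logs.
SAMPLE_LOG = """\
03:14:01 SMTPD 203.0.113.7 ERR invalid user alice@example.com
03:14:01 SMTPD 203.0.113.7 ERR invalid user bob@example.com
03:14:02 SMTPD 203.0.113.7 ERR invalid user carol@example.com
03:14:02 SMTPD 203.0.113.7 ERR invalid user dave@example.com
03:15:10 SMTPD 192.168.1.20 ERR invalid user a@example.com
03:15:10 SMTPD 192.168.1.20 ERR invalid user b@example.com
03:15:11 SMTPD 192.168.1.20 ERR invalid user c@example.com
03:15:11 SMTPD 192.168.1.20 ERR invalid user d@example.com
03:16:00 SMTPD 198.51.100.9 ERR invalid user typo@example.com
03:16:30 SMTPD 198.51.100.9 ERR invalid user typo@example.com
03:17:00 SMTPD 198.51.100.9 ERR invalid user typo@example.com
03:17:30 SMTPD 198.51.100.9 ERR invalid user typo@example.com
03:18:00 SMTPD 203.0.113.7 OK mail from <x@example.org>
"""
LINE_RE = re.compile(
    r"^\S+\s+SMTPD\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+ERR\s+invalid user\s+(?P<rcpt>\S+)"
)
# Never add these to the ACL: internal hosts that run web programs and the
# backup MX relays (constructed values; substitute your own networks).
NEVER_BLOCK = (
    ipaddress.ip_network("192.168.0.0/16"),    # internal web servers
    ipaddress.ip_network("203.0.113.200/32"),  # backup MX
)

def classify(log_text, threshold=4, never_block=NEVER_BLOCK):
    """Verdict per client IP: 'block', 'exempt' or 'below-threshold'. Distinct
    rejected recipients are counted, so retries of one mistyped address do
    not look like a dictionary attack."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rejected[m["ip"]].add(m["rcpt"].lower())
    verdicts = {}
    for ip, rcpts in rejected.items():
        if any(ipaddress.ip_address(ip) in net for net in never_block):
            verdicts[ip] = "exempt"
        elif len(rcpts) >= threshold:
            verdicts[ip] = "block"
        else:
            verdicts[ip] = "below-threshold"
    return verdicts
```

Only IPs with verdict "block" would be written to the ACL; the "exempt" and "below-threshold" entries are worth logging so the exclusions can be reviewed.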