I like the analyses you've done. Along these lines, I don't know if you can access the info if you are not on the IMGATE lists, but Len and his pals have devoted the last few months of their lives to finding interesting and creative ways to slow the DOS using all kinds of nasty little scripts in IMGATE. Definitely worth a look.
-----Original Message-----
From: Smart Business Lists [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 11:47 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] dictionary attacks

I've been experimenting with programmatically entering the IP addresses of dictionary attacks in the IMAIL access control list (smtp32.acc) and thought I'd report, since this has been of interest on the list before. I had a good opportunity, since we were hit with a significant attack over the last 24 hours that involved a total of 45 IP addresses in different network ranges. This attack involved about 2,000 e-mail addresses. This is the first I've seen of the multi-IP attack.

The concept works pretty easily, but I think the practical usefulness is questionable. Basically I have to monitor the IMAIL log file for "SMTPD" "ERR" "invalid user" lines and parse for the IP address. When the count for an IP address hits a threshold (4 in my case), then I add it to the ACL and toggle the server. But there are several practical problems:

1) Frequently a whole group of log entries hits the log file at one time. I think perhaps that the log may not be written until after an SMTP dialogue is closed or some sort of buffer is filled, whichever occurs first. I'm really not at all certain. But suffice it to say that in some instances (not all) I was only able to add the IP address to the ACL after the attack had occurred. That's good for preventing future attacks but very little help in preventing a current attack. I really think what is needed here is some sort of IMAIL setting that allows one to set a threshold number for "invalid users". Then the SMTP dialogue could be interrupted by IMAIL and dictionary attacks avoided.

2) I had some "invalid user" lines originate from web programs that hit IMAIL via my internal IPs, and I had others that came from backup MX servers. So you have to be cautious not to add any of those to your ACL.

3) There is also an issue where someone tries the same address repeatedly. These seem to be legitimate errors made by overly persistent users.

4) Among the 45 IPs used in our most recent attack there were several big ISPs that it is just not desirable to list.

Whereas it is possible and relatively easily done to list an IP address in the ACL based on log file data, I don't think in practice it is a worthy concept.

Terry Fritts

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
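The log-parsing and threshold logic Terry describes, written out as an added example; this is not his script and not anything shipped with IMail. The log lines below are constructed, and their field layout is an assumption made for the example: the code relies only on what the post names, the tokens "SMTPD", "ERR" and "invalid user" appearing together on a line along with the client IP. It also folds in the three caveats from the post: internal addresses and backup MX hosts are exempted, per-IP counting is done on distinct recipient addresses so one persistent user retrying a single bad address never crosses the threshold, and the same exemption list can carry any big-ISP ranges you refuse to list. Appending to smtp32.acc and toggling the server are left out, since the post does not show that file's format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log excerpt. The field layout is an assumption made for
# this example; the code relies only on what the post names: the tokens
# "SMTPD", "ERR" and "invalid user" on one line, plus the client IP address.
SAMPLE_LOG = """\
08/16/02 09:13:02 SMTPD (00000029) [203.0.113.7] ERR invalid user: alice@example.com
08/16/02 09:13:02 SMTPD (00000029) [203.0.113.7] ERR invalid user: alan@example.com
08/16/02 09:13:03 SMTPD (00000029) [203.0.113.7] ERR invalid user: albert@example.com
08/16/02 09:13:03 SMTPD (00000029) [203.0.113.7] ERR invalid user: alex@example.com
08/16/02 09:13:04 SMTPD (00000029) [203.0.113.7] ERR invalid user: alfred@example.com
08/16/02 09:14:10 SMTPD (0000002a) [192.168.1.10] ERR invalid user: form1@example.com
08/16/02 09:14:11 SMTPD (0000002a) [192.168.1.10] ERR invalid user: form2@example.com
08/16/02 09:14:12 SMTPD (0000002a) [192.168.1.10] ERR invalid user: form3@example.com
08/16/02 09:14:13 SMTPD (0000002a) [192.168.1.10] ERR invalid user: form4@example.com
08/16/02 09:15:00 SMTPD (0000002b) [198.51.100.5] ERR invalid user: bob@example.com
08/16/02 09:15:01 SMTPD (0000002b) [198.51.100.5] ERR invalid user: bill@example.com
08/16/02 09:15:02 SMTPD (0000002b) [198.51.100.5] ERR invalid user: ben@example.com
08/16/02 09:15:03 SMTPD (0000002b) [198.51.100.5] ERR invalid user: bart@example.com
08/16/02 09:16:00 SMTPD (0000002c) [198.51.100.77] ERR invalid user: jon@example.com
08/16/02 09:16:30 SMTPD (0000002c) [198.51.100.77] ERR invalid user: jon@example.com
08/16/02 09:17:00 SMTPD (0000002c) [198.51.100.77] ERR invalid user: jon@example.com
08/16/02 09:17:30 SMTPD (0000002c) [198.51.100.77] ERR invalid user: jon@example.com
08/16/02 09:18:00 SMTPD (0000002c) [198.51.100.77] ERR invalid user: jon@example.com
08/16/02 09:18:10 SMTPD (0000002d) [198.51.100.90] OK mail from carol@example.net
08/16/02 09:19:00 SMTPD (0000002e) [203.0.113.40] ERR invalid user: dan@example.com
08/16/02 09:19:01 SMTPD (0000002e) [203.0.113.40] ERR invalid user: dave@example.com
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR_RE = re.compile(r"invalid user:?\s*(\S+)", re.IGNORECASE)


def parse_invalid_user(line):
    """Return (client_ip, attempted_address) for an SMTPD 'invalid user' error line, else None."""
    if "SMTPD" not in line or "ERR" not in line or "invalid user" not in line.lower():
        return None
    ip_match, addr_match = IPV4_RE.search(line), ADDR_RE.search(line)
    if not ip_match or not addr_match:
        return None
    try:
        ip = str(ipaddress.IPv4Address(ip_match.group(1)))  # rejects e.g. 999.1.2.3
    except ValueError:
        return None
    return ip, addr_match.group(1).lower()


def suspicious_ips(lines, threshold=4, exempt_networks=(), backup_mx=(),
                   count_distinct_targets=True):
    """Map client IP -> count for every IP that crossed the threshold and is not exempt.

    count_distinct_targets=True counts distinct recipient addresses tried (a dictionary
    attack walks many addresses), so a persistent user retrying one bad address never
    trips it. exempt_networks holds internal ranges (and any big-ISP ranges you refuse
    to list); backup_mx holds the secondary MX hosts, whose relayed mail also produces
    these errors.
    """
    exempt = [ipaddress.ip_network(n) for n in exempt_networks]
    mx = {str(ipaddress.ip_address(a)) for a in backup_mx}
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, addrs in per_ip.items():
        if ip in mx or any(ipaddress.ip_address(ip) in net for net in exempt):
            continue
        n = len(set(addrs)) if count_distinct_targets else len(addrs)
        if n >= threshold:
            flagged[ip] = n
    return flagged


if __name__ == "__main__":
    hits = suspicious_ips(SAMPLE_LOG.splitlines(), threshold=4,
                          exempt_networks=["192.168.0.0/16"], backup_mx=["198.51.100.5"])
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} distinct invalid recipients, candidate for smtp32.acc")
```

Run against the sample, only 203.0.113.7 comes out: the internal web server and the backup MX are exempt, the address-retrying user at 198.51.100.77 has only one distinct target, and 203.0.113.40 is under the threshold. Switching count_distinct_targets off flags 198.51.100.77 as well, which is exactly the false positive from point 3. Whatever feeds this the log (a tail on a schedule, for instance) is still subject to the buffering delay from point 1; the parser cannot see an entry before IMail writes it.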
