Black Ice will look at the error rate and block it after 20 errors in 2 minutes from the same IP (or some number like that - you can custom configure it to your liking as well).
The fact that you have a nat'ted customer with hundreds of users on a single IP will be fine, as long as they aren't sending a bunch of mail to 'invalid users'.

Jason

----- Original Message -----
From: "Heimir Eidskrem" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 22, 2003 10:20 AM
Subject: Re: Re[2]: [IMail Forum] what a pain!

> I am not sure how BlackIce would help in a dictionary attack?
>
> Could you please elaborate on that?
>
> H.
>
> ----- Original Message -----
> From: "Scott Winberg" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 22, 2003 9:32 AM
> Subject: RE: Re[2]: [IMail Forum] what a pain!
>
> > I used to get about 1000 of these a day. I would block the ip and it would just come from a different ip in a different country as fast as I could block them. All started with John@. I installed BlackIce and now get none.
> >
> > Scott Winberg
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of paul
> > Sent: Wednesday, January 22, 2003 7:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Re[2]: [IMail Forum] what a pain!
> >
> > Ok Sandy, hope this explains it better...
> > This person or persons, using [EMAIL PROTECTED] name changes each time, and tries sending mail to certain addresses NOT hosted by us, below is an example from this morning ARGH!
> >
> > 01:22 01:21 SMTPD(272F00D8) [80.24.134.146] MAIL From: <[EMAIL PROTECTED]>
> > 01:22 01:21 SMTPD(272F00D8) [80.24.134.146] RCPT To:<[EMAIL PROTECTED]>
> > 01:22 01:21 SMTPD(272F00D8) [80.24.134.146] ERR mail.2khiway.net invalid user <[EMAIL PROTECTED]
> >
> > Seems he's always trying to send to @crossroadsapplctr.com, and @cwsins.com, both which I've never heard of. As I said before, the name after john@ changes, as does the IP address he sends from. This one WHOISes back to Spain.
> >
> > Any ideas?
> > Is there even anything I can DO that I haven't already? <listing the address in my kill file and IP in the access list>
> >
> > Paul
> >
> > > Well, is that a domain that you host? That'll tell you whether it's a local dictionary attack or a remote relay attempt.
> > >
> > > -Sandy
> >
> > ---
> > [This E-mail scanned for viruses by Declude Virus]
> >
> > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
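
The rate rule described in the top reply (20 errors in 2 minutes from the same IP), applied to log lines in the format Paul quoted. This is an added example, not part of the original thread and not BlackICE's own logic; it assumes the first two log fields are month:day and hour:minute, assumes the year, and uses constructed sample lines with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout follows the log sample quoted in the thread; reading the first
# two fields as month:day and hour:minute is an assumption.
ERR_RE = re.compile(r"^(\d\d):(\d\d) (\d\d):(\d\d) SMTPD\(\w+\) "
                    r"\[(\d+\.\d+\.\d+\.\d+)\] ERR \S+ invalid user")

def parse_error(line, year=2003):
    """Return (timestamp, ip) for an 'invalid user' error line, else None."""
    m = ERR_RE.match(line)
    if m is None:
        return None  # MAIL/RCPT and other lines never count against an IP
    month, day, hour, minute = map(int, m.groups()[:4])
    return datetime(year, month, day, hour, minute), m.group(5)

def find_offenders(lines, max_errors=20, window=timedelta(minutes=2)):
    """Map each IP to the time it reached max_errors errors within window."""
    recent = defaultdict(deque)  # ip -> error timestamps still inside the window
    blocked = {}
    for line in lines:
        hit = parse_error(line)
        if hit is None or hit[1] in blocked:
            continue
        ts, ip = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire errors older than the window
            q.popleft()
        if len(q) >= max_errors:
            blocked[ip] = ts
    return blocked

def sample_log():
    """Constructed lines: one bursting source and one busy NAT'ed customer."""
    fmt = "01:22 01:{:02d} SMTPD({:08X}) [{}] {}"
    lines = []
    for i in range(25):  # 25 invalid-user errors inside two minutes
        lines.append(fmt.format(21 + i // 13, i, "192.0.2.10",
                     f"ERR mail.example.com invalid user <john{i}@example.com>"))
    for i in range(200):  # heavy but valid traffic from a single shared IP
        lines.append(fmt.format(30 + i // 20, 100 + i, "198.51.100.7",
                                f"RCPT To:<user{i}@example.com>"))
    for minute in (30, 33, 36, 39):  # occasional typos, well under the threshold
        lines.append(fmt.format(minute, 900 + minute, "198.51.100.7",
                     "ERR mail.example.com invalid user <typo@example.com>"))
    return lines

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"block {ip}: threshold reached at {when:%m-%d %H:%M}")
```

Only `invalid user` errors are counted, so the shared-IP customer with 200 accepted recipients and a handful of typos stays under the threshold while the bursting source is flagged.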
