What I meant to say was:

portsniffing: he probably swept the whole data facility (XO) looking for a target. My box has 4 IPs on it; the one with a domain name attached to it was not the one he was attacking, it was an un-named IP. My abilities to portsniff are limited, my knowledge is outweighed by my ignorance, but I do know IIS and SQL are stable/patched/wrapped; IMail is the issue.
pop3: probably he is trying to find valid email addresses or use an app to attack the possible passwords for commonly used accounts like webmaster, info, contact... send u/n webmaster, try pwd: 1, 2, 3... I used kendra/ogre in the past myself on my own boxes. I could find valid accounts and, if I had the time, I could try to attack, say, 'webmaster' with a dictionary file to brute force entry. Eventually you would think he would give up from timeouts/host unreachable... especially since I took the box offline for 8 hours here, 12 hours there...

smtp: interesting how it comes back, like a horror movie: kill the bad guy and he is back. The acc file is huge, but every time I enter a new IP, he comes up with a new one, so given that I do not have an infinite number of hours to sift and enter IPs, there has to be a better way.

relaying: I had it set to only relay for local addresses, given that the major accounts were aliases and tim@domain was the only legit account. When I got back from Paris I learned that the box was being banged.

webmsg: it goes down fast, really fast. When it is down, smtp is up... or so it seems.

sql+iis+imail on one box: well, yes. This is a development box, with one live domain plus splash page, and that is not the domain he is attacking; he is going for another IP on the box. Although we have locked down most ports, and have wrappers around IIS like Secure IIS to prevent IIS from being hit, and SQL is SP3, all the defaults are set to low file sizes; the amount of physical RAM as well as dual CPUs prevent system instability or apps hogging threads and RAM.

spools/logs: the guy was persistent, but maybe his return address was something else; maybe that is why I don't get people sending me unsubscribe emails. The sheer fact that I turned everything but IIS off for 8 hours and on turning it back on he resumed makes me think no matter how long I attempt to hide, he will always come back.
ipsec: well, I did enable IPsec, but it cut off all ties to everyone but my office workstation. This makes it hard for me to develop off of when working anyplace else but the office, and hard to show network execs our plans. The mid-range option does not do anything but tighten down the logs so it is easier to ID the guy, but again, an ounce of prevention is worth a pound of cure. I would rather strategize than have to do tactics.

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
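The "better way" the poster is asking for in the smtp and pop3 paragraphs (instead of hand-entering each new IP into the access file) is to let the logs drive the block list: count failed POP3/SMTP logins per source address in a sliding time window and flag anything that crosses a threshold. The script below is an added example written for this page; it is not code from the original post and it does not come from Ipswitch or IMail. The log line format, the sample log, the IP addresses (documentation ranges) and the thresholds are all constructed for illustration; IMail's real log layout is not assumed, so the parser would need adjusting to a real file.

```python
"""Sliding-window brute-force detector over constructed POP3/SMTP auth logs.

Added example, not from the original post or from IMail.  The log format
is invented for this demonstration; each line reads:

    YYYY-MM-DD HH:MM:SS <PROTO> <source-ip> <verb> <username> OK|FAIL
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one host hammering common account names over
# POP3, the same /24 coming back over SMTP once the first address is cut
# off, and one legitimate user who fat-fingers a password once.
SAMPLE_LOG = """\
2003-05-12 03:14:07 POP3 203.0.113.5 USER webmaster FAIL
2003-05-12 03:14:08 POP3 203.0.113.5 USER webmaster FAIL
2003-05-12 03:14:09 POP3 203.0.113.5 USER webmaster FAIL
2003-05-12 03:14:10 POP3 203.0.113.5 USER info FAIL
2003-05-12 03:14:11 POP3 203.0.113.5 USER contact FAIL
2003-05-12 03:14:12 POP3 203.0.113.5 USER webmaster FAIL
2003-05-12 03:20:01 POP3 198.51.100.9 USER tim OK
2003-05-12 04:02:30 SMTP 203.0.113.77 AUTH webmaster FAIL
2003-05-12 04:02:31 SMTP 203.0.113.77 AUTH webmaster FAIL
2003-05-12 04:02:32 SMTP 203.0.113.77 AUTH postmaster FAIL
2003-05-12 04:02:33 SMTP 203.0.113.77 AUTH info FAIL
2003-05-12 04:02:34 SMTP 203.0.113.77 AUTH contact FAIL
2003-05-12 04:02:35 SMTP 203.0.113.77 AUTH sales FAIL
2003-05-12 05:00:00 POP3 198.51.100.9 USER tim FAIL
2003-05-12 05:00:05 POP3 198.51.100.9 USER tim OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, proto, ip, user, ok)."""
    date, clock, proto, ip, _verb, user, result = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, proto, ip, user, result == "OK"


def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: set(usernames tried)} for every source that accumulates
    at least `threshold` failed logins inside any `window`-long span.

    A successful login clears the source's failure history, so a real user
    who mistypes a password a couple of times is not swept up.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    tried = defaultdict(set)      # ip -> usernames it has failed against
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, _proto, ip, user, ok = parse_line(raw)
        if ok:
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = tried[ip]
    return flagged


def block_networks(ips, prefix=24):
    """Collapse flagged hosts into /prefix networks, so an attacker who hops
    to a neighbouring address in the same block is already covered."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, users in sorted(hits.items()):
        print(ip, "tried:", ", ".join(sorted(users)))
    print("block:", block_networks(hits))
```

On the sample data both 203.0.113.x hosts are flagged (the legitimate user at 198.51.100.9 is not, because a success resets the count) and they collapse to a single 203.0.113.0/24 rule. Widening the block to a whole /24 is a deliberate trade-off for the "he comes back from a new address" problem the post describes: it costs some collateral blocking of innocent neighbours, so keep the prefix configurable and review the generated list before feeding it to the access file.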
