portsniffing:
He probably swept the whole data facility (XO) looking for a target.
Happens every day, thousands of times.

My box has 4 IPs on it; the one with a domain name attached to it was not the one he was attacking, it was an unnamed IP. My abilities to portsniff are limited, my knowledge is outweighed by my ignorance, but I do know IIS and SQL are stable/patched/wrapped; IMail is the issue.
The "issue" of 500K emails in your spool? Yes, they would only get there via IMail. And from the log bits you posted, they weren't addressed to your domains, so the "issue" was IMail open relay.

pop3:
Probably he is trying to find valid email addresses.
No, POP is not what spammers use for sending email. Wrong tree.

Or use an app to attack the possible passwords for commonly used accounts like webmaster, info, contact... send u/n webmaster, try pwd: 1, 2, 3... I used kendra/ogre in the past myself on my own boxes. I could find valid accounts and, if I had the time, I could try to attack, say, 'webmaster' with a dictionary file to brute force entry.
A brute force password attack works on SMTP AUTH also. The only defense is "good" passwords, and some "log surfing bot" to respond with a packet filter block of IPs that fail too many times.

smtp:
Interesting how it comes back, like a horror movie: kill the bad guy and he is back. The acc file is huge, but every time I enter a new IP, he comes up with a new one, so given that I do not have an infinite number of hours to sift and enter IPs, there has to be a better way.
If he really is coming in from hundreds or thousands of IPs, this is a very tough DoS, and all you can do is deny relay attempts and reject mail to local users. Blocking thousands of IPs in IMail is futile.

Blocking thousands of IPs in a packet filter is more efficient, but you still need a surfbot to detect the attack and respond with an IP block.

(I and another IMail user are working on a new program to handle just your situation. It will help reduce your pain, not remove it. Hmm, "IMAspirin"?)

relaying:
I had it set to only relay for local addresses.
So you "only" got violated as an open relay.

spools/logs:
The guy was persistent, but maybe his return address was something else; maybe that is why I don't get people sending me unsubscribe emails. The sheer fact that I turned everything but IIS off for 8 hours and, on turning it back on, he resumed makes me think that no matter how long I attempt to hide, he will always come back.
Relax, it can go on for months. You've made him feel like a great "pitcher" by being a great "catcher" of his 500K emails. And I'm not talking about baseball. :))

One thing we see in IMGate is that, quite often, the attackers who were feasting on IMail and nobody aliases, and other receive-the-entire-message content-scanner defenses, go hungry from the brutal door slam that IMGate hits them with. And they tend, sometimes, not to come back.

Len


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
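As an added illustration of the "log surfing bot" Len describes for both the SMTP AUTH brute-force case and the relay-flood case (this is example code written for this page, not code from the original post, and not IMGate, "IMAspirin" or any Ipswitch tool): a small Python sketch that reads mail-server log lines in chronological order, counts AUTH failures and relay denials per source IP over a sliding time window, and emits one packet-filter block decision per offending IP. The log line format, the event names (AUTH_FAIL, RELAY_DENIED, AUTH_OK), the sample lines and the "block <ip>" rule text are all constructed assumptions for the example; a real bot would parse IMail's own log format and translate the decision into the syntax of whatever packet filter is in front of the box.

```python
"""Sketch of a log-surfing bot: block IPs that fail SMTP AUTH or relay
attempts too many times inside a sliding window.  Example code, not any
real product; the log format below is an assumption, not IMail's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (chronological).  Assumed format:
#   "<YYYY-MM-DD HH:MM:SS> <source-ip> <EVENT> <details>"
# 203.0.113.7  : dictionary attack on 'webmaster' via SMTP AUTH
# 198.51.100.9 : relay attempts to non-local recipients
# 192.0.2.44   : a few spread-out failures, i.e. a legitimate fat-fingered user
SAMPLE_LOG = """\
2003-05-01 10:00:01 203.0.113.7 AUTH_FAIL user=webmaster
2003-05-01 10:00:02 203.0.113.7 AUTH_FAIL user=webmaster
2003-05-01 10:00:03 203.0.113.7 AUTH_FAIL user=webmaster
2003-05-01 10:00:04 203.0.113.7 AUTH_FAIL user=webmaster
2003-05-01 10:00:05 203.0.113.7 AUTH_FAIL user=webmaster
2003-05-01 10:00:06 203.0.113.7 AUTH_FAIL user=webmaster
2003-05-01 10:00:10 198.51.100.9 RELAY_DENIED to=victim1@example.net
2003-05-01 10:00:11 198.51.100.9 RELAY_DENIED to=victim2@example.net
2003-05-01 10:00:12 198.51.100.9 RELAY_DENIED to=victim3@example.net
2003-05-01 10:00:13 198.51.100.9 RELAY_DENIED to=victim4@example.net
2003-05-01 10:00:14 198.51.100.9 RELAY_DENIED to=victim5@example.net
2003-05-01 10:01:00 192.0.2.44 AUTH_FAIL user=info
2003-05-01 10:03:00 192.0.2.44 AUTH_OK user=info
2003-05-01 10:05:00 192.0.2.44 AUTH_FAIL user=info
2003-05-01 10:09:00 192.0.2.44 AUTH_FAIL user=info
2003-05-01 10:13:00 192.0.2.44 AUTH_FAIL user=info
2003-05-01 10:17:00 192.0.2.44 AUTH_FAIL user=info
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) (AUTH_FAIL|RELAY_DENIED|AUTH_OK)\b")
# Events that count as "strikes" against the source IP.
STRIKE_EVENTS = {"AUTH_FAIL", "RELAY_DENIED"}


def parse_line(line):
    """Return (timestamp, ip, event) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


class SurfBot:
    """Sliding-window counter: `threshold` strikes within `window` => block."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.strikes = defaultdict(deque)  # ip -> timestamps of recent strikes
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the IP to block, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip, event = parsed
        if event not in STRIKE_EVENTS or ip in self.blocked:
            return None
        q = self.strikes[ip]
        q.append(ts)
        # Drop strikes that fell out of the window (lines must be in time order).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)       # emit exactly one block per IP
            del self.strikes[ip]
            return ip
        return None


def block_rule(ip):
    """Illustrative rule text; map to your packet filter's real syntax."""
    return f"block {ip}"


def run(log_text, threshold=5, window_seconds=60):
    """Surf a whole log and return the block rules in the order they fired."""
    bot = SurfBot(threshold, timedelta(seconds=window_seconds))
    rules = []
    for line in log_text.splitlines():
        ip = bot.feed(line)
        if ip:
            rules.append(block_rule(ip))
    return rules


if __name__ == "__main__":
    for rule in run(SAMPLE_LOG):
        print(rule)
```

With the defaults (5 strikes in 60 seconds) the two attackers are blocked on their fifth strike and the user spreading failures over a quarter of an hour is left alone; widening the window to an hour would catch that third IP too, which is the trade-off Len's "fail too many times" hides. Two things a production bot also needs that this sketch omits: blocks should expire (otherwise thousands of entries accumulate exactly as in the acc file), and blocks for the hundreds-of-IPs DoS case still only buy time, since each new source IP gets its free strikes before the threshold trips.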
