> That is correct. Special logic is required to distinguish a dictionary
> attack from mailing lists with recipients that are no longer on your
> server. However, if you search the archives for "BlackIce Server", you
> should find posts about that program, which apparently can be
> used to help prevent dictionary attacks.
From what I've seen, you can get rid of your nobody accounts and set up some filters (grep or even just using find and sort, although it is more limited) to locate the log entries for invalid users. These seem to fall into three categories:

- attempts to use your server as a mail relay
- dictionary attacks (I've seen one that does only a few a day, no more than once or twice a day, but repeats every day, trying to keep below the limits of firewalls such as Black Ice).
- old users -- I've given up on these and just ignore most of them -- if we were large and had huge numbers, I'd start bouncing emails from the senders on these with a message to them that none of their emails were coming through due to their inability to clean up their mailing lists -- most are old customers and vendors and a few more legit type places, that just don't bother cleaning up their mailing lists. The others are spammers that notifying them would do no good anyway.

I sort them and block the first two by IP for a while (or forever, most are from Korea, China or DSL lines), that's cut down on them dramatically.

An automatic tool would be better, of course, but I doubt they would find the instances where smart attacks (only 5 or 6, no more than 10 per attempt) are used.

Karen
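
An added example, not part of Karen's post or any Ipswitch tool: a sketch of the log filter described above, sorting rejections by source IP into the three categories. It counts distinct invalid names over the whole log window rather than per day, so a source that tries only a couple of names a day still stands out. The log layout, event names, local domain and threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

LOCAL_DOMAIN = "ourdomain.example"  # assumed local mail domain

# Constructed sample: date, source IP, event, recipient (hypothetical layout)
SAMPLE_LOG = """\
2004-03-01 203.0.113.7 RELAY_DENIED buyer@elsewhere.example
2004-03-01 198.51.100.9 UNKNOWN_USER adam@ourdomain.example
2004-03-01 198.51.100.9 UNKNOWN_USER alice@ourdomain.example
2004-03-01 192.0.2.44 UNKNOWN_USER jsmith@ourdomain.example
2004-03-02 198.51.100.9 UNKNOWN_USER bob@ourdomain.example
2004-03-02 198.51.100.9 UNKNOWN_USER carol@ourdomain.example
2004-03-02 192.0.2.44 UNKNOWN_USER jsmith@ourdomain.example
2004-03-03 198.51.100.9 UNKNOWN_USER dave@ourdomain.example
2004-03-03 198.51.100.9 UNKNOWN_USER erin@ourdomain.example
2004-03-03 192.0.2.44 UNKNOWN_USER jsmith@ourdomain.example
2004-03-03 203.0.113.7 RELAY_DENIED seller@elsewhere.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RELAY_DENIED|UNKNOWN_USER) ([^@\s]+)@(\S+)$")

def classify(log_text, min_names=5):
    """Return {ip: (category, distinct_invalid_names, busiest_day_count)}."""
    names = defaultdict(set)        # ip -> distinct invalid local names, whole window
    per_day = defaultdict(Counter)  # ip -> rejections per calendar day
    relay = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not rejections
        day, ip, event, user, domain = m.groups()
        per_day[ip][day] += 1
        if event == "RELAY_DENIED" or domain.lower() != LOCAL_DOMAIN:
            relay.add(ip)
        else:
            names[ip].add(user.lower())
    result = {}
    for ip, days in per_day.items():
        busiest = max(days.values())
        if ip in relay:
            category = "relay"
        elif len(names[ip]) >= min_names:
            category = "dictionary"   # many different names, even if few per day
        else:
            category = "stale-list"   # the same old address retried
        result[ip] = (category, len(names[ip]), busiest)
    return result

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(ip, *verdict)
```

In the constructed sample the dictionary source never exceeds two rejections on any one day, so a per-day limit of five would not trip, while its six distinct names across three days do.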
