Jay Sudowski wrote:

>>At this point, I have BlackIce blocking hosts if they make 3 SMTP errors in a 90
>>second period, and I'm only blocking about 30 hosts per hour. More concerning
>>is that my concurrent SMTP sessions are staying absurdly high - anywhere from 55
>>concurrent to over 80. My server only delivers 20,000 messages a day.
>>This is so frustrating.

Jay, frustrating is right. We've observed a good number of dictionary attacks that send one probe every 5 minutes (to the second) for hours on end, which wouldn't get caught by the 3 errors in 90 seconds threshold. This is a tough one to calibrate. We're experimenting with a setting like 5 errors in 40 minutes to catch those, but we're very low volume (not an ISP) and I'm sure that threshold could severely risk false positives to someone with high volume.

The nice thing with BlackICE is that you can try it and keep an eye on it in realtime in the UI.

Evan
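The two thresholds discussed in this thread, compared in an added example that is not part of the original messages and is not BlackICE's own logic. It replays constructed SMTP error events through a sliding-window counter; the function name, host addresses and timestamps are all assumptions made for illustration.

```python
from collections import defaultdict, deque

def first_block_times(events, max_errors, window_s):
    """Replay (timestamp_seconds, host) SMTP error events through a
    sliding-window rule. Returns {host: time the rule first fired}."""
    recent = defaultdict(deque)   # per-host error timestamps still in the window
    blocked = {}
    for ts, host in sorted(events):
        if host in blocked:
            continue              # already blocked, later errors are irrelevant
        q = recent[host]
        q.append(ts)
        while ts - q[0] >= window_s:   # drop errors older than the window
            q.popleft()
        if len(q) >= max_errors:
            blocked[host] = ts
    return blocked

# Constructed sample data (documentation address ranges, seconds from start).
SLOW_PROBER = "192.0.2.10"    # one failed RCPT every 5 minutes for 2 hours
BURST_PROBER = "192.0.2.20"   # three failures within 40 seconds
BUSY_RELAY = "198.51.100.5"   # legitimate sender with occasional bounces

EVENTS = (
    [(t, SLOW_PROBER) for t in range(0, 7201, 300)]
    + [(t, BURST_PROBER) for t in (1000, 1020, 1040)]
    + [(t, BUSY_RELAY) for t in (200, 700, 1500, 2100, 2500)]
)

def compare_rules(events=EVENTS):
    """Run both thresholds from the thread over the same events."""
    return {
        "3 errors / 90 s": first_block_times(events, 3, 90),
        "5 errors / 40 min": first_block_times(events, 5, 40 * 60),
    }

if __name__ == "__main__":
    for rule, hits in compare_rules().items():
        print(rule)
        for host, ts in sorted(hits.items()):
            print(f"  blocked {host} at t={ts}s")
```

On this data the short window only fires on the burst, while the long window catches the 5-minute prober and also blocks the legitimate relay, which is the false-positive risk raised above.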
