﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Ipswitch Forums / Messaging / IMail Server  / E-Mail Harvesting Attack / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>Ipswitch Forums</description><link>http://forums.ipswitch.com/</link><webMaster>forums@ipswitch.com</webMaster><lastBuildDate>Mon, 01 Dec 2008 20:01:51 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>I only host about 30 domains, but I find I'll get a dictionary attack on one for days or a week (or until I block it), and then silence, and then an attack on another (from a different and apparently unrelated source).  I don't believe that dictionary attacks are in any way related to compromised servers -- but hasten to add that I cannot prove that position.&lt;br&gt;&lt;br&gt;</description><pubDate>Fri, 20 Aug 2004 02:00:27 GMT</pubDate><dc:creator>gnetwerker</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>&lt;P&gt;Archer,&lt;/P&gt;&lt;P&gt;I for one am still looking for a solution to this ongoing problem... I realize I probably need the Server version of BlackICE. I'd like to be able to try it out for myself, but I'd prefer not to shell out the extra $$$ unless I can be sure it will provide the desired solution. Any guidance you'd like to share would be met with great appreciation, I'm sure.&lt;/P&gt;&lt;P&gt;We host for nearly 200 domains. What's interesting about our problem is that it's really only one domain receiving the bulk (probably 99%) of the errors for invalid users. 
I'm wondering if it's possible that a computer on that person's domain or network (which would have the email client configured with an email address @theirdomain.com) has been compromised by a virus or something that is originating the attack. Anyone had experience with that type of situation?&lt;/P&gt;&lt;P&gt;Thanks,&lt;BR&gt; -Scott&lt;/P&gt;</description><pubDate>Thu, 19 Aug 2004 16:21:49 GMT</pubDate><dc:creator>SColburn</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>&lt;P&gt;Have you resolved the BlackICE configuration challenge you mentioned? I spent a lot of time and effort in figuring out how to get this to work, which I successfully accomplished. Let me know if you still need help with it.&lt;/P&gt;&lt;P&gt;Archer&lt;/P&gt;</description><pubDate>Tue, 17 Aug 2004 16:58:42 GMT</pubDate><dc:creator>Archer</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>I have done further research and it appears the most effective way to deal with this type of attack is to put some type of gateway that can remove the illegitimate traffic before it reaches the mail server. It makes sense as this is truly not the job of the mail server.</description><pubDate>Thu, 22 Jul 2004 19:43:32 GMT</pubDate><dc:creator>DoNotRead</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>&lt;P&gt;&amp;gt; Notably, IMGATE will not work for this. It doesn't know if a user is&lt;BR&gt;&amp;gt; invalid or not (runs on a different machine, with no access to the&lt;BR&gt;&amp;gt; user database), so it can't do what we're talking about.
Also,&lt;BR&gt;&amp;gt; coding up this kind of dynamic thing in postfix would be a major&lt;BR&gt;&amp;gt; pain in the ass.&lt;/P&gt;&lt;P&gt;I am no friend of IMGate (PostFix) being injected into IMail&lt;BR&gt;discussions (a quick look at the mailing list archives will confirm&lt;BR&gt;this), but I have to point out that you are incorrect. IMGate does&lt;BR&gt;have provisions for replicating IMail userbases into PostFix alias&lt;BR&gt;maps. As for the dynamic blacklisting, this is also part of the&lt;BR&gt;cookbook.&lt;/P&gt;&lt;P&gt;The full answer vis-a-vis IMail is that the product does not have&lt;BR&gt;built-in dynblock features, and since SMTPD needs to be restarted&lt;BR&gt;after any addition, third-party attempts to provide dynamic reaction&lt;BR&gt;to dictionary attacks are not feasible.&lt;/P&gt;&lt;P&gt;Note: I'd recommend that anyone considering this topic search the tens&lt;BR&gt;of thousands of IMail Forum messages archived at&lt;BR&gt;&lt;a target=_blank href="http://www.mail-archive.com/imail_forum%40list.ipswitch.com/"&gt;http://www.mail-archive.com/imail_forum%40list.ipswitch.com/&lt;/A&gt;.
These&lt;BR&gt;archives have not yet been imported into this web forum, which is a&lt;BR&gt;great loss.&lt;/P&gt;&lt;P&gt;--Sandy&lt;/P&gt;</description><pubDate>Thu, 22 Jul 2004 15:02:33 GMT</pubDate><dc:creator>Sanford Whiteman</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>&lt;P&gt;&lt;STRONG&gt;gnetwerker&lt;/STRONG&gt;, great idea, but it seems not to work, according to the Ipswitch help:&lt;/P&gt;&lt;P&gt;Granting and Denying Access: Grant\Deny Access On Dialog Box&lt;BR&gt;To Grant Access to Specific Computers, bla, bla ...&lt;/P&gt;&lt;P&gt;[cut]&lt;/P&gt;&lt;P&gt;Note: You must stop and restart the service for the changes to take effect.&lt;/P&gt;</description><pubDate>Thu, 22 Jul 2004 03:06:28 GMT</pubDate><dc:creator>Dmitri Elgin</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>I've been thinking about this too. Most of the IPs from which the dictionary attacks originate are hijacked PCs, and they pound on the server for an hour or two and then go away forever.&lt;br&gt;&lt;br&gt;I've been thinking of writing a little app that reads the end of the SMTP log for "invalid user" errors, and if a single IP generates more than (e.g.) 10 in 10 minutes, then adding that IP to the SMTP Security blocklist.&lt;br&gt;&lt;br&gt;There are some issues -- I think (not sure) that SMTPD needs to be stopped and started again to re-read the blocklist, and I'm not sure I want to be doing that. Also, this would no doubt work better as a front-end or at least hooked into the system more closely.&lt;br&gt;&lt;br&gt;Notably, IMGATE will not work for this. It doesn't know if a user is invalid or not (runs on a different machine, with no access to the user database), so it can't do what we're talking about.
Also, coding up this kind of dynamic thing in postfix would be a major pain in the ass.&lt;br&gt;&lt;br&gt;If I ever actually get this working, I'll of course post it here.&lt;br&gt;</description><pubDate>Thu, 22 Jul 2004 02:30:54 GMT</pubDate><dc:creator>gnetwerker</dc:creator></item><item><title>RE: E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am experiencing the same problem. For a server hosting about 1000 mailboxes, my log files are over 200MB daily, and I have to clean up lots of residual files in my Spool directory. Server performance doesn't seem to be suffering (noticeably), but it's still a huge pain.&lt;/P&gt;&lt;P&gt;Someone suggested that BlackIce [&lt;a target=_blank href="http://www.networkice.com/"&gt;www.networkice.com&lt;/A&gt;] could block IPs that frequently send to invalid recipients. I could not seem to get it to work (PC version) without breaking other important things -- like the ability to send and receive email. I figured out how to open up the necessary ports, but it still would not automatically block IPs... it would detect the errors, but no blocking. If anyone has had success (PC or Server version), perhaps you could share your settings.&lt;/P&gt;&lt;P&gt;Another potential solution is to set up a separate "gateway" system, using something like IMGate [&lt;a target=_blank href="http://imgate.meiway.com/"&gt;http://imgate.meiway.com&lt;/A&gt;] to filter connections.
I have not tried this myself because I don't know much about Linux.&lt;/P&gt;&lt;P&gt;Hopefully one of these will open a door for you.&lt;BR&gt;-Scott&lt;/P&gt;</description><pubDate>Mon, 19 Jul 2004 09:40:24 GMT</pubDate><dc:creator>SColburn</dc:creator></item><item><title>E-Mail Harvesting Attack</title><link>http://forums.ipswitch.com/Topic151-10-1.aspx</link><description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;There is a situation where currently several domains running on our IMail server are being bombarded, I assume by some type of address harvesting technique. It appears that spammers are sending to addresses using a dictionary to find out which messages are valid and which ones are bouncing. To make things more difficult the source IP of the messages changes often. This is wreaking havoc on the mail server. It is taking up much needed resources and in some cases causing bounceback loops, etc. The large amount of e-mail received by the server is causing SMTP sessions to be very slow, fail to connect or time out. I have tried setting up rules to delete all mail that does not contain valid recipients for the domain, which did not really appear to help. I am running IMail 8.12. Has anyone had any success in dealing with this type of situation or have any suggestions?&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;</description><pubDate>Sat, 17 Jul 2004 11:46:49 GMT</pubDate><dc:creator>DoNotRead</dc:creator></item></channel></rss>