E-Mail Harvesting Attack

Posted 7/17/2004 11:46:49 AM
Forum Newbie


Group: Forum Members
Last Login: 7/23/2004 4:25:00 AM
Posts: 2, Visits: 1

Hello,

There is a situation where currently several domains running on our IMail server are being bombarded I assume from some type of address harvesting technique.  It appears that spammers are sending to addresses using a dictionary to find out which messages are valid and which ones are bouncing.  To make things more difficult the source IP of the messages changes often.  This is wreaking havoc on the mail server.  It is taking up much needed resources and in some cases causing bounceback loops, etc.  The large amount of e-mail received by the server is causing SMTP sessions to be very slow, fail to connect or time out.  I have tried setting up rules to delete all mail that does not contain valid recipients for the domain which did not really appear to help.  I am running IMail 8.12.  Has anyone had any success in dealing with this type of situation or have any suggestions?

Thank you!

Post #151
Posted 7/19/2004 9:40:24 AM


Junior Member


Group: Forum Members
Last Login: 8/4/2008 10:18:28 AM
Posts: 11, Visits: 82

Hi,

I am experiencing the same problem. For a server hosting about 1000 mailboxes, my log files are over 200MB daily, and I have to clean up lots of residual files in my Spool directory. Server performance doesn't seem to be suffering (noticeably), but it's still a huge pain.

Someone suggested that BlackIce [www.networkice.com] could block IPs that frequently send to invalid recipients. I could not seem to get it to work (PC version) without breaking other important things -- like the ability to send and receive email. I figured out how to open up the necessary ports, but it still would not automatically block IPs... it would detect the errors, but no blocking. If anyone has had success (PC or Server version), perhaps you could share your settings.

Another potential solution is to set up a separate "gateway" system, using something like IMGate [http://imgate.meiway.com] to filter connections. I have not tried this myself because I don't know much about Linux.

Hopefully one of these will open a door for you.
-Scott




www.TopEchelon.com

Post #168
Posted 7/22/2004 2:30:54 AM
Junior Member


Group: Forum Members
Last Login: 6/1/2005 2:08:00 AM
Posts: 16, Visits: 1
I've been thinking about this too. Most of the IPs from which the dictionary attacks originate are hijacked PCs, and they pound on the server for an hour or two and then go away forever.

I've been thinking of writing a little app that reads the end of the SMTP log for "invalid user" errors, and if a single IP generates more than (e.g.) 10 in 10 minutes, then adding that IP to the SMTP Security blocklist.

There are some issues -- I think (not sure) that SMTPD needs to be stopped and started again to re-read the blocklist, and I'm not sure I want to be doing that. Also, this would no doubt work better as a front-end or at least hooked into the system more closely.

Notably, IMGATE will not work for this. It doesn't know if a user is invalid or not (runs on a different machine, with no access to the user database), so it can't do what we're talking about. Also, coding up this kind of dynamic thing in postfix would be a major pain in the ass.

If I ever actually get this working, I'll of course post it here.
Post #286
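One way to build the log-watcher gnetwerker describes above, as an added example that is not part of the original post and not IMail's own code. It assumes a constructed log line format (IMail's real SMTP log layout differs, so `LOG_LINE` would need adjusting), counts each source IP's "invalid user" rejections in a sliding 10-minute window, and reports the IPs that cross the threshold. The sample log lines are constructed for the example. Adding the reported IPs to the SMTP Security blocklist, and whether SMTPD must be restarted to pick them up, is the separate step discussed later in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (NOT IMail's real SMTP log layout):
#   <YYYY-MM-DD HH:MM:SS> <client-ip> <SMTP reply code> <reply text>
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<code>\d{3}) (?P<text>.*)$"
)

# Constructed sample log (chronological, as a real log would be):
#  - 192.0.2.44 sends 6 bad recipients at 02:00 and 6 more at 02:30: 12 in total,
#    but never more than 10 inside any 10-minute window, so it is NOT flagged.
#  - 198.51.100.7 mistypes one address, then delivers normally: NOT flagged.
#  - 203.0.113.9 probes 11 invalid recipients within 11 seconds: flagged.
SAMPLE_LOG = """\
2004-07-22 02:00:00 192.0.2.44 550 invalid user admin
2004-07-22 02:00:01 192.0.2.44 550 invalid user webmaster
2004-07-22 02:00:02 192.0.2.44 550 invalid user postmaster
2004-07-22 02:00:03 192.0.2.44 550 invalid user sales
2004-07-22 02:00:04 192.0.2.44 550 invalid user info
2004-07-22 02:00:05 192.0.2.44 550 invalid user support
2004-07-22 02:10:00 198.51.100.7 550 invalid user jsmtih
2004-07-22 02:10:30 198.51.100.7 250 OK, message accepted for jsmith
2004-07-22 02:30:00 192.0.2.44 550 invalid user billing
2004-07-22 02:30:01 192.0.2.44 550 invalid user help
2004-07-22 02:30:02 192.0.2.44 550 invalid user contact
2004-07-22 02:30:03 192.0.2.44 550 invalid user office
2004-07-22 02:30:04 192.0.2.44 550 invalid user mail
2004-07-22 02:30:05 192.0.2.44 550 invalid user hr
2004-07-22 03:00:01 203.0.113.9 550 invalid user aaron
2004-07-22 03:00:02 203.0.113.9 550 invalid user abby
2004-07-22 03:00:03 203.0.113.9 550 invalid user adam
2004-07-22 03:00:04 203.0.113.9 550 invalid user alan
2004-07-22 03:00:05 203.0.113.9 550 invalid user alex
2004-07-22 03:00:06 203.0.113.9 550 invalid user amy
2004-07-22 03:00:07 203.0.113.9 550 invalid user andy
2004-07-22 03:00:08 203.0.113.9 550 invalid user anna
2004-07-22 03:00:09 203.0.113.9 550 invalid user art
2004-07-22 03:00:10 203.0.113.9 550 invalid user ben
2004-07-22 03:00:11 203.0.113.9 550 invalid user beth
"""


def invalid_user_events(lines):
    """Yield (timestamp, source_ip) for every rejected-recipient line.

    Lines that do not match the expected layout are skipped rather than
    aborting the run, so a stray or truncated line cannot stall the watcher.
    """
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m.group("code") == "550" and "invalid user" in m.group("text").lower():
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def find_offenders(lines, threshold=10, window=timedelta(minutes=10)):
    """Return the set of source IPs that produced more than `threshold`
    invalid-recipient rejections inside any span of length `window`.

    A per-IP deque holds only the rejection timestamps still inside the
    window, so memory stays bounded by `threshold` entries per active IP.
    """
    recent = defaultdict(deque)  # ip -> timestamps of rejections inside the window
    offenders = set()
    for ts, ip in invalid_user_events(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            offenders.add(ip)
    return offenders


if __name__ == "__main__":
    for ip in sorted(find_offenders(SAMPLE_LOG.splitlines())):
        print("candidate for SMTP Security blocklist:", ip)
```

Because the window slides rather than resetting every ten minutes, a host that spreads its probes just below the threshold is still counted correctly, and a host that makes one typo is never flagged; the `threshold` and `window` parameters are the "(e.g.) 10 in 10 minutes" from the post and can be tuned per server.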
Posted 7/22/2004 3:06:28 AM
Time Traveler


Group: Forum Members
Last Login: 8/12/2005 10:51:00 PM
Posts: 151, Visits: 1

gnetwerker, great idea, but according to the Ipswitch help it seems it would not work:

Granting and Denying Access: Grant\Deny Access On Dialog Box
To Grant Access to Specific Computers, bla, bla ...

[cut]

Note: You must stop and restart the service for the changes to take effect.



Regards,
Dmitri Elgin,
http://imailzip.com

Post #288
Posted 7/22/2004 3:02:33 PM
Time Traveler


Group: Forum Members
Last Login: 6/15/2005 1:07:00 AM
Posts: 217, Visits: 1

> Notably, IMGATE will not work for this. It doesn't know if a user is
> invalid or not (runs on a different machine, which no access to the
> user database), so it can't do what we're talking about. Also,
> coding up this kind of dynamic thing in postfix would be a major
> pain in the ass.

I am no friend of IMGate (PostFix) being injected into IMail discussions (a quick look at the mailing list archives will confirm this), but I have to point out that you are incorrect. IMGate does have provisions for replicating IMail userbases into PostFix alias maps. As for the dynamic blacklisting, this is also part of the cookbook.

The full answer vis-a-vis IMail is that the product does not have built-in dynblock features, and since SMTPD needs to be restarted after any addition, third-party attempts to provide dynamic reaction to dictionary attacks are not feasible.

Note: I'd recommend that anyone considering this topic search the tens of thousands of IMail Forum messages archived at http://www.mail-archive.com/imail_forum%40list.ipswitch.com/. These archives have not yet been imported into this web forum, which is a great loss.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.

Defuse Dictionary Attacks: Turn Remote Mailboxes into Aliases on your IMail MX!
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

Post #324
Posted 7/22/2004 7:43:32 PM
Forum Newbie


Group: Forum Members
Last Login: 7/23/2004 4:25:00 AM
Posts: 2, Visits: 1
I have done further research and it appears the most effective way to deal with this type of attack is to put in some type of gateway that can remove the illegitimate traffic before it reaches the mail server. It makes sense, as this is truly not the job of the mail server.
Post #333
Posted 8/17/2004 4:58:42 PM
Forum Newbie


Group: Forum Members
Last Login: 11/8/2006 2:39:00 AM
Posts: 4, Visits: 1

Have you resolved the BlackICE configuration challenge you mentioned?  I spent a lot of time and effort in figuring out how to get this to work, which I successfully accomplished.  Let me know if you still need help with it.

Archer

Post #815
Posted 8/19/2004 4:21:49 PM


Junior Member


Group: Forum Members
Last Login: 8/4/2008 10:18:28 AM
Posts: 11, Visits: 82

Archer,

I for one am still looking for a solution to this ongoing problem... I realize I probably need the Server version of BlackICE. I'd like to be able to try it out for myself, but I'd prefer not to shell out the extra $$$ unless I can be sure it will provide the desired solution. Any guidance you'd like to share would be met with great appreciation, I'm sure.

We host for nearly 200 domains. What's interesting about our problem is that it's really only one domain receiving the bulk (probably 99%) of the errors for invalid users. I'm wondering if it's possible that a computer on that person's domain or network (which would have the email client configured with an email address @theirdomain.com) has been compromised by a virus or something that is originating the attack. Anyone had experience with that type of situation?

Thanks,
 -Scott




www.TopEchelon.com

Post #880
Posted 8/20/2004 2:00:27 AM
Junior Member


Group: Forum Members
Last Login: 6/1/2005 2:08:00 AM
Posts: 16, Visits: 1
I only host about 30 domains, but I find I'll get a dictionary attack on one for days or a week (or until I block it), and then silence, and then an attack on another (from a different and apparently unrelated source). I don't believe that dictionary attacks are in any way related to compromised servers -- but hasten to add that I cannot prove that position.

Post #884