RE: Some Advice Please

  • From: "Rich Gallo" <RGallo@xxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jan 2006 19:28:31 -0500

OK gotcha.

Here is my current topology.  Our SMTP relay box (Barracuda) is what gets 
outside mail first.  Then it goes to Exchange (only one Exchange server - 
2003).  BOTH boxes are on the inside of our PIX and only the Barracuda has its 
internal address mapped to an external address.  I did set up tarpitting on 
Exchange although I'm not sure how useful that will be since technically, the 
only other computer that connects to it SMTP-wise (besides internal domain 
clients obviously) is the Barracuda box.  I am not too sure if the Barracuda 
device has any sort of tarpitting but that is something I will have to take up 
with them.
 
In any case, thanks so much for the info John, I truly appreciate it!

________________________________

From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thu 1/5/2006 6:09 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Some Advice Please


http://www.MSExchange.org/


If it is a harvesting or dictionary attack, your best bet is an automated way 
to temporarily block connections from an IP after x amount of invalid 
recipients or tarpit the IP after x amount of invalid recipients. 

Someone else has posted a couple of links on how to do this on Exchange, but 
IMHO you want to do this before your Exchange server unless you are a small shop 
and do not have other resources.

My clients' Exchange servers sit behind my e-mail server, which is acting as a 
gateway for them, and that server sits behind 3 MS SMTP servers with ORF 
running. 

ORF is actually a very good product that is growing but does not get mentioned 
much. It can install on any server running IIS as it works directly with the 
IIS SMTP service. 

A harvest attack is where the attacking server(s) will "send" an e-mail to 
every possible address at your domain from a through zzzzzzzzzzz (you get the 
idea) to find out which are valid addresses. The proper way to fight this is 
either to block the IP after so many invalid recipients or to tarpit, which means 
waiting 30 to 60 seconds to respond with a 5.1.x indicating an invalid address. 

 

John T
eServices For You

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.13/221 - Release Date: 1/4/2006
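The per-IP "block after x invalid recipients, tarpit before that" policy John describes can be shown in a few lines. The following is an added example written for this thread, not code from either poster, from Exchange, ORF or the Barracuda appliance. It assumes a gateway that can look up whether a RCPT TO address exists (here a constructed set standing in for the directory lookup), decides per source IP whether to answer normally, to wait 30 seconds before the 5.1.1 reply (tarpit), or to temporarily refuse the IP, and is run over a constructed log of one harvester plus one legitimate sender:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-in for the directory/recipient lookup the gateway would do
# against Exchange. Anything not in this set is an "invalid recipient".
VALID_RECIPIENTS = {"rgallo@example.com", "postmaster@example.com"}


@dataclass
class PeerState:
    invalid_count: int = 0      # invalid RCPT TO seen since the last block
    blocked_until: float = 0.0  # epoch seconds; 0 means not blocked


@dataclass
class RecipientGuard:
    """Per-source-IP policy for invalid RCPT TO commands (hypothetical helper).

    tarpit_after  : invalid recipients before replies start being delayed
    block_after   : invalid recipients before the IP is refused outright
    tarpit_delay  : seconds to wait before sending the 5.1.1 reply
    block_seconds : how long the temporary block lasts
    """
    tarpit_after: int = 3
    block_after: int = 10
    tarpit_delay: float = 30.0
    block_seconds: float = 600.0
    peers: Dict[str, PeerState] = field(default_factory=dict)

    def decide(self, ip: str, recipient: str, now: float) -> Tuple[str, float]:
        """Return (smtp_reply, seconds_to_wait_before_sending_it) for one RCPT TO."""
        st = self.peers.setdefault(ip, PeerState())
        if now < st.blocked_until:
            # Temporary refusal: a 4xx so a misconfigured but real sender retries later.
            return ("421 4.7.1 Too many invalid recipients, try again later", 0.0)
        if recipient.lower() in VALID_RECIPIENTS:
            return ("250 2.1.5 Recipient OK", 0.0)
        st.invalid_count += 1
        if st.invalid_count >= self.block_after:
            # Start the block and reset the counter so it restarts after expiry.
            st.blocked_until = now + self.block_seconds
            st.invalid_count = 0
            return ("421 4.7.1 Too many invalid recipients, try again later", 0.0)
        # Below the block threshold: reject the address, slowly once tarpitting kicks in.
        delay = self.tarpit_delay if st.invalid_count >= self.tarpit_after else 0.0
        return ("550 5.1.1 User unknown", delay)


# Constructed sample: a harvester walking a, aa, aaa, ... and one real sender.
HARVESTER_IP = "198.51.100.7"
SAMPLE_RCPT_ATTEMPTS: List[Tuple[float, str, str]] = [
    (0.5 * k, HARVESTER_IP, ("a" * k) + "@example.com") for k in range(1, 13)
] + [(2.25, "203.0.113.5", "rgallo@example.com")]


def simulate(guard: RecipientGuard, attempts: List[Tuple[float, str, str]]):
    """Run every (time, ip, recipient) through the guard; return the decisions."""
    out = []
    for now, ip, rcpt in sorted(attempts):
        reply, delay = guard.decide(ip, rcpt, now)
        out.append((ip, rcpt, reply, delay))
    return out


if __name__ == "__main__":
    for ip, rcpt, reply, delay in simulate(RecipientGuard(), SAMPLE_RCPT_ATTEMPTS):
        print(f"{ip:14} RCPT TO:<{rcpt:22}> wait {delay:4.0f}s -> {reply}")
```

With the defaults, the harvester's first two bad addresses get an immediate 550, the next seven each wait 30 seconds before the 550 (so a 26-letter sweep costs it minutes rather than milliseconds), and from the tenth onward the IP is refused with a 421 for ten minutes, while the legitimate sender to a real mailbox is unaffected. Counting invalid recipients per IP rather than per session matters because a harvester will happily open a new connection per address.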