RE: Some Advice Please

  • From: "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 6 Jan 2006 07:54:30 -0800


John T

eServices For You


-----Original Message-----
From: Maglinger, Paul [mailto:PMAGLINGER@xxxxxxxx] 
Sent: Friday, January 06, 2006 5:42 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Some Advice Please
Sensitivity: Private

John - ORF?   



From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, January 05, 2006 17:10
To: [ExchangeList]
Subject: [exchangelist] RE: Some Advice Please
Sensitivity: Private

If it is a harvesting or dictionary attack, your best bet is an automated
way to temporarily block connections from an IP after x amount of invalid
recipients or tarpit the IP after x amount of invalid recipients. 


Someone else has posted a couple of links of how to do this on Exchange,
but IMHO you want to do this before your Exchange server unless you are a small
shop and do not have other resources.


My clients' Exchange servers sit behind my e-mail server, which is acting as a
gateway for them, and that server sits behind 3 MS SMTP servers with ORF.


ORF is actually a very good product that is growing but does not get
mentioned much. It can install on any server running IIS as it works
directly with the IIS SMTP service. 


A harvest attack is where the attacking server(s) will "send" an e-mail to
every possible address at your domain from a through zzzzzzzzzzz (you get
the idea) to find out which are valid addresses. The proper way to fight
this is either to block the IP after so many invalid recipients or to tarpit,
which means waiting 30 to 60 seconds to respond with a 5.1.x indicating an
invalid address. 


John T

eServices For You
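
The per-IP policy described in the message above (tarpit after some number of invalid recipients, then block temporarily), written out as an added Python example; it is not part of the original e-mail and is not how ORF or Exchange implements it. The thresholds, the class and function names, the reply texts and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; the post only says "x amount" and "30 to 60 seconds".
TARPIT_AFTER = 3    # invalid recipients in the window before replies are delayed
BLOCK_AFTER = 6     # invalid recipients in the window before the IP is blocked
WINDOW = 300        # seconds over which invalid recipients are counted
TARPIT_DELAY = 30   # seconds the gateway waits before sending the 5.1.x reply
BLOCK_FOR = 3600    # seconds a temporary block lasts

class HarvestGuard:
    """Decides, per RCPT TO, what an SMTP gateway should answer and how slowly."""
    def __init__(self, valid_recipients):
        self.valid = {r.lower() for r in valid_recipients}
        self.misses = defaultdict(deque)  # ip -> times of recent invalid RCPTs
        self.blocked_until = {}           # ip -> time the block expires

    def on_rcpt(self, ip, rcpt, now):
        """Return (smtp_reply, delay_seconds); the caller sleeps, then replies."""
        if self.blocked_until.get(ip, 0) > now:
            return ("554 5.7.1 connection refused", 0)
        self.blocked_until.pop(ip, None)          # block expired, start fresh
        if rcpt.lower() in self.valid:
            return ("250 2.1.5 OK", 0)
        q = self.misses[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW:         # forget misses outside the window
            q.popleft()
        if len(q) >= BLOCK_AFTER:
            self.blocked_until[ip] = now + BLOCK_FOR
            q.clear()
            return ("554 5.7.1 connection refused", 0)
        delay = TARPIT_DELAY if len(q) >= TARPIT_AFTER else 0
        return ("550 5.1.1 user unknown", delay)

def replay(events, valid):
    """Run (time, ip, recipient) events through a fresh guard."""
    guard = HarvestGuard(valid)
    return [guard.on_rcpt(ip, rcpt, t) for t, ip, rcpt in events]

# Constructed sample: one host guessing names, one normal sender with a typo.
SAMPLE = [(t, "192.0.2.10", f"{name}@example.com")
          for t, name in enumerate(["a", "aa", "ab", "ac", "ad", "ae", "bob"])]
SAMPLE += [(10, "198.51.100.7", "bobb@example.com"),
           (20, "198.51.100.7", "bob@example.com")]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE, ["bob@example.com"])):
        print(event, "->", result)
```

A single mistyped address from a normal sender gets an immediate rejection with no delay, while the guessing host is slowed from its third miss and refused from its sixth, including for the one valid address it eventually tries.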


