Spam Filter ISP Support Forum


Improve handling of AuthorizedTo failures

WebGuyz (Guest Group)
Posted: 11 January 2006 at 12:14pm

The new IP Blacklist cache has really helped cut down on a lot of the dictionary attacks we were getting but there are still a few a day that slip by because they are outside of our 10 window for the blacklist cache setting.

Tactics I have seen are using multiple IPs over a span of more than 15 minutes and only doing 10-15 at a time and staying under the radar of our Max Recipient count.

I think there should be a test of the number of AuthorizedTo failures from a single IP in a single session (settable of course) and if it fails then throw them into the blacklist cache immediately.

I swear these guys are adapting their tactics as soon as we find a way to slow them down with items like the IP Blacklist cache.

Keep up the great work.

Marco (Senior Member)
Posted: 12 January 2006 at 10:53am

I don't think it impossible they are adapting because of things said in this forum.

Roberto, don't you think we should discuss the more 'specific' SPF features in a registered forum?

Keep this forum open for the regular remarks, ideas and thoughts, but add a new, secure one.

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
WebGuyz (Guest Group)
Posted: 12 January 2006 at 7:57pm

I think we should all get special decoder rings so that only valid members get these posts.

But seriously, if you implement a way of checking 'x' number of AuthorizedTo failures in a row in a single session and put them in the IP Blacklist cache you've basically cut off any dictionary attack's chances and they'll go bug someone else who is not using SpamFilter.
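
The check proposed in this thread, as an added example that is not part of the original posts and is not SpamFilter's own code: it counts rejected recipients per session and caches the sending IP as soon as a configurable threshold is reached. It assumes an AuthorizedTo failure means a RCPT TO address outside the authorized list; `BlacklistCache`, `replay`, the threshold, the TTL and all addresses are hypothetical or constructed.

```python
from dataclasses import dataclass, field

@dataclass
class BlacklistCache:
    """Hypothetical stand-in for the IP blacklist cache: IP -> expiry time."""
    ttl: float
    expiry: dict = field(default_factory=dict)

    def add(self, ip, now):
        self.expiry[ip] = now + self.ttl

    def contains(self, ip, now):
        return self.expiry.get(ip, 0.0) > now

def replay(events, authorized, cache, max_failures, in_a_row=True):
    """Replay (time, session_id, ip, rcpt) events; return one verdict per event.

    A session is dropped, and its IP cached, once it reaches max_failures
    rejected recipients (counted consecutively when in_a_row is True).
    """
    failures = {}   # session_id -> current failure count
    verdicts = []
    for now, sid, ip, rcpt in events:
        if cache.contains(ip, now):
            verdicts.append("drop")          # already blacklisted, any session
        elif rcpt in authorized:
            if in_a_row:
                failures[sid] = 0            # a valid recipient resets the streak
            verdicts.append("accept")
        else:
            failures[sid] = failures.get(sid, 0) + 1
            if failures[sid] >= max_failures:
                cache.add(ip, now)           # blacklist immediately, mid-session
                verdicts.append("drop")
            else:
                verdicts.append("reject")
    return verdicts

# Constructed sample data (documentation IP ranges, made-up addresses).
AUTHORIZED = {"alice@example.com", "bob@example.com"}
GUESSES = ["info", "sales", "admin", "john", "mary", "test", "web"]
EVENTS = (
    [(float(i), "s1", "192.0.2.10", f"{g}@example.com") for i, g in enumerate(GUESSES)]
    + [(60.0, "s2", "192.0.2.10", "alice@example.com"),     # same IP, new session
       (61.0, "s3", "198.51.100.7", "alice@example.com"),   # legitimate sender
       (62.0, "s3", "198.51.100.7", "bbo@example.com"),     # one typo
       (63.0, "s3", "198.51.100.7", "bob@example.com"),
       (2000.0, "s4", "192.0.2.10", "bob@example.com")]     # after cache expiry
)

def demo():
    return replay(EVENTS, AUTHORIZED, BlacklistCache(ttl=900.0), max_failures=5)
```

The seven-recipient session stays well under a typical maximum recipient count, yet it is cut off at the fifth failure, while the legitimate sender with a single mistyped address is never cached.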
