
Improve handling of AuthorizedTo failures

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5441
Printed Date: 26 November 2025 at 5:40pm


Topic: Improve handling of AuthorizedTo failures
Posted By: Guests
Date Posted: 11 January 2006 at 12:14pm

The new IP Blacklist cache has really helped cut down on a lot of the dictionary attacks we were getting, but there are still a few a day that slip by because they are outside of our 10 window for the blacklist cache setting.

Tactics I have seen are using multiple IPs over a span of more than 15 minutes and only doing 10-15 at a time and staying under the radar of our Max Recipient count.

I think there should be a test of the number of AuthorizedTo failures from a single IP in a single session (settable of course), and if it fails then throw them into the blacklist cache immediately.

I swear these guys are adapting their tactics as soon as we find a way to slow them down with items like the IP Blacklist cache.

Keep up the great work.




Replies:
Posted By: Marco
Date Posted: 12 January 2006 at 10:53am

I don't think it impossible they are adapting because of things said in this forum.

Roberto, don't you think we should discuss the more 'specific' SPF features in a registered forum?

Keep this forum open for the regular remarks, ideas and thoughts, but add a new, secure one.

 



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: Guests
Date Posted: 12 January 2006 at 7:57pm

I think we should all get special decoder rings so that only valid members get these posts.

But seriously, if you implement a way of checking 'x' number of AuthorizedTo failures in a row in a single session and put them in the IP Blacklist cache, you've basically cut off any dictionary attack's chances and they'll go bug someone else who is not using SpamFilter.
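
The check requested in this thread, sketched as an added example (not SpamFilter ISP code and not written by any poster): consecutive AuthorizedTo failures are counted per SMTP session, and the sending IP goes into a timed blacklist cache once a threshold is hit. The class and function names, the threshold of 5, the 600-second cache lifetime and the sample addresses are all assumptions made for illustration.

```python
# Added example; names, threshold and cache lifetime are assumed values.
AUTHORIZED = {"alice@example.test", "bob@example.test"}  # constructed AuthorizedTo list

class AuthorizedToGuard:
    def __init__(self, max_failures=5, cache_seconds=600):
        self.max_failures = max_failures    # the settable 'x' failures in a row
        self.cache_seconds = cache_seconds  # lifetime of a blacklist cache entry
        self.failures = {}                  # session id -> consecutive rejected recipients
        self.blacklist = {}                 # ip -> expiry time in seconds

    def is_blacklisted(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is not None and now >= expiry:
            del self.blacklist[ip]          # entry aged out of the cache
            return False
        return expiry is not None

    def on_rcpt(self, session_id, ip, rcpt, now):
        """Decide what to do with one RCPT TO command."""
        if self.is_blacklisted(ip, now):
            return "reject-ip"
        if rcpt.lower() in AUTHORIZED:
            self.failures[session_id] = 0   # a valid recipient breaks the run
            return "accept"
        count = self.failures.get(session_id, 0) + 1
        self.failures[session_id] = count
        if count >= self.max_failures:
            # Blacklist immediately, well before a 10-15 recipient batch completes.
            self.blacklist[ip] = now + self.cache_seconds
            self.failures.pop(session_id, None)
            return "blacklisted"
        return "reject-rcpt"

def replay(events, guard):
    """Run (time, session_id, ip, rcpt) tuples through the guard."""
    return [guard.on_rcpt(sid, ip, rcpt, t) for t, sid, ip, rcpt in events]

# Constructed sample: one session guessing 12 addresses, below a typical
# max-recipient limit but far above the consecutive-failure threshold.
SAMPLE = [(i * 2, "s1", "192.0.2.10", f"guess{i}@example.test") for i in range(12)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE, AuthorizedToGuard())):
        print(event[0], event[2], event[3], "->", verdict)
```

Resetting the counter on a valid recipient keeps a legitimate sender with one mistyped address from being blacklisted, at the cost of letting a guesser who already knows one valid address interleave it to stay under the threshold.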



