Re: POP3 logon attempts

On Mon, Mar 31, 2003 at 02:11:27PM +0200, Tom Fischer wrote:
> Hi,
> some of our POP3 servers got DoSed cause of massive password probes
It's likely just a script that automates this for the tickler to the tickee. They would just loop via the total number of accounts they wish fork to and test for default accounts/passwords for example. Have you tried a wrapper to limit the number of connections per same ip addr? For example if you do not have more than one connection established per ip to get pop3. Then send them a RST. Or something like that. AND create a list of accounts that never are allowed to access remotely via pop3 and send disconnects to any attempts to do so. Obviously log usages that do not meet your ruleset and add spice to taste. If some of these they are trying do actually exist then create filter rules. TMTOWTDI

HIH Best Regards,
dreamwvr@dreamwvr.com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents