Email Bomb Attack option
Brightmail Gateway provides 2 options to guard against attacks: Directory Harvest Attack and Email Virus Attack. These are good features to help guard against unwanted attacks.
On occasion, we have received bomb blast emails from disgruntled users. Since these emails target certain senior management individuals, we need the ability to block them. We can identify the abusive sender address or IP and block it. In cases where the abusive sender uses a program to blast out emails by the hundreds, it would be good to have a feature in Brightmail that quarantines the messages or rejects the SMTP connection if the volume of messages received from the same IP address exceeds a threshold (i.e., 100 messages per minute). This gives the administrator a tool to stop attacks from disgruntled users or websites.
Comments
How would you suggest
How would you suggest implementing this? Would, say, keeping a 60 minute moving average of the overall inbound messages/minute and flagging any single IP connection that generated more than 5% in the last, say, 10 minutes (these would be tunable parameters) work?
I'm not with Symantec, just thinking through design.
I see that the free Postfix MTA implements something like this
http://www.postfix.org/TUNING_README.html#slowdown
Note: these features use the Postfix anvil(8) service, introduced with Postfix version 2.2.
The Postfix smtpd(8) server can limit the number of simultaneous connections from the same SMTP client, as well as the connection rate and the rate of certain SMTP commands from the same client. These statistics are maintained by the anvil(8) server (translation: if anvil(8) breaks, then connection limits stop working).
IMPORTANT: These limits must not be used to regulate legitimate traffic: mail will suffer grotesque delays if you do so. The limits are designed to protect the smtpd(8) server against abuse by out-of-control clients.
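The design sketched in the comment above (a 60-minute moving average of overall inbound volume, flag any one IP that produced more than 5% of the expected volume in the last 10 minutes) combined with the absolute limit from the original request (100 messages per minute from one IP) can be prototyped as a sliding-window counter. The following is an added example, hypothetical code that is neither a Brightmail Gateway feature nor Postfix's anvil(8); the parameter names, the `BurstDetector` class, the `simulate` helper and the traffic it generates (addresses from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) are all constructed for illustration.

```python
"""Sliding-window burst detector for inbound SMTP senders (hypothetical example)."""
from collections import defaultdict, deque


class BurstDetector:
    def __init__(self, avg_window=3600.0, share_window=600.0, share_threshold=0.05,
                 min_volume=200, abs_limit=100, abs_window=60.0):
        self.avg_window = avg_window          # seconds of history behind the moving average
        self.share_window = share_window      # seconds over which one IP's share is measured
        self.share_threshold = share_threshold  # 0.05 == the commenter's 5%
        self.min_volume = min_volume          # do not apply the share rule below this many messages
        self.abs_limit = abs_limit            # hard cap: messages per abs_window from one IP
        self.abs_window = abs_window
        self.all_msgs = deque()               # timestamps of every message seen
        self.per_ip = defaultdict(deque)      # ip -> timestamps
        self.first_t = None

    @staticmethod
    def _prune(dq, cutoff):
        # timestamps must arrive in non-decreasing order for this to be correct
        while dq and dq[0] < cutoff:
            dq.popleft()

    def observe(self, ip, t):
        """Record one message from ip at time t (seconds); return (flagged, reason)."""
        if self.first_t is None:
            self.first_t = t
        self.all_msgs.append(t)
        self.per_ip[ip].append(t)
        self._prune(self.all_msgs, t - self.avg_window)
        self._prune(self.per_ip[ip], t - max(self.share_window, self.abs_window))
        recent = self.per_ip[ip]

        # Rule 1: absolute per-IP rate (the original request's "100 messages per minute").
        in_abs = sum(1 for x in recent if x >= t - self.abs_window)
        if in_abs > self.abs_limit:
            return True, "absolute"

        # Rule 2: share of the moving average. Until avg_window has elapsed, the
        # average is taken over the time actually observed (floored at share_window);
        # otherwise a cold start would underestimate volume and flag normal senders.
        span = max(min(self.avg_window, t - self.first_t), self.share_window)
        expected = len(self.all_msgs) / span * self.share_window
        in_share = sum(1 for x in recent if x >= t - self.share_window)
        if len(self.all_msgs) >= self.min_volume and in_share > self.share_threshold * expected:
            return True, "share"
        return False, ""


def simulate(background_senders=25, burst_size=150, **params):
    """Constructed traffic: `background_senders` distinct IPs each send one
    message per minute for an hour, then one IP bursts `burst_size` messages
    at ten per second. Returns (number of flagged background messages,
    (ordinal, reason) of the first flagged burst message or None)."""
    det = BurstDetector(**params)
    background_flagged = 0
    for minute in range(60):
        for i in range(1, background_senders + 1):
            flagged, _ = det.observe("192.0.2.%d" % i, minute * 60.0)
            background_flagged += flagged
    first = None
    for k in range(burst_size):
        flagged, reason = det.observe("203.0.113.7", 3600.0 + 0.1 * k)
        if flagged:
            first = (k + 1, reason)
            break
    return background_flagged, first


if __name__ == "__main__":
    print(simulate())                                         # normal site: burst caught early
    print(simulate(background_senders=5))                     # low volume: share rule flags everyone
    print(simulate(background_senders=5, min_volume=10**9))   # share rule off: absolute cap catches it
```

The second run is the practical caveat behind the Postfix warning quoted above: a fixed percentage share is meaningless when fewer than 1/threshold senders are active (here five senders each hold 20% of traffic), so every legitimate sender is flagged. A volume floor such as `min_volume`, or an absolute cap as in the original request, keeps the rule from regulating ordinary mail, and any decision it makes should quarantine or tempfail rather than silently drop so that a misfire costs delay, not lost mail.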