Dictionary Attack:
A dictionary attack is where an attacker uses a very large list of guesses, figuring that somewhere in that
list is the right one. Dictionary attacks can serve many purposes; the one we are documenting here is
spam. Spammers use lists of common account names and try every one of them at a target domain, knowing that some
will get through. The whole process can be fairly fast on a large server setup: within a second or so they have tried
hundreds (mike@, cindy@, and even non-firstname combinations like klm1981@, sweetgrl67@, etc.). Over time they try hundreds of thousands.
This is often why even unpublished addresses get spam.
Our servers are handling nearly one million messages a day. We also seem to be the target of thousands of dictionary
attacks a day. I can speculate as to why, but won't here. What I will speculate on is that if we get them, bigger
services must get even more. We cannot have spammers guessing their way into our user base, so we
did something about it. We had to, for your protection and ours. These thousands of machines hitting us with thousands of e-mail guesses at a time were beginning to hinder performance as well.
Remove the speed:
One thing these attacks need in order to succeed is speed: they want to try as many combinations as possible. So
we took that away from them. We set our servers up to throttle a sending server after a number of "user unknown" replies in rapid
succession, slowing it way down. This does not affect valid e-mail at all, but it hinders servers trying hundreds of addresses that do not exist.
Block the recurring:
Many sending servers carry on while throttled, still trying guesses. When this happens our automated system temporarily blocks the server sending
the dictionary attack from connecting at all. This is a timed block; it expires after five days. We had tried shorter expiry
times, but reports showed the same servers attacking us day after day. Nearly 100% of them are trojaned zombies: end-user machines on cable, DSL,
etc. that have been infected with a virus that performs these attacks, unknown to the person whose
machine is infected. The ideal expiry time, the time it takes for someone to find and deal
with the infection, is actually even longer than five days, but five days was a good balance of performance versus protection.
Accuracy:
We said "nearly 100%" of them are trojaned zombies. This is because there is the possibility that
someone, or some zombie, performs these attacks through their ISP's mail server. We have not yet seen that happen, and our list is so far 100% trojaned machines,
but it is possible. Because this possibility exists, in those instances we will whitelist the ISP's server from the
blocking, but will still continue to throttle its rapid-succession user unknowns. We had considered just throttling
everything, but keeping track of tens of thousands of throttled connections made the server unstable. Blocking
was the only option left. The only machines that will be blocked by this are those that have served up a dictionary attack against us. Normal user unknowns and mailing lists will be unaffected.
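The throttle-then-block policy described above, written out as an added example (not the page's own code). It assumes a counting window and thresholds that the page does not state; only the five-day block expiry comes from the text. Whitelisted hosts are throttled but never blocked, and a block lifts on its own when the timer runs out.

```python
from collections import deque
from dataclasses import dataclass, field

# Tuning values are assumed; the page only states the five-day block expiry.
THROTTLE_AFTER = 5              # user-unknowns within WINDOW_SECONDS before delaying
WINDOW_SECONDS = 10
BLOCK_AFTER = 20                # further unknowns while throttled before a timed block
BLOCK_SECONDS = 5 * 24 * 3600   # timed block expires after five days

@dataclass
class PeerState:
    recent_unknowns: deque = field(default_factory=deque)  # timestamps inside window
    throttled_unknowns: int = 0
    blocked_until: float = 0.0

class DictionaryAttackGuard:
    """Throttle rapid user-unknowns, then block repeat offenders for a timed period.
    Whitelisted hosts (e.g. an ISP relay) are still throttled but never blocked."""
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.peers = {}

    def decide(self, ip, ts, user_exists):
        """Decision for one RCPT attempt: 'ok', 'throttle' (delay reply) or 'block'."""
        st = self.peers.setdefault(ip, PeerState())
        if ts < st.blocked_until:
            return "block"            # connection refused until the block expires
        if user_exists:
            return "ok"               # valid mail is never affected
        st.recent_unknowns.append(ts)
        while ts - st.recent_unknowns[0] > WINDOW_SECONDS:
            st.recent_unknowns.popleft()  # drop unknowns older than the window
        if len(st.recent_unknowns) < THROTTLE_AFTER:
            return "ok"               # a few typos or stale addresses are normal
        st.throttled_unknowns += 1
        if st.throttled_unknowns >= BLOCK_AFTER and ip not in self.whitelist:
            st.blocked_until = ts + BLOCK_SECONDS
            return "block"
        return "throttle"

def simulate(events, whitelist=()):
    """Run a sequence of (ip, timestamp, user_exists) through one guard."""
    guard = DictionaryAttackGuard(whitelist)
    return [guard.decide(ip, ts, exists) for ip, ts, exists in events]

# Constructed sample traffic: a zombie guessing 30 names in under 8 s, and a
# normal sender that hits one unknown address (a typo) every fifth message.
ATTACK = [("198.51.100.7", 0.25 * i, False) for i in range(30)]
LEGIT = [("203.0.113.5", 1.0 * i, i % 5 != 0) for i in range(10)]
```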
Who we are blocking:
You have either been directed to this page because your system has been blocked, or you are following a link to
read why and how we perform this blocking. Click here to see the systems currently being blocked:
Current Systems Being Blocked
Historic listing of Dictionary Attacks
If your machine is blocked and should not be, please let us know and we will whitelist it.
Click here to get your server whitelisted