Dictionary Attack Prevention
A dictionary attack is when a spammer randomly ‘invents’ the local part (the username before the @ in an email address) in an effort to force junk mail into a user’s catch-all account. If you set your default/catch-all address in cPanel to :fail:, these messages will not be delivered to you, and the sender’s host will notify the sender that the address does not exist. The downside is that there are cases where it is useful for a user to ‘invent’ an email address ‘on the fly’ without first setting up an email account or forwarder.
We have configured the email server to recognize and identify this type of spamming behavior. If four consecutive email messages sent by the same IP address fail to be addressed to actual users, that sending IP address will be flagged as a source of dictionary attacks. Once flagged, the IP address will be placed on a temporary ban list, and no further email will be accepted from it during the temporary ban period.
Identifying and blocking hosts that launch dictionary attacks also reduces spam for those not using the :fail: option, because email is still filtered based on an IP address’s history of sending spam via dictionary attack to other hosts on the system. ‘On the fly’ addresses continue to work for those who want such addresses forwarded to their catch-all or any other existing email account.
Why the ban period is temporary: We recognize that mistakes can be made when addressing email. We do not want to permanently ban anyone for using the wrong email address to contact a user. We also recognize that the majority of these spam sources are dialup account users whose IP address will be rotated off to another user. It is also important to note that the blocking applies only to receipt of email; IP addresses are not banned from accessing any other service (web, FTP, etc.).
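The following is an added example, not the mail server's actual configuration or code: a small Python model of the rule described above (four consecutive unknown-recipient failures from one IP trigger a temporary ban that later expires), replayed over constructed events. The ban length of one hour, the class and function names, and the sample IP addresses are assumptions; the page does not state the ban duration.

```python
from dataclasses import dataclass, field

FAIL_THRESHOLD = 4   # from the page: four consecutive failed recipients
BAN_SECONDS = 3600   # assumed value; the page does not give the ban length

@dataclass
class DictionaryAttackTracker:
    threshold: int = FAIL_THRESHOLD
    ban_seconds: int = BAN_SECONDS
    streak: dict = field(default_factory=dict)        # ip -> consecutive failures
    banned_until: dict = field(default_factory=dict)  # ip -> ban expiry (epoch s)

    def is_banned(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.banned_until[ip]   # temporary ban has lapsed
            expiry = None
        return expiry is not None

    def observe(self, ip, recipient_exists, now):
        """Classify one delivery attempt and update per-IP state."""
        if self.is_banned(ip, now):
            return "rejected-banned"    # refused even if the recipient is valid
        if recipient_exists:
            self.streak[ip] = 0         # a valid recipient breaks the streak
            return "accepted"
        self.streak[ip] = self.streak.get(ip, 0) + 1
        if self.streak[ip] < self.threshold:
            return "unknown-user"       # ordinary bounce, e.g. a typo
        self.banned_until[ip] = now + self.ban_seconds
        self.streak[ip] = 0
        return "banned-now"

# Constructed sample events: (epoch seconds, sending IP, recipient exists?)
SAMPLE_EVENTS = [
    (0, "192.0.2.10", False),
    (1, "192.0.2.10", False),
    (2, "198.51.100.7", False),   # a single mistyped address
    (3, "198.51.100.7", True),    # the same sender then gets it right
    (4, "192.0.2.10", False),
    (5, "192.0.2.10", False),     # fourth consecutive failure
    (6, "192.0.2.10", True),      # inside the ban window
    (3700, "192.0.2.10", True),   # after the assumed ban has expired
]

def replay(events, tracker=None):
    tracker = DictionaryAttackTracker() if tracker is None else tracker
    return [tracker.observe(ip, exists, ts) for ts, ip, exists in events]
```

Calling replay(SAMPLE_EVENTS) returns one verdict per event; state is kept per sending IP, so the single typo from the second address never counts toward the first address's streak.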





