icakmakli wrote:
> But there's no mail on the firewall. Most probably the mail bounces from
> the firewall. Is there a way to capture the mail and look at the headers?
> If I am sure that the mail bombing comes from that address, how can I
> prove that the mail bombing comes from that address? Is the firewall log
> enough or not?
>
I'm not sure I understand your problem. Here is what I suggest.

The bomber uses other mail servers to bomb YOUR site, but you can still see
in the headers of the mail you receive the name of the machine that really
initiated the TCP connection to the "spoofed" mail server used for
anonymisation. So accept the mail just once before adding new rules on your
firewall.

I don't know if some firewalls can filter messages on the ASCII content of
the message (in this case, the name of the offending machine appearing in
the headers) (it may be dangerous), but some other "sensor products" do. I
just discovered that FireWall-1 couldn't do that!!

You could still imagine defining the original address of the bomber as the
signature of a virus, and combining your firewall with Content Vectoring
Protocol (and an antivirus server such as Virusafe Firewall)!!

I admit there should be easier solutions.
Pierre
--
/---------------------------------------------------\
Pierre GERMAIN PERFORM SA
tel 04-42-93-19-93
fax 04-42-26-23-43
\---------------------------------------------------/
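The header walk Pierre describes, as an added example that is not part of the original thread: each MTA on the path prepends a Received: line naming the host that connected to it, so reading the chain from the bottom up leads back to the machine that first injected the message. The message text, host names and addresses below are constructed, and the set of "trusted" MTAs is an assumption about which relays are under your own control; a Received: line is only as honest as the MTA that wrote it, so the code reports separately what the chain claims and how far down that claim is vouched for by a trusted host.

```python
"""Walk a message's Received: chain back to the host that first injected it.

Added example, not code from the original thread. The message text, host
names and addresses below are constructed; the trusted-MTA set is an
assumption about your own mail path.
"""
import re
from collections import Counter
from email import message_from_string

# from <helo> (<rDNS> [<ip>]) by <mta> ... ; each MTA prepends one of these.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client announced in HELO/EHLO
    r"(?:\s*\((?P<peer>[^)]*)\))?"      # what the receiving MTA saw: rDNS and [ip]
    r"\s+by\s+(?P<by>\S+)",            # the MTA that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: our MTA (mx.example.net) took the message from an open
# relay, which in turn took it from the bomber's own machine.
SAMPLE_MAIL = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id 7A1B2C
\tfor <victim@example.net>; Tue, 3 Mar 1998 10:15:02 +0100
Received: from bomber.example.com (bomber.example.com [203.0.113.5])
\tby relay.example.org (8.8.8/8.8.8) with SMTP id KAA12345
\tfor <victim@example.net>; Tue, 3 Mar 1998 10:14:58 +0100
From: nobody@example.org
To: victim@example.net
Subject: test 1

body
"""

# Same path, but the bomber typed a fake Received: line into the message
# before handing it to the relay, to blame an innocent third host.
FORGED_MAIL = SAMPLE_MAIL.replace(
    "From: nobody@example.org",
    "Received: from innocent.example.net (innocent.example.net [198.51.100.7])\n"
    "\tby bomber.example.com with SMTP id FAKE01; Tue, 3 Mar 1998 10:14:50 +0100\n"
    "From: nobody@example.org",
)


def parse_received(value):
    """Pull HELO name, observed peer name/IP and the writing MTA from one header."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    peer = m.group("peer") or ""
    ip = IP_RE.search(peer)
    return {
        "helo": m.group("helo"),
        "peer": peer.split()[0] if peer else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").lower(),
    }


def received_chain(raw):
    """Hops oldest-first: headers are prepended, so the last Received: is the first hop."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def trace_origin(raw, trusted_mtas):
    """Name the host the chain claims injected the message, and how far that
    claim is backed by headers written by MTAs we control."""
    hops = received_chain(raw)
    if not hops:
        return None
    trusted = {m.lower() for m in trusted_mtas}
    verified_peer = None                      # last host a trusted MTA saw connect
    for hop in reversed(hops):                # newest first
        if hop["by"] not in trusted:
            break                             # below here it is the sender's word
        verified_peer = hop["ip"] or hop["peer"] or hop["helo"]
    first = hops[0]
    return {
        "claimed_origin": first["ip"] or first["peer"] or first["helo"],
        "verified_peer": verified_peer,
        "fully_verified": all(h["by"] in trusted for h in hops),
    }


def bombing_sources(raw_messages, trusted_mtas, threshold):
    """Count claimed origins across a batch; hosts at or over the threshold are
    candidates for a firewall rule once the chain has been checked by hand."""
    counts = Counter()
    for raw in raw_messages:
        trace = trace_origin(raw, trusted_mtas)
        if trace:
            counts[trace["claimed_origin"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MAIL):
        print(f"{hop['peer']} [{hop['ip']}] -> {hop['by']}")
    print(trace_origin(SAMPLE_MAIL, {"mx.example.net"}))
    print(trace_origin(FORGED_MAIL, {"mx.example.net", "relay.example.org"}))
```

With only your own MX trusted, the relay's address is verified but the bomber's is merely claimed by a header the relay wrote; that is the "accept the mail once" step, after which you can ask the relay's operator for their log. The forged sample shows why a firewall rule should not be keyed on the bottom-most Received: line alone: the chain claims an innocent host, while the lowest hop a trusted MTA actually saw is the bomber.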