14
Current IDS Block Table
Idea shared by Bruce Barnes - April 3, 2015 at 8:46 AM
Completed
The new IP blocking feature, introduced a few versions ago, is a great tool and we have enabled it, with great success, on both our own installation as well as the SmarterMail servers of several clients.  It does have one minor shortfall, and that is that the table exists only as long as the SmarterMail server is not rebooted.
 
If this could be incorporated into a fluid table, which is written out to a file that holds the block, based on the configuration of the blocking action, until the blocking time is expired, it would become an even better tool because the accumulated data would not simply disappear every time it is necessary to reboot a server or perform maintenance on SmarterMail.
 
This is particularly true of those, albeit, unfortunate, ISPs who are more heavily bombarded with DDoS and Password Brute Force attacks.   I have a couple of clients in Europe whose Password Brute Force tables can grow to several hundred entries over the course of 24 to 36 hours.
 
Here's what we've set up to block, and how long we're blocking - and it works really well!
 
SmarterMail 13.3.3: DDoS, Harvesting, and Password Brute Force Rules
 
Thanks in advance for considering this new feature.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

16 Replies

2
Robert Emmett Replied
April 3, 2015 at 8:54 AM
Employee Post
We love this idea, Bruce, and can clearly see the value in retaining the current IDS block list between service restarts.  I have added this to our feature request list.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
SmarterUser Replied
June 4, 2015 at 5:30 AM
Please also add the block initiation and expiration times.  I would also like to see an option to make any of the blocks permanent.
1
Scarab Replied
June 4, 2015 at 9:52 AM
Thank you for considering this as a possible future feature.
 
We routinely get an average of 400 DoS, 400 Brute-Force, and about 24 Harvesters a day. We have been parsing an email box receiving notifications and outputting them to an XLS file to manually review daily and add the repeat offenders to the Smartermail Blacklist on all three of our servers (Primary and two Gateways). This is a really time-consuming process (although it does block anywhere from 2M-16M connections a day and reduces our Incoming Mail load by at least 50% which is why we take the time to bother). To have the ability to have blocks remain permanent, or semi-permanent (depending on preference) would be a huge time-saver for us.
3
Matthew Titley Replied
June 5, 2015 at 12:43 PM
Along these lines, I'd like to see a "three strikes and you're out" type of logic where if an IP address is caught repeatedly (admin defined) triggering brute force limits the offending IP goes to the perm ban list which would then require admin action to undo. I get tired of seeing DOS/brute force alerts from the same IP addresses over and over and having to make a manual ban.
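An added sketch, not from any poster and not SmarterMail's implementation, of what the requests above describe: a block table written to a file with start and expiry times so it survives a restart, plus an admin-defined strike limit after which a block becomes permanent until an admin removes it. The class name, JSON layout, file name and sample IP are assumptions made for illustration.

```python
import json, os, tempfile

class BlockTable:
    """File-backed IDS block table (hypothetical design for illustration)."""

    def __init__(self, path, max_strikes=3):
        self.path, self.max_strikes = path, max_strikes
        self.entries = {}  # ip -> {"rule", "started", "expires", "strikes"}
        if os.path.exists(path):  # reload whatever survived the last restart
            with open(path, encoding="utf-8") as fh:
                self.entries = json.load(fh)

    def _save(self):
        # Write a temp file, then rename, so a crash never leaves a torn table.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.entries, fh, indent=1)
        os.replace(tmp, self.path)

    def block(self, ip, rule, minutes, now):
        """Record a rule trigger; at max_strikes the block never expires."""
        entry = self.entries.get(ip, {"strikes": 0})
        entry["strikes"] += 1
        entry["rule"], entry["started"] = rule, now
        permanent = entry["strikes"] >= self.max_strikes
        entry["expires"] = None if permanent else now + minutes * 60
        self.entries[ip] = entry
        self._save()
        return entry

    def is_blocked(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return False
        # Expired entries stay on file as strike history but no longer block.
        return entry["expires"] is None or now < entry["expires"]

    def unblock(self, ip):
        """Admin action: the only way to lift a permanent block."""
        self.entries.pop(ip, None)
        self._save()

if __name__ == "__main__":
    # Constructed sample: 203.0.113.7 is a documentation-range address.
    path = os.path.join(tempfile.mkdtemp(), "ids_blocks.json")
    BlockTable(path).block("203.0.113.7", "Password Brute Force", 60, now=1000)
    restarted = BlockTable(path)  # a new instance stands in for a restart
    print(restarted.is_blocked("203.0.113.7", now=2000))  # inside the hour
    print(restarted.is_blocked("203.0.113.7", now=5000))  # after expiry
```

Times are plain epoch seconds passed in by the caller, which keeps expiry checks independent of the wall clock during testing.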
3
Bruce Barnes Replied
December 26, 2015 at 6:54 PM
Any further consideration on this, SmarterTools?

We just picked up a customer in France whose SmarterMail server was getting bombed by password brute force and DOS attacks, and having these tables auto-built by the attacks are great at stemming those attacks, but losing the data when restarting the SmarterMail service, or rebooting the server, leaves them a great deal more vulnerable until the tables are rebuilt.
 
If this can be included, whether as an update to the next version of SmarterMail 14.X, or in SmarterMail 15.X, it would be a very welcome addition to a great product.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
Kevin McNally Replied
May 19, 2016 at 12:02 PM
I'd also welcome this feature, every time we do an upgrade or restart the service we lose the whole list. Is there any update to this? We are currently using SM 14.6 and will be upgrading to 15 soon.
 
Kevin
 
Kevin McNally
Interactive Palette, Inc.
2
David Jamell Replied
May 20, 2016 at 5:19 AM
Nothing more I can add other than, YES, please add this feature!
0
Ionel Aurelian Rau Replied
July 14, 2016 at 12:10 AM
Any decisions on this?
 
It is not nice when you lose the IDS entries after each SmarterMail upgrade (this is pretty much the only time the server is rebooted).
2
Tim DeMeza Replied
August 3, 2016 at 3:00 PM
Please don't take this wrong but I cannot believe this is not in a table, xml file etc.  I did not know this.  It sure explains a lot of my frustrations I have had when having to restart the server.  Not to overly simplify this, but these developers should be able to save this to a table in their sleep at this point.  Anyway, any way this can be implemented ASAP would be appreciated. We have maintenance cycles that require reboots and this just seems like a no brainer.  I love SM but little things like this make me crazy.  Thanks for the consideration, and bump it up on the priority scale if possible.
0
Paul White Replied
August 3, 2016 at 5:34 PM
Another request I would like to add is the ability to detect what IP block an IP belongs to and then stop the entire block from sending email to us.  Many times an IP will attempt abuse, and will attempt again using another IP in the neighborhood.  If I detect an IP is trying an attack, I would love the server to automatically block the entire /24 /26  or whatever block of IPs it hangs with.  I have implemented my own solution like this where IPs and /24 blocks are automatically added to my firewall when attempting to send email that matches specific top level domains, or phrases.  After a while you start to see a pattern with connections coming from specific hosting providers, data centers or countries, where you can take a huge load off your server by taking a more Nuclear option.  I know this might not be realistic for global operations, but if you are a small business who does not do business outside your state, or even the USA, it could be very useful.
WhiteSites.com
Blog.whitesites.com
2
eswanzey Replied
January 18 at 4:04 PM
Bruce started this thread on April 3, 2015 and here we are about 1 1/2 years later with the feature still not implemented. Robert Emmett of SmarterTools liked the idea so much that he responded with agreement  8 MINUTES after the original post. Again, that was 1 1/2 years ago.
 
So really, what's the big deal with allocating a few developer hours towards getting this implemented?
0
Matthew Titley Replied
January 19 at 11:57 AM
Seeing how much of a big deal email security has been over the past year due to national security et al., I'd think that enhancing IDS features, such as described here, would have been implemented by now as low hanging fruit.
0
John Reid Replied
January 19 at 12:06 PM
Yea, I just migrated any non-US IP addresses from my IDS to my Windows Firewall as blocks. I do that before an upgrade, and sometimes in between to make it persistent. I have a somewhat streamlined process in place to do this, and it had been about 6 weeks since the last time I did it. It took 2 hours.
0
Paul White Replied
January 19 at 12:08 PM
I personally would like the ability to limit the IPs or hostnames that are allowed to authenticate for specific domains and or users.  I have clients who have offices with static IPs, and would like their employees to only check email from the office and not from home.  Then be able to set up rules in which any IP that attempts to authenticate to a domain or user that is locked down is immediately firewalled.
WhiteSites.com
Blog.whitesites.com
1
Andrea Rogers Replied
January 24 at 12:39 PM
Employee Post
Hi everyone,
 
I'm happy to report that I am changing this thread from Under Consideration to Planned. A future version of SmarterMail will include persistent IDS blocking. I don't have more details at the moment, but please stay tuned for updates! 
Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Matt Petty Replied
February 1 at 8:07 AM
Employee Post
I have some fantastic news! You will be seeing this feature in the next BETA build of SmarterMail 16!
Sneak Peek!
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
