Reverse DNS filtering, better abuse blocking and other ideas
Idea shared by Robert Simpson - April 27, 2016 at 11:13 AM
Proposed
Reverse DNS Filtering
Currently reverse DNS filtering is only on or off.
I'd like to conditionally block based on reverse DNS pattern matching such as *.reverse.ezzi.net. This is different from header filtering, because if I picked the "Received" header and typed the same search string, it would match on any Received header, and not just the most recent or currently connected IP address.
 
Abuse blocking
My server gets hit with POP and SMTP password harvesting attempts every day.  Every time I set the abuse threshold, the attackers find out what it is by hitting it until it blocks, and then set their harvesters to hammer the server just up to the limit but not exceeding it.
I need a dashboard, interactive report or something that can tell me every time a failed password attempt occurs:
Date, IP address, Reverse DNS, EHLO command (if applicable) and the username and/or password that was entered.
Additionally, a way to multi-select and block those IP addresses for POP/SMTP/etc. Currently I have to manually walk the SMTP/POP logs with Notepad, recording each attempt, looking up the reverse DNS or ARIN/RIPE/APNIC/etc. owner, and filtering out duplicate IPs. Then I have to take all the IPs in Notepad, comma-separate them, and bring them into the blacklist page by hand. It's a huge hassle.
The current EHLO tag blocking is not effective here.  It only works for SMTP of course, and these harvesters are using a wide variety of EHLO tags that make it impossible to filter.
 
Harvesters
Instead of setting up a rule that says "5 attempts in 30 minutes, block for 720 minutes" can we have some ranges instead?  How about randomly, 4 to 7 attempts in 30 to 60 minutes, block for 660-980 minutes?  Currently the abusers are using machines to find out what my limits are just by trial and error, and then setting their primary harvesters to skirt the limits so they don't get blocked.  A randomized number would help alleviate this problem as they could no longer tell for certain at what number of attempts their IP address will get blocked.
 

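A way to prototype the triage described in the post above, as an added example that is not part of the post or of the mail server it discusses. The Python below parses constructed SMTP/POP log lines (the line format, the IPs and the PTR names are all assumptions made for this example), records each failed login with date, IP, reverse DNS, EHLO tag and username, matches the PTR name of the connecting IP against a shell-style pattern such as *.reverse.ezzi.net, applies a per-IP threshold drawn at random from the ranges the post proposes, and emits a de-duplicated comma-separated blacklist. The FAKE_PTR table stands in for live reverse DNS so the script runs offline; pass ptr_table=None to use real lookups.

```python
import fnmatch
import random
import re
import socket
from datetime import datetime, timedelta

# Constructed sample log for this example (not real server output).
# Assumed line format: "<date> <time> [<ip>][<proto>] <message>".
SAMPLE_LOG = """\
2016-04-27 01:10:02 [203.0.113.10][smtp] EHLO ylmf-pc
2016-04-27 01:10:03 [203.0.113.10][smtp] AUTH failed for user admin@example.com
2016-04-27 01:18:40 [203.0.113.10][smtp] AUTH failed for user sales@example.com
2016-04-27 01:27:15 [203.0.113.10][smtp] AUTH failed for user info@example.com
2016-04-27 01:36:50 [203.0.113.10][smtp] AUTH failed for user test@example.com
2016-04-27 01:45:02 [203.0.113.10][smtp] AUTH failed for user postmaster@example.com
2016-04-27 02:00:00 [198.51.100.7][pop] AUTH failed for user bob@example.com
2016-04-27 02:30:00 [198.51.100.7][pop] AUTH failed for user bob@example.com
2016-04-27 03:05:00 [203.0.113.10][smtp] AUTH failed for user webmaster@example.com
2016-04-27 04:00:00 [192.0.2.33][smtp] EHLO mail.example.org
2016-04-27 04:00:01 [192.0.2.33][smtp] AUTH failed for user alice@example.com
"""

# Constructed PTR table standing in for live reverse DNS (192.0.2.33 has no PTR on purpose).
FAKE_PTR = {
    "203.0.113.10": "10.113.0.203.reverse.ezzi.net",
    "198.51.100.7": "dsl-100-7.isp.example",
}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"\[(?P<ip>[0-9.]+)\]\[(?P<proto>\w+)\] (?P<msg>.*)$")
FAIL_RE = re.compile(r"AUTH failed for user (?P<user>\S+)")
EHLO_RE = re.compile(r"^(?:EHLO|HELO) (?P<ehlo>\S+)")


def parse_failed_auths(log_text):
    """One record per failed login: ts, ip, proto, ehlo (SMTP only), user."""
    last_ehlo, records = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, proto, msg = m["ip"], m["proto"], m["msg"]
        e = EHLO_RE.match(msg)
        if e:
            last_ehlo[ip] = e["ehlo"]  # most recent greeting seen from this IP
            continue
        f = FAIL_RE.search(msg)
        if f:
            records.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "ip": ip, "proto": proto, "user": f["user"],
                            "ehlo": last_ehlo.get(ip, "") if proto == "smtp" else ""})
    return records


def reverse_dns(ip, ptr_table=None):
    """PTR name for the connecting IP, or "" if none; ptr_table replaces the live lookup."""
    if ptr_table is not None:
        return ptr_table.get(ip, "")
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # includes socket.herror / socket.gaierror
        return ""


def rdns_matches(hostname, patterns):
    """Shell-style match of the connecting IP's own PTR name, not of every Received header."""
    return any(fnmatch.fnmatch(hostname.lower(), p.lower()) for p in patterns)


class RandomizedLimiter:
    """Block an IP once it reaches a limit drawn at random from the given ranges.

    The limit, window and block length are re-drawn for an IP every time its window
    expires or its block ends, so probing one block boundary reveals little about the next.
    """

    def __init__(self, attempts=(4, 7), window_min=(30, 60), block_min=(660, 980), rng=None):
        self.attempts, self.window_min, self.block_min = attempts, window_min, block_min
        self.rng = rng if rng is not None else random.SystemRandom()
        self.state, self.blocked = {}, {}  # ip -> window state / ip -> block expiry

    def record(self, ip, ts):
        """Register a failed login; return the block expiry if this attempt trips the limit."""
        if ip in self.blocked and ts < self.blocked[ip]:
            return None  # still blocked; the attempt should already have been refused
        st = self.state.get(ip)
        if st is None or ts - st["start"] > st["window"]:
            st = self.state[ip] = {"limit": self.rng.randint(*self.attempts),
                                   "window": timedelta(minutes=self.rng.randint(*self.window_min)),
                                   "start": ts, "count": 0}
        st["count"] += 1
        if st["count"] >= st["limit"]:
            until = ts + timedelta(minutes=self.rng.randint(*self.block_min))
            self.blocked[ip] = until
            del self.state[ip]  # fresh draw once the block ends
            return until
        return None


def triage(log_text, limiter, ptr_table=None, rdns_patterns=()):
    """Dashboard rows (date, IP, rDNS, EHLO, user, block) plus the set of IPs to blacklist."""
    rows, to_block = [], set()
    for r in parse_failed_auths(log_text):
        host = reverse_dns(r["ip"], ptr_table)
        until = limiter.record(r["ip"], r["ts"])
        rows.append({**r, "rdns": host, "blocked_until": until})
        if until is not None or rdns_matches(host, rdns_patterns):
            to_block.add(r["ip"])
    return rows, to_block


def blacklist_csv(ips):
    """De-duplicated, comma-separated list ready to paste into a blacklist page."""
    return ",".join(sorted(set(ips), key=lambda ip: tuple(int(o) for o in ip.split("."))))


if __name__ == "__main__":
    rows, block = triage(SAMPLE_LOG, RandomizedLimiter(), FAKE_PTR, ["*.reverse.ezzi.net"])
    for r in rows:
        print(r["ts"], r["ip"], r["rdns"] or "-", r["ehlo"] or "-", r["user"], r["blocked_until"] or "")
    print("blacklist:", blacklist_csv(block))
```

Two caveats a practitioner would want. A PTR name is set by whoever runs the reverse zone for that address block, so it is fine as a signal for blocking but should not be trusted for allow decisions without checking that the name resolves forward to the same IP. And the limiter keys on the source IP only; a harvester spread across many addresses stays under any per-IP threshold, random or not, so the username column in the dashboard (the same mailbox tried from many IPs) is the better pivot for that case.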