Back to Community Threads
1
DOS-IMAP blocks on regular users
Problem reported by Charles Verrette - 11/22/2016 at 2:02 PM
Submitted
(Using Smartermail v15.3. )
Hi,
Since a couple months now, I have 3 users which are being repeatedly DOS-IMAP blocked by Smartermail. Our abuse detection for DOS-IMAP is set to a count of 200 connections in 5 minutes. I don't know what's happening with those users in particular. I've analysed the IMAP logs searching with their IP adresses and they all say they weren't doing anything particular at the exact time they get blacklisted.
 
I've included below an example of one of them who got blacklisted yesterday at 22:52:37. We can see at the beginning of the log the "normal" usage I think. His device making some requests to the server every 5 minutes.
 
After this time though: [2016.11.21] 22:49:36 [207.253.152.208][63423385]
The request number increases dramatically and I don't understand what's happening exactly. What could cause this if the client says he wasn't doing anything on his emails at that time?
 
The logs are a little bit too much for this text editor. Here's a link to DL the text file I made.
 
www.filedropper.com/clientlogssm_1
 
Here's two connections right before my client got blacklisted. Any idea what's going on there? It seems to be about deletion requests but i'm not sure.
 
[2016.11.21] 22:52:32 [207.253.152.208][47939239] connected at 11/21/2016 10:52:32 PM
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 1 CAPABILITY
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 2 AUTHENTICATE CRAM-MD5
[2016.11.21] 22:52:32 [207.253.152.208][47939239] clientusername@clientdomain.com logged in
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 3 CAPABILITY
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 4 SELECT "Client Name inc/Gouvernement"
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: * 1 EXISTS
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: * 0 RECENT
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: * OK [UIDVALIDITY 5115] UIDs valid
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: * OK [UIDNEXT 2] Predicted next UID
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)]
[2016.11.21] 22:52:32 [207.253.152.208][47939239] response: 4 OK [READ-WRITE] SELECT completed
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 5 UID SEARCH 1:* DELETED
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 6 UID SEARCH HEADER Message-ID <E44EC2A2DC87E047A23E1271444621680139C9ADD4@svr-exc2k10-01.rudsak.local> OR HEADER Message-ID <BN4PR07MB227527C3099A086DCA9BB301C5CE0@BN4PR07MB2275.namprd07.prod.outlook.com> OR HEADER Message-ID <BY2PR06MB471A6103D4F324A500445CEF4CE0@BY2PR06MB471.namprd06.prod.outlook.com> OR HEADER Message-ID <BY2PR06MB4714C2F6004DC16AAAB1065F4CE0@BY2PR06MB471.namprd06.prod.outlook.com> OR HEADER Message-ID <00CDAA6F-759C-42F5-B64B-30149A829871@sepaq.com> UNDELETED
[2016.11.21] 22:52:32 [207.253.152.208][47939239] command: 7 UID SEARCH HEADER Message-ID <48FBEC06-C479-4F2C-9E36-E5099BF98B15@clientdomain.com> UNDELETED
[2016.11.21] 22:52:32 [207.253.152.208][6976519] connected at 11/21/2016 10:52:32 PM
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 1 CAPABILITY
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 2 AUTHENTICATE CRAM-MD5
[2016.11.21] 22:52:32 [207.253.152.208][6976519] clientusername@clientdomain.com logged in
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 3 CAPABILITY
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 4 SELECT "Client Name inc/Mandats"
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: * 0 EXISTS
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: * 0 RECENT
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: * OK [UIDVALIDITY 5150] UIDs valid
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: * OK [UIDNEXT 1] Predicted next UID
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)]
[2016.11.21] 22:52:32 [207.253.152.208][6976519] response: 4 OK [READ-WRITE] SELECT completed
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 5 UID SEARCH 1:* DELETED
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 6 UID SEARCH HEADER Message-ID <E44EC2A2DC87E047A23E1271444621680139C9ADD4@svr-exc2k10-01.rudsak.local> OR HEADER Message-ID <BN4PR07MB227527C3099A086DCA9BB301C5CE0@BN4PR07MB2275.namprd07.prod.outlook.com> OR HEADER Message-ID <BY2PR06MB471A6103D4F324A500445CEF4CE0@BY2PR06MB471.namprd06.prod.outlook.com> OR HEADER Message-ID <BY2PR06MB4714C2F6004DC16AAAB1065F4CE0@BY2PR06MB471.namprd06.prod.outlook.com> OR HEADER Message-ID <00CDAA6F-759C-42F5-B64B-30149A829871@sepaq.com> UNDELETED
[2016.11.21] 22:52:32 [207.253.152.208][6976519] command: 7 UID SEARCH HEADER Message-ID <48FBEC06-C479-4F2C-9E36-E5099BF98B15@clientdomain.com> UNDELETED
 
 
Thanks in advance!
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Set up Mac mail with IMAPSmarterMail > Desktop and Mobile Synchronization
Windows Mail and SmarterMailSmarterMail > Desktop and Mobile Synchronization