false IDS block problem
Question asked by Arvin Biricik - December 9, 2016 at 6:57 AM
Unanswered
Hi everyone!

I want to ask a quick question. This might be too basic for you guys. Excuse me if it is...

I have this "denial of service" rule for "POP". 
Some legit IPs that I know are not abusing the server are falsely getting blocked by this rule.
When I check the logs I see these all over the place before the block:
[2016.12.09] 12:08:50 [88.230.120.240][30585100] connected at 12/9/2016 12:08:50 PM
[2016.12.09] 12:08:50 [88.230.120.240][30585100] AUTH
[2016.12.09] 12:08:50 [88.230.120.240][30585100] -ERR Invalid command
[2016.12.09] 12:08:50 [88.230.120.240][30585100] USER z.denasc@dascas.com
[2016.12.09] 12:08:51 [88.230.120.240][30585100] PASS XXXX
[2016.12.09] 12:08:51 [88.230.120.240][30585100] z.denasc@dascas.com logged in
[2016.12.09] 12:08:51 [88.230.120.240][30585100] STAT
[2016.12.09] 12:08:51 [88.230.120.240][30585100] +OK 0 0
[2016.12.09] 12:08:52 [88.230.120.240][30585100] QUIT
and this is the block happening:
[2016.12.09] 12:25:02 [88.230.120.240][42869402] connected at 12/9/2016 12:25:02 PM
[2016.12.09] 12:25:02 [88.230.120.240][42869402] "421 Server is busy, try again later." response returned.
[2016.12.09] 12:25:02 [88.230.120.240][42869402] IP is blacklisted
[2016.12.09] 12:25:02 [88.230.120.240][42869402] disconnected at 12/9/2016 12:25:02 PM
 
As you can see, whatever the user's mail client is sending is seen as an "invalid command" by SmarterMail.
Can I ask what is wrong with this command? How can I or the users prevent/correct this?
 
I will be glad to have your advice.
 
Thanks in advance.
Arvin
