Current IDS Block Table
Idea shared by Bruce Barnes - April 3, 2015 at 8:46 AM
Completed
The new IP blocking feature, introduced a few versions ago, is a great tool and we have enabled it, with great success, on both our own installation as well as the SmarterMail servers of several clients.  It does have one minor shortfall, and that is that the table exists only as long as the SmarterMail server is not rebooted.
 
If this could be incorporated into a fluid table, which is written out to a file that holds the block, based on the configuration of the blocking action, until the blocking time is expired, it would become an even better tool because the accumulated data would not simply disappear every time it is necessary to reboot a server or perform maintenance on SmarterMail.
 
This is particularly true of those, albeit, unfortunate, ISPs who are more heavily bombarded with DDoS and Password Brute Force attacks.   I have a couple of clients in Europe whose Password Brute Force tables can grow to several hundred entries over the course of 24 to 36 hours.
 
Here's what we've set up to block, and how long we're blocking - and it works really well!
 
SmarterMail 13.3.3: DDoS, Harvesting, and Password Brute Force Rules
 
Thanks in advance for considering this new feature.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

26 Replies

2
We love this idea, Bruce, and can clearly see the value in retaining the current IDS block list between service restarts.  I have added this to our feature request list.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Please also add the block initiation and expiration times.  I would also like to see an option to make any of the blocks permanent.
1
Thank you for considering this as a possible future feature.
 
We routinely get an average of 400 DoS, 400 Brute-Force, and about 24 Harvesters a day. We have been parsing an email box receiving notifications and outputting them to an XLS file to manually review daily and add the repeat offenders to the SmarterMail Blacklist on all three of our servers (Primary and two Gateways). This is a really time-consuming process (although it does block anywhere from 2M-16M connections a day and reduces our Incoming Mail load by at least 50%, which is why we take the time to bother). To have the ability to have blocks remain permanent, or semi-permanent (depending on preference) would be a huge time-saver for us.
0
Why don't you use <Denial of Service> and <Password Brute Force> for the POP protocol?
3
Along these lines, I'd like to see a "three strikes and you're out" type of logic where, if an IP address is caught repeatedly (admin defined) triggering brute force limits, the offending IP goes to the perm ban list, which would then require admin action to undo. I get tired of seeing DOS/brute force alerts from the same IP addresses over and over and having to make a manual ban.
3
Any further consideration on this, SmarterTools?

We just picked up a customer in France whose SmarterMail server was getting bombed by password brute force and DOS attacks, and having these tables auto-built by the attacks is great at stemming those attacks, but losing the data when restarting the SmarterMail service, or rebooting the server, leaves them a great deal more vulnerable until the tables are rebuilt.
 
If this can be included, whether as an update to the next version of SmarterMail 14.X, or in SmarterMail 15.X, it would be a very welcome addition to a great product.
Bruce Barnes
0
How are you capturing the individual IP addresses?

Are they stored somewhere?
Bruce Barnes
1
I'd also welcome this feature; every time we do an upgrade or restart the service we lose the whole list. Is there any update to this? We are currently using SM 14.6 and will be upgrading to 15 soon.
 
Kevin
 
Kevin McNally
Interactive Palette, Inc.
2
Nothing more I can add other than, YES, please add this feature!
0
Any decisions on this?
 
It is not nice when you lose the IDS entries after each SmarterMail upgrade (this is pretty much the only time the server is rebooted).
2
Please don't take this wrong but I cannot believe this is not in a table, xml file etc.  I did not know this.  It sure explains a lot of my frustrations I have had when having to restart the server.  Not to overly simplify this, but these developers should be able to save this to a table in their sleep at this point.  Anyway, any way this can be implemented ASAP would be appreciated. We have maintenance cycles that require reboots and this just seems like a no brainer.  I love SM but little things like this make me crazy.  Thanks for the consideration, and bump it up on the priority scale if possible.
1
Another request I would like to add is the ability to detect what IP block an IP belongs to and then stop the entire block from sending email to us.  Many times an IP will attempt abuse, and will attempt again using another IP in the neighborhood.  If I detect an IP is trying an attack, I would love the server to automatically block the entire /24, /26 or whatever block of IPs it hangs with.  I have implemented my own solution like this where IPs and /24 blocks are automatically added to my firewall when attempting to send email that matches specific top level domains, or phrases.  After a while you start to see a pattern with connections coming from specific hosting providers, data centers or countries, where you can take a huge load off your server by taking a more Nuclear option.  I know this might not be realistic for global operations, but if you are a small business who does not do business outside your state, or even the USA, it could be very useful.
WhiteSites.com
Blog.whitesites.com
0
Yes. We definitely need this. As an ISP we are always getting heavily bombarded.

Better yet, how about these get enforced via a "Windows Firewall with Advanced Security" rule and scope. Then I can place my manual blocks and the IDS ones together making it easier to figure out where the block is. I would rather block it at the edge (of Windows) than after it hits the service anyhow.
0
Yes, I would also love to see this implemented. I have been trying to figure out the logic to something like this using Snort on Windows for several days.
2
Bruce started this thread on April 3, 2015 and here we are about 1 1/2 years later with the feature still not implemented. Robert Emmett of SmarterTools liked the idea so much that he responded with agreement  8 MINUTES after the original post. Again, that was 1 1/2 years ago.
 
So really, what's the big deal with allocating a few developer hours towards getting this implemented?
0
Seeing how much of a big deal email security has been over the past year due to national security et al., I'd think that enhancing IDS features, such as described here, would have been implemented by now as low hanging fruit.
0
Yea, I just migrated any non-US IP addresses from my IDS to my Windows Firewall as blocks. I do that before an upgrade, and sometimes in between to make it persistent. I have a somewhat streamlined process in place to do this, and it had been about 6 weeks since the last time I did it. It took 2 hours.
0
I personally would like the ability to limit the IPs or hostnames that are allowed to authenticate for specific domains and or users.  I have clients who have offices with static IPs, and would like their employees to only check email from the office and not from home.  Then be able to setup rules in which any IP that attempts to authenticate to a domain or user that is locked down is immediately firewalled.  
WhiteSites.com
Blog.whitesites.com
0
I am finding bots that are getting pretty smart and stay under your suggested abuse detection thresholds. It's gotten to the point where if I see specific hostnames, or attempts to access specific user accounts that don't exist, I am automatically firewalling them. To anyone who doesn't take this seriously: check your SMTP logs for the word "failed".
WhiteSites.com
Blog.whitesites.com
1
Hi everyone,
 
I'm happy to report that I am changing this thread from Under Consideration to Planned. A future version of SmarterMail will include persistent IDS blocking. I don't have more details at the moment, but please stay tuned for updates! 

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

0
Thatta' way Andrea!
0
Hi Andrea,

While it is great that this is getting changed from Under Consideration to Planned, we were promised this feature would be in Version 16. Version 16 is here now, and this feature is not. Furthermore "a future version of SmarterMail" implies we will not be getting it until at least Version 17 if not later.

This is pretty typical of SmarterMail feature promises to keep getting pushed out, and it is one of the things you can see complained about frequently in these forums. I chose to allow my upgrade protection to lapse in December because I suspected this would happen with more than one of the promised Version 16 features. Thank you for validating that I made the proper decision to not give you any more money until the promises are kept.
1
I have some fantastic news! You will be seeing this feature in the next BETA build of SmarterMail 16!
Sneak Peek!
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Is there going to be a simple way (a button in a grid) that we can convert to a permanent block? I also believe that it would be great to store all IPs even after the expiration; that way you can store a count as well. In other words, update the expired record, increment a block counter, and update the expiration date. It would be handy to know that this specific IP has been blocked 12 times. Then it makes perfect sense to make it a permanent block.
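A sketch of what this post and the earlier "three strikes" reply ask for: a block table that is written out as JSON, keeps expired records so a per-IP block counter accumulates, escalates to a permanent ban after a threshold, and still lets an admin clear an entry. This is an added example in Python, not SmarterMail's code; the 3600-second block length and the 3-block permanent threshold are assumed policy values.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Policy values are constructed for this example, not SmarterMail settings.
BLOCK_SECONDS = 3600   # length of a temporary block, in seconds
PERMANENT_AFTER = 3    # "three strikes": block count that makes a ban permanent


@dataclass
class BlockEntry:
    blocked_at: float            # when the current block started
    expires_at: Optional[float]  # None means the block is permanent
    block_count: int             # how many times this IP has been blocked


class PersistentBlockTable:
    """Block table that survives restarts via dump()/load() and keeps
    expired records so repeat offenders accumulate a count."""

    def __init__(self) -> None:
        self.entries: Dict[str, BlockEntry] = {}

    def block(self, ip: str, now: float) -> BlockEntry:
        """Called each time the IDS trips for ip; escalates repeat offenders."""
        entry = self.entries.get(ip)
        if entry is None:
            entry = BlockEntry(now, now + BLOCK_SECONDS, 1)
            self.entries[ip] = entry
        elif entry.expires_at is not None:
            # Expired or active record: update it instead of replacing it.
            entry.block_count += 1
            entry.blocked_at = now
            entry.expires_at = (None if entry.block_count >= PERMANENT_AFTER
                                else now + BLOCK_SECONDS)
        # A permanent entry is left untouched until an admin clears it.
        return entry

    def is_blocked(self, ip: str, now: float) -> bool:
        entry = self.entries.get(ip)
        return entry is not None and (entry.expires_at is None or now < entry.expires_at)

    def unblock(self, ip: str) -> bool:
        """Admin clear; required once blocks no longer vanish on restart."""
        return self.entries.pop(ip, None) is not None

    def dump(self) -> str:
        return json.dumps({ip: asdict(e) for ip, e in self.entries.items()})

    @classmethod
    def load(cls, text: str) -> "PersistentBlockTable":
        table = cls()
        table.entries = {ip: BlockEntry(**e) for ip, e in json.loads(text).items()}
        return table
```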
0
Just please remember that if a person gets locked out of the webmail interface, we have no way to clear that currently from the IDS controls. I believe this is because the user is blocked rather than the IP address. Right now the only way to clear that block is to restart the SmarterMail service, and if the blocks become persistent, we MUST HAVE a way to clear that block from the GUI.
0
Hello Bruce, it's a great feature... but I have one query: can we stop the rules for the time being, or disable the IDS service for the time being?
