We love this idea, Bruce, and can clearly see the value in retaining the current IDS block list between service restarts.  I have added this to our feature request list.

Please also add the block initiation and expiration times.  I would also like to see an option to make any of the blocks permanent.

Thank you for considering this as a possible future feature.

 

We routinely get an average of 400 DoS, 400 Brute-Force, and about 24 Harvesters a day. We have been parsing an email box receiving notifications and outputting them to an XLS file to manually review daily and add the repeat offenders to the Smartermail Blacklist on all three of our servers (Primary and two Gateways). This is a really time-consuming process (although it does block anywhere from 2M-16M connections a day and reduces our Incoming Mail load by at least 50% which is why we take the time to bother). To have the ability to have blocks remain permanent, or semi-permanent (depending on preference) would be a huge time-saver for us.

Along these lines, I'd like to see a "three strikes and your out" type of logic where if an IP address is caught repeatedly (admin defined) triggering brute force limits the offending IP goes to the perm ban list which would then require admin action to undo. I get tired of seeing DOS/brute force alerts from the same IP addresses over and over and having to make a manual ban.

 

I'd also welcome this feature, every time we do an upgrade or restart the service we loose the whole list. Is there any update to this? We are currently using SM 14.6 and will be upgrading to 15 soon.

 

Kevin

 

Nothing more I can add other than, YES, please add this feature!

Any decisions on this?

 

It is not nice when you lose the IDS entries after each SmarterMail upgrade (this is pretty much the only time the server is rebooted).

Another request I would like to add is the ability to detect what IP block an IP belongs to and then stop the entire block from sending email to us.  Many times an IP will attempt abuse, and will attempt again using another IP in the neighborhood.  If I detect an IP is trying an attack, I would love the server to automatically block the entire /24 /26  or whatever block of IPs it hangs with.  I have implimented my own solution like this where IPs and /24 blocks are automatically added to my firewall when attempting to send email that matches specific top level domains, or phrases.  After a while you start to see a pattern with connections coming from specific hosting providers, data centers or countries, where you can take a huge load off your server by taking a more Nuclear option.  I know this might not be realistic for global operations, but if you are small business who does not do business outside your state, or even the USA, it could be very useful.

Bruce started this thread on April 3, 2015 and here we are about 1 1/2 years later with the feature still not implemented. Robert Emmett of SmarterTools liked the idea so much that he responded with agreement  8 MINUTES after the original post. Again, that was 1 1/2 years ago.

 

So really, what's the big deal with allocating a few developer hours towards getting this implemented?

Seeing how much of a big deal email security has been over the past year due to national security et. al., I'd think that enhancing IDS features, such as described here, would have been implemented by now as low hanging fruit.

Yea, I just migrated any non-US IP addresses from my IDS to my Windows Firewall as blocks. I do that before an upgrade, and sometimes in between to make it persistent. I have a somewhat streamlined process in place to do this, and it had been about 6 weeks since the last time I did it. It took 2 hours.

I personally would like the ability to limit the IPs or hostnames that are allowed to authenticate for specific domains and or users.  I have clients who have offices with static IPs, and would like their employees to only check email from the office and not from home.  Then be able to setup rules in which any IP that attempts to authenticate to a domain or user that is locked down is immediately firewalled.  

Hi everyone,

 

I'm happy to report that I am changing this thread from Under Consideration to Planned. A future version of SmarterMail will include persistent IDS blocking. I don't have more details at the moment, but please stay tuned for updates! 

I have some fantastic news! You will be seeing this feature in the next BETA build of SmarterMail 16!
Sneak Peak!