Just a little more log info for blacklisted connections.
Idea shared by Opt-Out - 11/16/2014 at 5:57 PM
The day you added the connect-disconnect log entries for connections blocked by blacklisting was indeed a great day. It would be an even greater day if the "disconnected at..." log entry was changed to something like "disconnected by blacklist at...".
If there is already a way to search log files for blacklisted disconnects just let me know, I didn't see it.
Thank you!

I'd have to agree with this one. I blacklisted one of my own IP Addresses just to test. It blocked my SMTP attempt from that IP Address but the only information logged in the SMTP log is:
[2014.11.17] 17:30:37 [70.x.x.x][1075541] connected at 11/17/2014 5:30:37 PM
[2014.11.17] 17:30:37 [70.x.x.x][1075541] disconnected at 11/17/2014 5:30:37 PM
I think there should be a line added to the SMTP log indicating that the connection was blocked because the IP Address is on the Blacklist.
Employee Post
We have implemented additional log information for SMTP, POP, IMAP, and XMPP disconnects due to blacklisting. For example, the log will reflect the following:
[2014.11.18] 08:27:10 [70.x.x.x][56396980] connected at 11/18/2014 8:27:10 AM
[2014.11.18] 08:27:10 [70.x.x.x][56396980] on blacklist; dropping session...
[2014.11.18] 08:27:10 [70.x.x.x][56396980] disconnected at 11/18/2014 8:27:10 AM
It should be in the next minor release of SM 13.
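One way to search a log for blacklist disconnects once the new line is present, as an added example that is not part of the employee's post or SmarterMail's own code. It groups lines by IP and session ID using the layout shown in the excerpts above; the `cmd:` line and the 203.0.113.9 session in the sample are constructed for illustration.

```python
import re

# Layout taken from the excerpts in this thread:
#   [YYYY.MM.DD] HH:MM:SS [client-ip][session-id] message
LINE_RE = re.compile(r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[([^\]]+)\]\[(\d+)\] (.*)$")
BLACKLIST_MARK = "on blacklist; dropping session"

def summarize_sessions(lines):
    """Group log lines by (ip, session id) and classify each session."""
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a per-session line
        date, time, ip, sid, msg = m.groups()
        s = sessions.setdefault(
            (ip, sid),
            {"ip": ip, "session": sid, "start": f"{date} {time}", "events": 0, "blacklisted": False})
        if msg.startswith(BLACKLIST_MARK):
            s["blacklisted"] = True
        elif not msg.startswith(("connected at", "disconnected at")):
            s["events"] += 1  # any other activity between connect and disconnect
    return list(sessions.values())

def blacklist_drops(lines):
    """Sessions the server dropped because the client IP was blacklisted."""
    return [s for s in summarize_sessions(lines) if s["blacklisted"]]

def silent_sessions(lines):
    """Sessions with only connect/disconnect lines (the older log shape)."""
    return [s for s in summarize_sessions(lines)
            if not s["blacklisted"] and s["events"] == 0]

# Constructed sample: the two excerpts from this thread plus one made-up
# session from a documentation address with a made-up protocol line.
SAMPLE = """\
[2014.11.17] 17:30:37 [70.x.x.x][1075541] connected at 11/17/2014 5:30:37 PM
[2014.11.17] 17:30:37 [70.x.x.x][1075541] disconnected at 11/17/2014 5:30:37 PM
[2014.11.18] 08:27:10 [70.x.x.x][56396980] connected at 11/18/2014 8:27:10 AM
[2014.11.18] 08:27:10 [70.x.x.x][56396980] on blacklist; dropping session...
[2014.11.18] 08:27:10 [70.x.x.x][56396980] disconnected at 11/18/2014 8:27:10 AM
[2014.11.18] 08:30:02 [203.0.113.9][56396981] connected at 11/18/2014 8:30:02 AM
[2014.11.18] 08:30:02 [203.0.113.9][56396981] cmd: EHLO mail.example.org
[2014.11.18] 08:30:03 [203.0.113.9][56396981] disconnected at 11/18/2014 8:30:03 AM
""".splitlines()

if __name__ == "__main__":
    print("blacklist drops:", [(s["ip"], s["session"]) for s in blacklist_drops(SAMPLE)])
    print("no reason logged:", [(s["ip"], s["session"]) for s in silent_sessions(SAMPLE)])
```

`silent_sessions` flags connect/disconnect pairs with nothing in between, which is all that a log written before this change shows for a blacklisted connection.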
Great news!
Very good
My blacklist is empty. Yet I see these messages in my POP log. Which feature of SmarterMail determined it was on a blacklist? What blacklist caused this?
Also, when I use Wireshark to capture the packets, the message that the client software gets is "421 Server is busy, try again later.". Shouldn't some reference to the error message that is sent to the client software be in the log to help track these errors down? Example: "disconnected at 11/18/2014 8:27:10 AM with 421 Server is busy, try again later."
Employee Post
Scott, any IP that violates the Abuse Detection policies automatically is added to the temporary blacklist (found under System Admin | Manage | Current IDS Blocks).  This is probably the reason why you are seeing this in the log without any permanent entry under Security | Blacklist.
I am new to email servers with SmarterMail 13 and have set up SmarterMail using the ChicagoNet suggestions. Checking my SMTP logs I was seeing my own IP (webserver and email on the same IP) trying to authenticate live email addresses. Checking the IDS blocks I also find my own IP indicated as DOS and Brute Force.
I have checked the Online Users in User Activity and I find IPs from China and me as system admin. I don't have any Chinese users, in fact there are only 36 users in total. The IP may be spoofed from Baidu the Chinese search engine so I have blacklisted their entire IP range as a trial.
Initially the server SMTP logs showed thousands of rejections which were blacklisted so I thought I had resolved the issue. Now I am not so sure as checking the IDS Blocks I find my IP address in there again.
I just found this.
This is awesome!
Question. We are using
  • SmarterMail Enterprise Edition
  • Version 14.4.5801
I am looking at the "view logs" section. As it hits each blacklist I am showing the logs say ""421 Server is busy, try again later." response returned."
Try again later? Is that the equivalent of a grey listing?
Or can we get it to return a dead like 404, server not found or no recipient or something?

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. In 2018, in just one year, we gave away 1,000 Free Computers!