Back to Community Threads
3
How to prevent Incoming Gateway from being blocked
Question asked by Scarab - 7/2/2015 at 3:36 PM
Unanswered
We have Smartermail Abuse Detection set as follows:
 
Denial of Service SMTP:  100 connections in 10 minutes Block 60 minutes
Bad SMTP Sessions (Harvesting): 30 connections in 60 minutes Block 60 minutes
 
Our SmarterMail Incoming Gateway is repeatedly being blocked by our primary SmarterMail Server lately. We are running our Incoming Gateway in SmartMail Gateway Mode.
 
Our Incoming Gateway is doing all Spam Checks on inbound email before handing it to our primary SmarterMail Server to deliver.
 
Is there a setting I should set to prevent it from being blocked by Abuse Detection rules? I assume that Whitelisting would defeat the purpose of the Gateway doing Anti-Spam checks if we did Whitelist it.
 
Weirder thing is I don't believe that it was ever getting blocked prior to upgrading to v14. Now it is happening almost every hour during peak hours (8am-4pm).
 
 

11 Replies

Reply to Thread
0
Scarab Replied
7/13/2015 at 2:05 PM
Any ideas at all? Anyone? Our Incoming Gateway is getting blocked every 7 minutes now during peak hours. I'm beginning to get desperate as I have to spend my entire day manually unblocking it from the Current IDS Blocks screen and I really don't want to roll back to v13.
0
Employee Replied
7/13/2015 at 2:56 PM
Employee Post
Hi Scarab,
 
Do you have the IP added to the "Bypass Gateways" tab on the "Antispam Administration" page?
0
Scarab Replied
7/13/2015 at 4:20 PM
Yes. I have an entry in Bypass Gateways on the Primary for both the Internal and External IPs (as I wasn't sure which SM uses) of the Incoming Gateway.

The only thing that I can think of that may be a factor is that our Primary is running SM Ent v14.0.5647 on WS2008R2 with a SHA256 Cert and our Incoming Gateway is still on SM Free v13.3.5535 on WS2003 with a SHA Cert (we are running a bit behind on getting our secondary systems upgraded to WS2012R2 waiting for new hardware to arrive from Dell). Both servers still have TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA in common.
0
User Replied
7/13/2015 at 4:36 PM
It would be whatever IP you see in the primary servers SMTP logs for connections from the incoming gateway.

There is definitely code there to skip any IDS blocks on IP's in the bypass gateways list. I'll test that to make sure it's working and get back to you.
0
User Replied
7/14/2015 at 9:58 AM
I tested that setting and it is skipping IDS blocks if the connecting IP address is in that bypass gateways list.

What do your SMTP logs say is happening for the blocked connections? For a DOS violation it would say "IP is blacklisted". For a password brute force violation it would say "IP blocked by brute force abuse detection rule".
0
Scarab Replied
7/14/2015 at 10:24 AM
Ever since I put an Event Notification on our Primary for IDS Blocks against our Incoming Gateway they have all been for "Abuse detection rule (Denial of Service) has been triggered by 207.55.232.7". The detailed SMTP Logs show dozens of the following entries every time the Abuse Detection is triggered:
 
[2015.07.13] 13:09:50 [207.55.232.7][10420181] connected at 7/13/2015 1:09:50 PM
[2015.07.13] 13:09:50 [207.55.232.7][10420181] "421 Server is busy, try again later." response returned.
[2015.07.13] 13:09:50 [207.55.232.7][10420181] IP is blacklisted
 
Below is a screenshot of our Bypass Gateways settings on our Primary SmarterMail Server [207.55.232.8] that is repeatedly blocking [207.55.232.7]:
 
Bypass Gateways
 
I can confirm that it has also triggered the Harvesting Abuse Detection "Abuse detection rule Major (EmailHarvesting) has been triggered by 207.55.232.7" on numerous occasions as well. However, this happens far less frequently (as in once in a week as opposed to once every 7 minutes for Denial of Service).
0
Matt Petty Replied
7/14/2015 at 1:35 PM
Employee Post
We have sent you a logging build in an attempt to get more information on the issue.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Colin M Replied
1/1/2016 at 9:04 AM
My gateways are also triggering EmailHarvesting when spammers are email harvesting despite being listed as both Incoming Gateways (Domain Forward) and in Bypass Gateways. This is bad since then all email from that IP is temporarily blocked.. Did you find a solution?
1
echoDreamz Replied
4/10/2017 at 4:57 PM
Was this ever addressed? We have the same issues in the latest v15 release.
0
Scarab Replied
4/10/2017 at 7:50 PM
This was fixed in v14 for IPs that are listed in Bypass Gateways but I can confirm that it still exists in the latest v15 release with Whitelisted IPs. We have one Web Server with legacy apps that don't use SMTP Authentication that is getting blocked by IDS Rules on a daily basis.
0
echoDreamz Replied
4/10/2017 at 9:27 PM
Weird, all of our backup MX gateways always get blocked for harvesting etc. We are running the currently latest build v15.5.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Sender Verification Shield and Incoming GatewaysSmarterMail > Server Configuration and Management
Find a Compromised AccountSmarterMail > Troubleshooting
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Configure SmarterMail as a Free Gateway ServerSmarterMail > Server Configuration and Management
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus