How to prevent Incoming Gateway from being blocked
Question asked by Scarab - July 2, 2015 at 3:36 PM
Unanswered
We have Smartermail Abuse Detection set as follows:
 
Denial of Service SMTP:  100 connections in 10 minutes Block 60 minutes
Bad SMTP Sessions (Harvesting): 30 connections in 60 minutes Block 60 minutes
 
Our SmarterMail Incoming Gateway is repeatedly being blocked by our primary SmarterMail Server lately. We are running our Incoming Gateway in SmartMail Gateway Mode.
 
Our Incoming Gateway is doing all Spam Checks on inbound email before handing it to our primary SmarterMail Server to deliver.
 
Is there a setting I should set to prevent it from being blocked by Abuse Detection rules? I assume that Whitelisting would defeat the purpose of the Gateway doing Anti-Spam checks if we did Whitelist it.
 
Weirder thing is I don't believe that it was ever getting blocked prior to upgrading to v14. Now it is happening almost every hour during peak hours (8am-4pm).
 
 

11 Replies

0
Scarab Replied
Any ideas at all? Anyone? Our Incoming Gateway is getting blocked every 7 minutes now during peak hours. I'm beginning to get desperate as I have to spend my entire day manually unblocking it from the Current IDS Blocks screen and I really don't want to roll back to v13.
0
Employee Replied
Employee Post
Hi Scarab,
 
Do you have the IP added to the "Bypass Gateways" tab on the "Antispam Administration" page?
0
Scarab Replied
Yes. I have an entry in Bypass Gateways on the Primary for both the Internal and External IPs (as I wasn't sure which SM uses) of the Incoming Gateway.

The only thing that I can think of that may be a factor is that our Primary is running SM Ent v14.0.5647 on WS2008R2 with a SHA256 Cert and our Incoming Gateway is still on SM Free v13.3.5535 on WS2003 with a SHA Cert (we are running a bit behind on getting our secondary systems upgraded to WS2012R2 waiting for new hardware to arrive from Dell). Both servers still have TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA in common.
0
User Replied
It would be whatever IP you see in the primary server's SMTP logs for connections from the incoming gateway.

There is definitely code there to skip any IDS blocks on IPs in the bypass gateways list. I'll test that to make sure it's working and get back to you.
0
User Replied
I tested that setting and it is skipping IDS blocks if the connecting IP address is in that bypass gateways list.

What do your SMTP logs say is happening for the blocked connections? For a DOS violation it would say "IP is blacklisted". For a password brute force violation it would say "IP blocked by brute force abuse detection rule".
0
Scarab Replied
Ever since I put an Event Notification on our Primary for IDS Blocks against our Incoming Gateway they have all been for "Abuse detection rule (Denial of Service) has been triggered by 207.55.232.7". The detailed SMTP Logs show dozens of the following entries every time the Abuse Detection is triggered:
 
[2015.07.13] 13:09:50 [207.55.232.7][10420181] connected at 7/13/2015 1:09:50 PM
[2015.07.13] 13:09:50 [207.55.232.7][10420181] "421 Server is busy, try again later." response returned.
[2015.07.13] 13:09:50 [207.55.232.7][10420181] IP is blacklisted
 
Below is a screenshot of our Bypass Gateways settings on our Primary SmarterMail Server [207.55.232.8] that is repeatedly blocking [207.55.232.7]:
 
[Screenshot: Bypass Gateways settings]
 
I can confirm that it has also triggered the Harvesting Abuse Detection "Abuse detection rule Major (EmailHarvesting) has been triggered by 207.55.232.7" on numerous occasions as well. However, this happens far less frequently (as in once in a week as opposed to once every 7 minutes for Denial of Service).
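A small log-triage helper, added here and not part of the thread or of SmarterMail itself: it parses the SMTP log format quoted above, computes each client IP's peak connection count inside a sliding 10-minute window (the window of the Denial of Service rule in the original question), and lists any IP from the Bypass Gateways set that the primary still logged as "IP is blacklisted". The 203.0.113.9 line and the second 13:09:52 session are constructed sample input; only 207.55.232.7 comes from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the SmarterMail SMTP log format quoted in the thread.
# 207.55.232.7 is the gateway IP from the thread; the 203.0.113.9 line and the
# second 13:09:52 session are made-up so the window logic has something to count.
SAMPLE_LOG = """\
[2015.07.13] 13:09:50 [207.55.232.7][10420181] connected at 7/13/2015 1:09:50 PM
[2015.07.13] 13:09:50 [207.55.232.7][10420181] "421 Server is busy, try again later." response returned.
[2015.07.13] 13:09:50 [207.55.232.7][10420181] IP is blacklisted
[2015.07.13] 13:09:51 [203.0.113.9][10420182] connected at 7/13/2015 1:09:51 PM
[2015.07.13] 13:09:52 [207.55.232.7][10420183] connected at 7/13/2015 1:09:52 PM
[2015.07.13] 13:09:52 [207.55.232.7][10420183] IP is blacklisted
"""
# [yyyy.mm.dd] hh:mm:ss [client-ip][session-id] message
LINE_RE = re.compile(r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[([\d.]+)\]\[\d+\] (.*)$")

def parse(log):
    """Yield (timestamp, client_ip, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m[1]} {m[2]}", "%Y.%m.%d %H:%M:%S")
            yield ts, m[3], m[4]

def connection_peaks(log, window=timedelta(minutes=10)):
    """Highest number of 'connected' events per IP inside any sliding window."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip, msg in parse(log):
        if not msg.startswith("connected at"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop connections older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def dos_offenders(log, threshold=100, window=timedelta(minutes=10)):
    """IPs that would trip a 'threshold connections in window' Denial of Service rule."""
    return sorted(ip for ip, n in connection_peaks(log, window).items() if n >= threshold)

def blocked_bypass_ips(log, bypass):
    """Bypass-gateway IPs the primary nonetheless logged as blacklisted, with a hit count."""
    hits = defaultdict(int)
    for _, ip, msg in parse(log):
        if msg == "IP is blacklisted" and ip in bypass:
            hits[ip] += 1
    return dict(hits)
```

Running `blocked_bypass_ips` over a day's log with the IPs from the Bypass Gateways tab is a quick way to confirm whether the bypass is actually being honoured, and `dos_offenders(log, 100)` shows which IPs would legitimately hit the configured rule.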
0
Matt Petty Replied
Employee Post
We have sent you a logging build in an attempt to get more information on the issue.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Colin M Replied
My gateways are also triggering EmailHarvesting when spammers are email harvesting despite being listed as both Incoming Gateways (Domain Forward) and in Bypass Gateways. This is bad since then all email from that IP is temporarily blocked. Did you find a solution?
1
echoDreamz Replied
Was this ever addressed? We have the same issues in the latest v15 release.

Christopher

0
Scarab Replied
This was fixed in v14 for IPs that are listed in Bypass Gateways but I can confirm that it still exists in the latest v15 release with Whitelisted IPs. We have one Web Server with legacy apps that don't use SMTP Authentication that is getting blocked by IDS Rules on a daily basis.
0
echoDreamz Replied
Weird, all of our backup MX gateways always get blocked for harvesting etc. We are running the currently latest build v15.5.

Christopher
