When an IP address is SMTP blacklisted via Web Service, it takes too long to stop threat
Problem reported by Lyle Hancock - September 4, 2015 at 2:32 PM
Resolved
We use MXRouter to do our spam filtering and take countermeasures against numerous types of hacking and abuse. MXRouter tails SmarterMail's log files to detect unauthorized login attempts among other abuses. In turn, it will blacklist a failed login via SmarterMail's web service.

The problem is when MXRouter SMTP blacklists an IP address via web services, it can take a long time before SmarterMail actually blocks the IP address, affording the perpetrator numerous more attempts as can be seen in the screenshot below. The "**** Added IP address..." message is generated after MXRouter confirms that the IP address was successfully added to SmarterMail's blacklist. Manual inspection confirms it was added too.

Not being able to stop a hacking attempt quickly seems a security vulnerability, particularly if there is a coordinated bot attack where literally thousands of login attempts will be accepted despite the IP addresses having been blacklisted on the first detected attempt.
 
Is there any setting in SmarterMail that will make it more responsive to an IP address being blacklisted?
 
Screenshot

4 Replies

0
Why not just configure SMTP Blocking rules?
1
RE: "Web interface way too slow" Server operating system, SmarterMail version, number of users, server configuration, bandwidth availability, and what other applications are running on the server on which SmarterMail is installed.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
I would ditch the SNMP protocol - downright dangerous from a security perspective. Also, test your ACTUAL bandwidth on speedtest.comcast.net - FROM THE SERVER DESKTOP, UNDER FULL LOAD, to several of the testing points, to see actual speed of your circuit - never trust claims or SLAs. Is SmarterMail set up under IIS 8 / SSL? Is SmarterMail webserver DISABLED? Is anything else running under IIS?
Bruce Barnes
0
So, did disabling the internal SmarterMail IIS take care of your issue?
 
 
Bruce Barnes