Abuse Detection Blocking: SmarterMail is Blocking its Own Server
Problem reported by Steve Vibert - September 14, 2016 at 9:39 AM
Submitted
We’ve been seeing a tremendous amount of foreign IP addresses attempting to hack into our users’ email accounts.  We have strengthened our password requirements and have enabled “Password Brute Force by Protocol” Abuse Detection.  We currently allow 4 SMTP authentication attempts in 10 minutes with a “Block Time” of 60 minutes.  This has worked well in slowing down account hacking attempts.  But it’s also had the annoying side effect of blocking the SM Mail server’s default Gateway IP address when a user on our internal network forgets their password and guesses (or fat fingers) it multiple times.  When this happens, the gateway IP shows up in SMTP IDS block list and in the SMTP log with entries similar to the following:
 
11:23:21 [10.123.1.1][5107771] IP blocked by brute force abuse detection rule
 
SM is running on a server located on a DMZ (configured on a Cisco ASA 5510) with an IP address of 10.123.1.35.  As you might guess, bad things happen when SmarterMail blocks its own gateway IP address (10.123.1.1) and it can no longer send mail—not ideal.
 
Any thoughts?
 
Thanks -- Steve

8 Replies

0
Scarab Replied
Two questions for you:
 
1. What version of SmarterMail are you on?
2. Do you have your Gateway listed in SECURITY > ANTISPAM ADMINISTRATION > BYPASS GATEWAYS?
 
The reason I ask is that we had the same problem and it was resolved in v14 of SmarterMail, so long as your Gateway's IP is listed in the Bypass Gateways.
0
Steve Vibert Replied
We're running Enterprise 15.2. As it turns out I don't have any entries in Bypass Gateways. I had a look at the help file and it's still not clear to me what these entries do.

Does this effectively whitelist my gateway IP?

Thanks -- Steve
0
Scarab Replied
Steve,

Yes. When an IP is added to the Bypass Gateways then that Hop will be skipped when doing Spam Checks *AND* it effectively Whitelists that IP from IDS/Abuse Detection rules in SmarterMail.

There was a known issue with SmarterMail's IDS being triggered by IPs listed in the Bypass Gateways in 14.0.XXX, but it was resolved in 14.2.XXX (we had to open a Trouble Ticket and work with SmarterTools over the course of 3 months to get it resolved), as our Incoming Gateways get a high amount of traffic and would otherwise get blocked for DoS every couple of minutes whenever spammers would send email to non-existent email addresses or a sender's Mail Server didn't honor "451 Greylisted: Try again in 120 seconds" responses.
0
Steve Vibert Replied
Thanks Scarab--I'll give it a try.

Steve
0
Steve Vibert Replied
Sigh. That didn't work.  Emails sent from various appliances such as our PBX and backup servers are now being blocked as spam which wasn't happening prior to adding the mail server's gateway IP to Antispam Administration>Bypass Gateway.  Here's what the (sanitized) header looks like on one of the messages:
 
Return-Path: <asterisk@mypbx.corp.mydomain.local>
Received: from BedfordPBX.corp.mydomain.local (UnknownHost [10.123.1.1]) by mail.mydomain.org with SMTP;
   Fri, 16 Sep 2016 06:54:15 -0400
Received: by BedfordPBX.corp.mydomain.local (Postfix, from userid 499)
 id A34A6221183; Fri, 16 Sep 2016 06:55:20 -0400 (EDT)
Date: Fri, 16 Sep 2016 06:55:20 -0400
From: "Bedford Voicemail Admin" <voicemail@mydomain.org>
To: "CALLOUT VOICEMAIL BOX" <CalloutsVoicemail@mydomain.org>
Subject: You Have a New Voicemail Message
Message-ID: <Asterisk-6-462795638-3390-2876@BedfordPBX.corp.mydomain.local>
X-Asterisk-CallerID: 5555551212
X-Asterisk-CallerIDName: 5555551212
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----voicemail_6339028761024212803"
X-SmarterMail-Spam: Reverse DNS Lookup, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 35
 
Any ideas?
 
Thanks -- Steve
1
Steve Vibert Replied
Here's something the devs might want to check:
 
A nasty side-effect of adding then removing a Bypass Gateway entry seems to be that it blows away all of the anti-spam settings.  I removed the gateway IP address on a Friday afternoon and started noticing a large increase in delivered spam on Sunday afternoon when I was checking my email.  I didn't have a chance to look further into the issue until the following day.  By the time 9AM rolled around more than a dozen staff had dropped by my office to complain about the amount of spam they were receiving.
 
Logged in as an admin, I checked our anti-spam settings and every single checkbox on the Anti Spam Administration>Spam Checks page was unchecked.  I haven't tried to duplicate the problem since it's a time consuming PITA to re-enable all of the various spam checks.
 
Steve.
0
Dominick Meccarielli Replied
I had exactly the same problem as Steve. However, I did not know what caused the problem until reading his post. Fortunately I had a backup of the spamConfig.xml, but half a day went by before I figured out my spam controls were wiped.
1
Steve Vibert Replied
Disappointingly, not a single response from SmarterTools in nearly 4 months.  Surely, a simple "we're looking at it" or "this has been fixed in the current version" isn't too much to ask.
