Current IDS blocks - webmail?
Question asked by Jay Altemoos - 10/10/2016 at 1:19 PM
So looking at the Current IDS blocks section in SmarterMail 14.5.5907, I see there's a section for webmail listed. How do you specify a rule for this? I went into the Security section and went to Abuse Detection but the only options I get for Brute Force Password is SMTP, POP, XMPP, and LDAP. Even checking the other report options for DOS, etc. never mention webmail at all. Is this already hard coded in so that if someone was attempting brute force on the webmail login SM takes care of it? Or is there something I am missing? I am using IIS for SM and not the built in web engine. Not sure if that has anything to do with it, but I doubt it.

7 Replies

Reply to Thread
Employee Replied
Employee Post Marked As Answer
Hi Jay.  Webmail brute force attempts are hard-coded in the Web.CONFIG file at C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\
Search for "Login.BruteForceDetection.TriesBeforeBlock"
Jay Altemoos Replied
Thanks for the speedy reply Rod. I appreciate it. I will check it out.
Bruce Barnes Replied
Be nice to have this rule moved into the section with the other rules. Easier to monitor, modify, and much less likely to cause confusion when modifications get overwritten during upgrades of al types.
Bruce Barnes
ChicagoNetTech Inc

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
I checked this ,but changing those numbers seems to have no effect. Still users get blocked after 5 failed logins.
Jay Altemoos Replied
Hi Mohammadreza. If you changed a value in the XML file that Rod posted about, you will need to restart the SmarterMail service for this change to take affect. All values in XML files are stored in memory and only read when the service is restarted. If you didn't restart the SmarterMail service then that's why the value change never took affect.

In Windows you can find the service under: Services.MSC -> SmarterMail Service

I hope this helps.
Thanks Jay, I changed the values in the Web.config file and restarted the service. I also restarted the whole server but still users get blocked after 5 attempts !
Is there any other file I should change ?
Jay Altemoos Replied
What version of SmarterMail are you running? We are currently running version 15.7.6474 on our server. I currently have Login.BruteForceDetection.TriesBeforeBlock set to "10" in the config file. I just tested mine and it does block on 10 attempts and not the default 5. There should only be 1 entry for you to change. The other one I believe has to do with forgot password, which is ForgotPassword.BruteForceDetection.TriesBeforeBlock. Both of mine I have set to 10. Can you verify that the change saved?

Reply to Thread