Anonymous User - Chinese Location
Question asked by iba-labs-it - December 23, 2016 at 1:27 PM
Unanswered
Hello,
 
We are using SmarterMail 12.3 and I am a new user of SmarterMail.
 
Today I just noticed that User Activity shows two anonymous users with location China and duration 18 minutes. What does that mean?
 
I have also noticed that one of our users using IMAP appeared in different locations in User Activity, Romania & Canada. How could that be possible?
 
 
I will appreciate any guidance!
 
Thanks & regards 
 
 
 
Reyan

4 Replies

0
Rod Lasky Replied
Employee Post
Hi. The anonymous user simply means that someone has navigated to the SmarterMail web interface, but they're not signed in.
Rod Lasky
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
As Rod had stated, it just means someone or something is on the webmail login page but not signed in.

As far as the IMAP connection appearing in a different location, that's very concerning. To me that would indicate that someone knows that user's email PW and is using it somewhere else. I would notify that user right away and change their password to something completely different. That way you protect your mail server and the user from being blacklisted as a spammer.
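
A check for the pattern described in the reply above (one account signing in over IMAP from two countries in a short time), as an added example that is not part of the original thread and is not SmarterMail code. The log format, addresses and one-hour window are constructed assumptions, and the country code is assumed to be already resolved by a GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (NOT SmarterMail's log format):
# timestamp, user, protocol, source IP (documentation ranges), GeoIP country.
SAMPLE = """\
2016-12-23T09:02:11 alice@example.com IMAP 192.0.2.10 RO
2016-12-23T09:05:40 bob@example.com IMAP 198.51.100.7 DE
2016-12-23T09:20:03 alice@example.com IMAP 203.0.113.55 CA
2016-12-23T09:45:00 bob@example.com IMAP 198.51.100.7 DE
2016-12-23T10:10:00 alice@example.com IMAP 192.0.2.10 RO
2016-12-24T18:00:00 carol@example.com IMAP 192.0.2.99 DE
2016-12-27T08:00:00 carol@example.com IMAP 203.0.113.80 FR
"""

def parse(text):
    """Yield (timestamp, user, protocol, ip, country) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, user, proto, ip, country = parts
        yield datetime.fromisoformat(ts), user.lower(), proto, ip, country

def multi_country_logins(text, window=timedelta(hours=1)):
    """Return {user: [(earlier, later), ...]} where two consecutive logins
    by the same user come from different countries within `window`."""
    by_user = defaultdict(list)
    for ts, user, _proto, ip, country in parse(text):
        by_user[user].append((ts, ip, country))
    findings = {}
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        hits = [(a, b) for a, b in zip(events, events[1:])
                if a[2] != b[2] and b[0] - a[0] <= window]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in multi_country_logins(SAMPLE).items():
        for a, b in hits:
            print(f"{user}: {a[2]} ({a[1]}) -> {b[2]} ({b[1]}) in {b[0] - a[0]}")
```

A hit is a reason to contact the user and reset the password, not proof of compromise: VPNs, mobile carriers and stale GeoIP data can also move a session between countries.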
0
iba-labs-it Replied
Thank you guys for your expert, valuable reply.

Since the anonymous user location shows Chinese and we don't have any users in China, is there any way to block this for security?

Thanks
Reyan
0
Jay Altemoos Replied
Well, that's a tough question to answer. There are 2 sides to that coin: you could attempt to block the IP via a Windows firewall rule, but whoever or whatever it is sitting on the page would just pick another IP and have at it again. You would be setting up rules all day long on the server.
 
Now with that said, SM does have built-in security for Brute Force attempts on the webmail page. So whoever or whatever is sitting on that page is most likely attempting usernames and passwords to log into whatever account. I believe by default it's 5 or 10 attempts before the IP is blacklisted for a period of time. They will show up under Manage -> Current IDS blocks -> webmail. One of the suggestions I have is, if you don't have one already, I would get a digital certificate and require https on the webmail page. That way if something is there attempting to sniff usernames and passwords, it's encrypted with the digital certificate.
 
As far as stopping the Anonymous, there's really no way to stop that.
