I can confirm that we have more attacks coming from outside the US and Canada that could be easily blocked off with a method like this.

We use spameatingmonkey country rbl to add a score for countries with high percentage of spammers.

 

 

Here is our complete Hostname entry. bcn_ru_nl_de_ro_hk_it_ar_es_ch_co_in_il_br_ua_ir_cz_tr_kr_vn_rs.290313132.geobl.spameatingmonkey.net

Would we know if this is even being considered? I think the biggest point of security is blocking the login completely from countries instead of assigning a weight to incoming or outgoing mail like spam eating monkey.

 

Stop the problems from happening in the first place. For example, I have a few domains that have bots constantly trying to brute force passwords for accounts. They first query to see if a mailbox exists, then query passwords. Their IP get's blocked and the requests just come from a different IP so the brute force attack never ends. Blocking, or perhaps checking off the allowed countries that can login is a huge security asset to minimize intrustions.

I agree that it would be nice to block POP/IMAP/SMTP from login attempts by GeoIP. I currently have 3000 blocks against Chinese IPs for Brute Force attempts just since installing the last SM Update last Friday! Whenever an account is actually compromised it is always Brazilian or Chilean IPs that attempt to send Spam on the compromised account. This would be a nice addition to kill two birds with one stone.

 

However, it would be just as easy (maybe easier) to block these IPs at the Firewall instead and not let them even reach SmarterMail. However, there are legitimate times that you may want to receive emails from suppliers and distributors in China or friends and relatives in Brazil but you just don't want them to be able to attempt to authenticate.

 

The only problem with GeoIP is that it changes frequently and not all changes are updated. Case in point, I had a customer last week who is in Australia and couldn't IMAP or SMTP with our Mail Services. Turns out an entire Class B IP Block that was assigned to China that we had blocked in 2014 was so abused that the Chinese sub-leased the IP Block to India in 2017 who abused it so bad that they sub-leased it to a broadband service provider in Australia sometime after our last Blacklist Audit at 2017 year end. According to GeoIP that entire Class B IP Block is still assigned by APNIC to China (and it is still on multiple RBLs including Senderbase). So GeoIP can be wrong, and frequently is. There will be problems relying solely on GeoIP...so it isn't a cure-all, but I do agree that it is better than doing it manually like we do, and would still be an improvement over Smartermail IDS as IDS doesn't stop Distributed Brute-Force attempts.

Just bumping this because every day reviewing my IDS Blocks I still dream of being able to completely stop any LOGIN attempts to SMTP, POP, IMAP, etc. unless they come from a whitelisted country of my choosing.

Unless it comes from a pre-approved/whitelisted country (likely just Canada and the US for us) block it from going forward entirely. If an IP's country is unknown (or perhaps times out on checking the IP) let it through and the normal spam and abuse checks will progress as they already do but hot damn this could be amazing for prevention in compromised email accounts.

I do this at the firewall rather than within SM. This has resulted in the rare problem where legitimate mail originating from a blocked country couldn't reach the intended recipient.

Matthew, is that for authenticating outgoing SMTP or is your method intended to reduce incoming spam from other countries?

Hi Dave, I should have been more clear. Sorry. The goal was really to try and reduce spam levels by both blocking whole networks that are highly unlikely to be sources of legitimate mail, and using a DNSBL service to prevent known bad IP addresses from hitting SMTP. It hasn't been the panacea I had hoped for but it has made some difference.

Oh no worries, I thought I could be mistaken too!

Known bad IP addresses would still likely be a much smaller list than outright blocking non whitelisted countries from authenticating, however you're right that there could be rare cases where someone is travelling outside of north america in which case a bit of customization within Smartermail could be useful instead of a nuclear block from the firewall.

Not sure if anyone has any ideas that could help SmarterTools discuss on their end such as perhaps an option for users and admins being able to turn on a "travel mode" in which case it could let connections authenticate or maybe outgoing email gets sent to the spam quarantine for review? I just think if it was within Smartermail itself, it could be flexible and easy to manage within a GUI for even users (they could have access to the whitelisted countries to manage themselves if admin's allow that functionality for domain admins and/or users).

Just something I think could really help prevent email accounts from being compromised!

Years ago I proposed some filtering logic for SM which would permanently blacklist an IP address after x repeated attempts of x number of failed authentication attempts. We all have customers that forget their passwords resulting in temporary abuse blocks, but if one were to examine their SMTP logs in detail, they'd see various IP addresses attempting to authenticate to many local accounts over and over, and they come back after the temp SMTP bans expire. Also, the probes often seem to learn what the temp ban threshold is and then try to reduce the authentication attempts to thwart the response.