Block SMTP/IMAP/POP login by country
Idea shared by Dave Hunter - July 4, 2017 at 7:57 AM
Proposed
It would be amazing to have an option to simply check off countries you want to completely block from being able to log in to webmail, smtp, imap and pop.
 
If you look at the IDS blocks you can see the country (location) that was blocked for password brute force by protocol etc. which means something in SmarterMail is already checking the IP to a country and a 3rd party tool shouldn't be needed.
 
You'd still need to be able to receive email from countries if you do business in them (although having another separate option to block email from countries would be huge too [do this too please!]), but unless a client does business in a particular country, restricting login to only your native country would be a significant security upgrade to at least only worrying about brute forces that are VPN'd in to the US/Canada etc.

8 Replies

4
This would be a huge security filter. We are having huge issues with other countries and Brute Force attacks.
1
I can confirm that we have more attacks coming from outside the US and Canada that could be easily blocked off with a method like this.
0
We use spameatingmonkey country rbl to add a score for countries with high percentage of spammers.
 
 
Here is our complete Hostname entry. bcn_ru_nl_de_ro_hk_it_ar_es_ch_co_in_il_br_ua_ir_cz_tr_kr_vn_rs.290313132.geobl.spameatingmonkey.net
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
I checked the geo rbl from spam eating monkey before and I think it was down and also don't really see it published on their website anymore. Little iffy but I did see people using it in the past. Kinda cool if it still works but would still be better to be a part of SmarterMail.

In addition to that, I think it would actually be better to check off the countries you DO want to be able to log in and block the rest instead of the other way around where you select all the countries to block. Could be a way to switch between allow checked countries and block rest or block checked countries and allow rest.

Still an amazing and effective feature to have built in to SmarterMail directly.
0
+1 on this!
1
Would we know if this is even being considered? I think the biggest point of security is blocking the login completely from countries instead of assigning a weight to incoming or outgoing mail like spam eating monkey.
 
Stop the problems from happening in the first place. For example, I have a few domains that have bots constantly trying to brute force passwords for accounts. They first query to see if a mailbox exists, then query passwords. Their IP gets blocked and the requests just come from a different IP so the brute force attack never ends. Blocking, or perhaps checking off the allowed countries that can login is a huge security asset to minimize intrusions.
2
I agree that it would be nice to block POP/IMAP/SMTP from login attempts by GeoIP. I currently have 3000 blocks against Chinese IPs for Brute Force attempts just since installing the last SM Update last Friday! Whenever an account is actually compromised it is always Brazilian or Chilean IPs that attempt to send Spam on the compromised account. This would be a nice addition to kill two birds with one stone.
 
However, it would be just as easy (maybe easier) to block these IPs at the Firewall instead and not let them even reach SmarterMail. However, there are legitimate times that you may want to receive emails from suppliers and distributors in China or friends and relatives in Brazil but you just don't want them to be able to attempt to authenticate.
 
The only problem with GeoIP is that it changes frequently and not all changes are updated. Case in point, I had a customer last week who is in Australia and couldn't IMAP or SMTP with our Mail Services. Turns out an entire Class B IP Block that was assigned to China that we had blocked in 2014 was so abused that the Chinese sub-leased the IP Block to India in 2017 who abused it so bad that they sub-leased it to a broadband service provider in Australia sometime after our last Blacklist Audit at 2017 year end. According to GeoIP that entire Class B IP Block is still assigned by APNIC to China (and it is still on multiple RBLs including Senderbase). So GeoIP can be wrong, and frequently is. There will be problems relying solely on GeoIP...so it isn't a cure-all, but I do agree that it is better than doing it manually like we do, and would still be an improvement over Smartermail IDS as IDS doesn't stop Distributed Brute-Force attempts.
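
A sketch of the login gate this thread asks for, added here as an example (it is not SmarterMail code and not part of any post): it filters only authentication services, supports both the allow-list and block-list modes proposed above, and lets operator overrides correct stale GeoIP data such as the re-leased block described in the post above. The service names, the GeoIP table and the override list are constructed assumptions that use documentation IP ranges.

```python
import ipaddress

# Constructed GeoIP table (documentation ranges). A real deployment would load
# a regularly refreshed GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),  # stale: range re-leased to an AU ISP
]

# Operator overrides win over GeoIP for ranges known to be mislabelled.
OVERRIDES = [(ipaddress.ip_network("203.0.113.0/24"), "AU")]

# Hypothetical service labels: only these are geo-filtered. Inbound MX
# delivery ("smtp-mx") is deliberately absent so mail is still received.
AUTH_SERVICES = {"webmail", "smtp-auth", "submission", "imap", "pop"}


def country_of(ip):
    """Return the country code for ip (overrides first), or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for table in (OVERRIDES, GEO_TABLE):
        matches = [(net.prefixlen, cc) for net, cc in table if addr in net]
        if matches:
            return max(matches)[1]  # longest matching prefix wins
    return None


def login_allowed(ip, service, countries, mode="allow"):
    """Decide whether an authentication attempt from ip may proceed.

    mode="allow": only the listed countries may log in (unknown IPs denied).
    mode="block": the listed countries may not log in (unknown IPs allowed).
    """
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    if service not in AUTH_SERVICES:
        return True  # not a login attempt, so no geo filtering
    cc = country_of(ip)
    if cc is None:
        return mode == "block"
    listed = cc in countries
    return listed if mode == "allow" else not listed
```

The override list is what keeps a case like the Australian customer working while the GeoIP source still reports the old country.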
0
At the same time separate blocks for the submission ports would be nice.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP