Webmail brute force lockout management
Question asked by Chris Cato - 12/22/2017 at 9:26 AM
Is there any way to manage the webmail login failure lockout?  I'm aware of the Login.BruteForceDetection.TriesBeforeBlock key in web.config but I'm hoping there are some more options to give us some flexibility in responding.  We have a fairly large client that is regularly locking their entire organization out of webmail when a user can't remember their password.  It would be helpful if we could lockout only the user's account or at least whitelist their IP.  
Additionally, is there a way to release the lockout without restarting the SmarterMail service?  
Chris Cato

Robert Emmett Replied
Employee Post
What version of SmarterMail are you using? In SM 16, there is an Unblock option for IDS blocks.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
Chris Cato Replied
Thanks for the reply Robert. We are running v16.3.6540 on this server (Windows 2008 R2). There is a Webmail section under Manage -> IDS Blocks, but the blocked IP never appears there, so there is no way to remove the block. I've tried setting the value of TriesBeforeBlock to 1000, but the block always happens after 10 login failures, even after service restarts. This client has 400+ users all connecting to Webmail from a single IP. One or two forgetful users can lock out the entire organization. Based on the Administrative log in MRS/App_Data/Logs, each subsequent login attempt from the blocked IP raises the failed tries count, so the block is extended indefinitely. Our only effective response so far has been to restart the SmarterMail service each time this occurs.
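To show why a failure counter keyed per source IP takes out a whole office behind one NAT address, and what the per-account lockout and IP whitelist Chris asks for would change, here is an added Python simulation. It is not SmarterMail's code; the class and function names, the 203.0.113.10 address and the user names are constructed for the example.

```python
from collections import defaultdict, deque

class LoginLockout:
    """Sliding-window lockout keyed per source IP (the thread's behaviour:
    everyone behind one NAT address shares a counter) or per (IP, account)."""

    def __init__(self, tries_before_block, block_seconds, per_account=False, whitelist=()):
        self.tries, self.block_seconds = tries_before_block, block_seconds
        self.per_account, self.whitelist = per_account, set(whitelist)
        self.failures = defaultdict(deque)  # key -> recent failure times
        self.blocked_until = {}             # key -> time the block expires

    def _key(self, ip, user):
        return (ip, user) if self.per_account else ip

    def attempt(self, ip, user, password_ok, now):
        """Return 'ok', 'failed' or 'blocked' for one login attempt."""
        if ip in self.whitelist:
            return "ok" if password_ok else "failed"
        key = self._key(ip, user)
        if now < self.blocked_until.get(key, 0):
            self._record_failure(key, now)  # attempts while blocked extend it
            return "blocked"
        if password_ok:
            return "ok"
        self._record_failure(key, now)
        return "failed"

    def _record_failure(self, key, now):
        window = self.failures[key]
        window.append(now)
        while now - window[0] > self.block_seconds:  # drop stale failures
            window.popleft()
        if len(window) >= self.tries:
            self.blocked_until[key] = now + self.block_seconds

    def unblock(self, ip, user=None):
        """Release a block by hand instead of restarting the service."""
        self.blocked_until.pop(self._key(ip, user), None)
        self.failures.pop(self._key(ip, user), None)


def simulate(per_account, whitelist=()):
    """Two forgetful users each fail five times from one NAT address, then
    a third user with the correct password logs in; returns that result."""
    nat_ip = "203.0.113.10"  # constructed sample address
    det = LoginLockout(10, 3600, per_account=per_account, whitelist=whitelist)
    for t, user in enumerate(["alice"] * 5 + ["bob"] * 5):
        det.attempt(nat_ip, user, False, t)
    return det.attempt(nat_ip, "carol", True, 10)
```

With the per-IP counter the innocent third user is blocked and, because rejected attempts keep counting, the block keeps extending; per-account keying or whitelisting the NAT address avoids that.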
We have the same problem. Is there any update on this?
Chris, did you manage to solve your problem?
Chris Cato Replied
Mohammadreza - SmarterTools provided us with a custom build that allowed us to modify or disable the lockout behavior with settings in /Service/mailConfig.xml. They informed us these changes would be in the next maintenance release of SmarterMail. We have not yet evaluated it but based on the release notes it appears that v16.3.6585 and later does support this. Best of luck with your issue!
Chris, this fixed our problem. Thank you very much. It was a great help.
Joe Dellaragione Replied
I am on 16.3.6592 and I am having some issues with the Web BF detection.

In \MRS\Web.config I set, as a test, 10 tries before block and a block of 60 minutes. Saved the file, restarted the service.

Now after 5 attempts I get "Too many login attempts. Try again later."

If I keep trying to log in 5 more times to equal the 10 times that should trigger the IDS block, nothing ever happens: I do not see an IDS block on the dashboard, and I don't get an event email.

It is good that it does not allow more than 5 bad webmail attempts, BUT where is this 5 count coming from, how do I edit it, and how do I get it to send me a notification?