Webmail Brute Force Defaults & Settings
Question asked by Matthew Bramble - April 23 at 5:12 PM
Answered
I'm aware that 3 1/2 months ago the settings for this were moved from web.config over to mailConfig.xml, and this is definitely something nice to have; however, it took less than 12 hours before a client locked out their entire organization from webmail using the default settings.

1) Since you are basing this on IP and not on the account being logged into, a default setting of 5 attempts is absolutely not a good default.

2) Why isn't this configurable in the IDS interface yet?

3) Why is this based on IP and not on the account being logged into?

Again, I appreciate that this was added, but the implementation has shortcomings, and it causes more real world problems than it solves out of the box as is.

Robert Emmett Replied
Employee Post Marked As Answer
Matthew, thank you for posting. In SmarterMail 16, you can modify the mailConfig.xml and change the <LoginRetries> element to a higher number that better suits your environment. A similar element is <LoginTimeout>, which determines the block duration.
 
Regarding your second and third points, these have already been added to the SmarterMail 17 interface. The value is configurable in the IDS blocks, and it can be configured to block either by IP or by account. We have kept blocking by IP to prevent attackers from attempting all possible accounts.
 
I hope this helps,
Robert
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
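The trade-off discussed in this thread (counting failures per source IP locks out every user behind a shared NAT address, while counting per account lets one IP spray a guess across every account) can be made concrete with a small model. The following is an added example written for this page; it is not SmarterTools code and does not reproduce SmarterMail's actual blocking logic. It assumes a simplified policy (a key is blocked for the full timeout once it reaches the retry count), an XML layout in which `<LoginRetries>` and `<LoginTimeout>` are simply findable somewhere under the root (the real mailConfig.xml structure and the unit of `<LoginTimeout>` are not shown in the thread, so the sample file and the "minutes" unit are assumptions), and constructed login attempts with RFC 5737 documentation addresses.

```python
"""Model of per-IP versus per-account brute-force blocking.

Added example for this thread; not SmarterMail's implementation. The sample
mailConfig.xml fragment, the time unit and the blocking semantics are assumed.
"""
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

# Constructed sample. Only the two element names come from the thread; the
# surrounding <Settings> wrapper is an assumption for the sake of the example.
SAMPLE_MAILCONFIG = """<?xml version="1.0"?>
<Settings>
  <LoginRetries>5</LoginRetries>
  <LoginTimeout>30</LoginTimeout>
</Settings>
"""


def read_login_policy(xml_text: str) -> tuple[int, int]:
    """Return (LoginRetries, LoginTimeout) from a mailConfig.xml-style document."""
    root = ET.fromstring(xml_text)
    retries = root.find(".//LoginRetries")
    timeout = root.find(".//LoginTimeout")
    if retries is None or timeout is None:
        raise ValueError("LoginRetries or LoginTimeout element not found")
    return int(retries.text), int(timeout.text)


@dataclass
class Attempt:
    t: int          # time of the attempt (assumed unit: minutes since start)
    ip: str         # source address of the webmail login
    account: str    # account the login was for
    ok: bool        # whether the credentials were correct


@dataclass
class Blocker:
    """Simplified lockout policy keyed either by source IP or by account."""
    retries: int
    timeout: int                 # block duration, same unit as Attempt.t
    key: str                     # "ip" or "account"
    failures: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def _key(self, a: Attempt) -> str:
        return a.ip if self.key == "ip" else a.account

    def handle(self, a: Attempt) -> str:
        """Process one attempt: 'blocked', 'success', 'failed' or 'locked'."""
        k = self._key(a)
        if self.blocked_until.get(k, -1) > a.t:
            return "blocked"           # rejected before the password is even checked
        if a.ok:
            self.failures[k] = 0
            return "success"
        self.failures[k] = self.failures.get(k, 0) + 1
        if self.failures[k] >= self.retries:
            self.blocked_until[k] = a.t + self.timeout
            self.failures[k] = 0
            return "locked"            # this failure tripped the block
        return "failed"


def run(policy: Blocker, attempts: list[Attempt]) -> list[str]:
    return [policy.handle(a) for a in attempts]


def count(results: list[str], outcome: str) -> int:
    return sum(1 for r in results if r == outcome)


def nat_office_scenario() -> list[Attempt]:
    """Five coworkers behind one NAT address each mistype once, then a sixth
    user logs in correctly. Constructed data."""
    ip = "203.0.113.10"
    attempts = [Attempt(i, ip, f"user{i}@example.com", False) for i in range(1, 6)]
    attempts.append(Attempt(6, ip, "user6@example.com", True))
    return attempts


def spray_scenario() -> list[Attempt]:
    """One attacker address tries a single guess against 20 accounts. Constructed."""
    return [Attempt(i, "198.51.100.7", f"user{i}@example.com", False) for i in range(1, 21)]


if __name__ == "__main__":
    retries, timeout = read_login_policy(SAMPLE_MAILCONFIG)
    for key in ("ip", "account"):
        nat = run(Blocker(retries, timeout, key), nat_office_scenario())
        spray = run(Blocker(retries, timeout, key), spray_scenario())
        print(f"by {key}: sixth NAT user -> {nat[-1]}; "
              f"spray guesses that reached the password check -> "
              f"{count(spray, 'failed') + count(spray, 'locked')} of 20")
```

With the thread's default of 5 retries, the by-IP policy answers the sixth coworker's correct password with "blocked" (the lockout Matthew describes), while the by-account policy lets all 20 spray guesses through to the password check (the reason Robert gives for keeping the by-IP block). Raising `<LoginRetries>` well above the number of users expected behind one address, or moving to per-account blocking where NAT is common, are the two knobs the reply points at; the model makes it easy to try a candidate value against your own expected traffic before changing the live file.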
