IDS Block for Brute Force attacks
Problem reported by Ng Cher Choon - 1/6/2019 at 8:08 AM
Resolved
I have observed a problem with the IDS block algorithm in the latest SmarterMail version. In these 2 weeks, we have been facing many customers' complaints about the IDS block being too strict. However, I think there are some problems in the algorithm, rather than the IDS block being strict. These complaints were never brought up in the earlier version.

In a scenario where a customer has generic email accounts such as sales@domain.com, we faced this IDS block problem. This kind of generic account is often a good target for hackers to attack with common or easily guessable passwords.

After some number of attempts by the hackers, SmarterMail blocks this account. As a result, our customer's generic account is affected, as it is blocked as well. When they try to log in with their Outlook, they are prompted to enter a password. The unsuccessful attempts keep increasing as they try again and again with the correct password but are blocked. IDS then blocks the entire IP address of the office.

Shortly after that, the entire public IP address of the office is blocked; no email account in the office can log in, as they are all blocked. In their Outlook, the password prompt keeps popping up.

This happens not only to generic accounts; it also happens to certain accounts with common names such as shirley@anotherdomain.com. Someone from another country is trying to use her name to log in but is blocked by the IDS filtering after a certain number of attempts. The rightful owner is then affected despite her login credentials being correct. As she is blocked, IDS blocks their office public IP address. In a similar light, shortly after, all email from the entire office IP cannot be accessed, as their public IP address is blocked.

The algorithm should consider the attack using two parameters:

  • the email account that the hacker is trying to log in to
  • the IP address from which the hacker is trying to log in to that email account
Currently, if I am not wrong, SmarterMail only considers the email account the hacker is trying to log in to. Hence, the problem arises when the rightful owner tries to log in with the correct credentials. He or she will not be able to access his or her email account due to the earlier block by IDS caused by the hacker.

If the two parameters are used for consideration, IDS will be more intelligent in considering where the hacker is trying to log in from and which account he is using. In this way, the IDS can block based on the number of attempts for these two parameters together. It will not prevent the rightful owner from accessing his or her email, as they are accessing the email account from another location.

Correct me if I am wrong.

6 Replies

echoDreamz Replied
We disabled the webmail block on email address and only use the IP-based one.
Gabriele Maoret Replied
Same here: We disabled the webmail block on email address and only use the IP-based one.
Matt Petty Replied
Employee Post
We have a fix in place for these aggressive IDS blocks. There were cases where a connection would count against IDS even though it shouldn't which would cause erroneous blocks. Our next minor will contain this fix, the minor you have right now @echoDreamz on your system should already contain this fix.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
echoDreamz Replied
Matt,

Yep, we turned the IP-based IDS block for webmail back on after that update. We left the email-based webmail block disabled though.
Sébastien Riccio Replied
Hi,

Isn't the email-based IDS blocking a problem in itself?

I mean, with this turned on, anyone wanting to lock your account to put you in trouble can do it from anywhere just by trying several wrong passwords for this particular mail account? So you get more trouble than protection.

If yes, then it sounds like a pretty bad idea to have this turned on anytime.

IMHO there should be two settings:

- IDS block by IP (will lock any further attempts from the IP)
OR
- IDS block by IP AND e-mail address (will lock any further attempts from the IP for this particular mail address, so you don't lock out all the other users of your office sharing the same IP if one person in your office keeps entering a wrong password for his account)

EDIT: a possible 3rd option that may be useful against distributed attempts on a particular account from many IPs:
- IDS block by e-mail address, only if recent attempts were made from X different IP addresses, as from a distributed botnet.

Just some ideas, but locks based only on the e-mail address seem like nonsense.

EDIT2: I had not entirely read the original poster's post, and he has the same suggestions. My apologies for the dupe.
Sébastien


Sébastien Riccio System & Network Admin https://swisscenter.com
Employee Replied
Employee Post
The IDS rules for Brute Force by Email and Brute Force by IP can work together. It's just a matter of configuring them to work together.

Option 1: Change values
A simple solution is to change the default values for By IP and By Email. One way would be to decrease the number of attempts By IP to be LOWER than the By Email number. This will block the IP before the email address hits its own rule limit. You could also decrease the By IP limit and increase the By Email limit to ensure that, if you're seeing a lot of brute force attempts from multiple IPs on the same account, the account still doesn't get locked out.

Option 2: Disable By Email
Keep the By IP rules in place and disable the By Email rules. This way, IPs will continue to be blocked when there are brute force attempts, but the email account itself is never blocked. This is a good solution for cases where a particular address (or multiple addresses) are being brute forced by multiple IPs.

As an aside, we're looking at the defaults we put for each. A future build will have the By IP number smaller than the By Email number by default. That way, if both are turned on, there will be some difference between the two to try to eliminate confusion and issues.
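The following is an added illustration, not SmarterMail code and not posted by anyone in this thread. It is a toy model of a login IDS whose failure counters can be keyed by IP, by email address, by the (IP, email) pair Sébastien proposes, or by email address only once failures arrive from several distinct IPs, and it replays two constructed attempt sequences (a single attacker guessing sales@, and six botnet hosts guessing shirley@) against the configurations discussed above: By Email alone, equal By IP and By Email limits, By IP lower than By Email, and By IP alone. The IP addresses, account names and the sequence of attempts are all made up. One assumption is made explicit in the model: a login rejected because its key is already blocked still increments the counters, which is the cascade the original poster describes (Outlook retrying the correct password until the office IP is blocked too).

```python
"""Toy model of a mail-server login IDS: the key a failure counter is kept under
decides who ends up locked out.  Added illustration, not SmarterMail code."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from any real log.
ATTACKER = "203.0.113.7"
OFFICE = "198.51.100.20"                       # NAT address shared by the whole office
BOTNET = ["192.0.2.%d" % i for i in range(1, 7)]


@dataclass(frozen=True)
class Attempt:
    src_ip: str
    account: str
    password_ok: bool


class Ids:
    """Failure counters keyed several ways; a key is blocked once it reaches its limit.

    limits maps rule name -> failure threshold.  Rules:
      "ip"                : key = source IP
      "email"             : key = account
      "ip_email"          : key = (source IP, account)
      "email_distributed" : key = account, but only blocks once the failures
                            came from at least `distinct_ips` different sources
    `blocked_counts_as_failure` is an assumption of this model: a login rejected
    because its key is already blocked still increments every counter, which is
    the cascade the original poster describes (the mail client keeps retrying
    with the right password and those rejections eventually block the office IP).
    """

    def __init__(self, limits, distinct_ips=3, blocked_counts_as_failure=True):
        self.limits = dict(limits)
        self.distinct_ips = distinct_ips
        self.blocked_counts_as_failure = blocked_counts_as_failure
        self.failures = defaultdict(int)    # (rule, key) -> failed attempts
        self.sources = defaultdict(set)     # account -> IPs that failed against it
        self.blocked = set()                # (rule, key) pairs currently blocked

    @staticmethod
    def _keys(a):
        return {"ip": a.src_ip, "email": a.account,
                "ip_email": (a.src_ip, a.account), "email_distributed": a.account}

    def attempt(self, a):
        """Return "ok", "auth_failed" or "blocked:<rule>" for one login attempt."""
        keys = self._keys(a)
        hit = next((r for r in self.limits if (r, keys[r]) in self.blocked), None)
        if hit is not None:
            outcome = "blocked:" + hit
            if not self.blocked_counts_as_failure:
                return outcome
        elif a.password_ok:
            return "ok"                     # successes never touch the counters
        else:
            outcome = "auth_failed"
        self.sources[a.account].add(a.src_ip)
        for rule, limit in self.limits.items():
            k = (rule, keys[rule])
            self.failures[k] += 1
            if self.failures[k] < limit:
                continue
            if rule == "email_distributed" and len(self.sources[a.account]) < self.distinct_ips:
                continue                    # single-source guessing never locks the account
            self.blocked.add(k)
        return outcome


def run(limits, attempts, **kw):
    """Replay a constructed attempt list through a fresh Ids and return the outcomes."""
    ids = Ids(limits, **kw)
    return [ids.attempt(a) for a in attempts]


# Constructed scenario 1: one attacker guesses sales@ eight times; then the rightful
# owner (client retrying five times with the correct password) and a colleague log in
# from the shared office address.
def scenario_single_source():
    return ([Attempt(ATTACKER, "sales@example.com", False)] * 8
            + [Attempt(OFFICE, "sales@example.com", True)] * 5
            + [Attempt(OFFICE, "bob@example.com", True)])


# Constructed scenario 2: six botnet hosts each try shirley@ twice, then she logs in.
def scenario_distributed():
    return ([Attempt(ip, "shirley@example.com", False) for ip in BOTNET for _ in range(2)]
            + [Attempt(OFFICE, "shirley@example.com", True)])


CONFIGS = {
    "email_only":    {"email": 5},
    "equal_limits":  {"ip": 5, "email": 5},
    "ip_first":      {"ip": 5, "email": 10},      # By IP lower than By Email
    "ip_only":       {"ip": 5},
    "ip_and_email":  {"ip_email": 5},
    "distributed":   {"ip": 5, "email_distributed": 6},
}

if __name__ == "__main__":
    for name, scenario in (("single source", scenario_single_source()),
                           ("distributed", scenario_distributed())):
        print(name)
        for cfg, limits in CONFIGS.items():
            outcomes = run(limits, scenario)
            legit = [o for a, o in zip(scenario, outcomes) if a.password_ok]
            print(f"  {cfg:14s} legitimate logins: {legit}")
```

Running it shows the trade-offs in the thread side by side: with By Email alone or with equal limits, the single attacker locks sales@ and, under the retry assumption, the whole office IP follows; with By IP lower than By Email, or with the (IP, email) pair as the key, the attacker's source is blocked and the office never notices; against the six-host botnet only an email-keyed rule stops the guessing, and every such rule also locks out the rightful owner, which is exactly the choice Option 2 makes in the other direction.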