I have observed a problem with the IDS block algorithm in the latest Smartermail version. In these two weeks, we have been facing many customers' complaints about the IDS block being too strict. However, I think there are some problems in the algorithm, rather than the IDS block being strict. These complaints were never brought up in the earlier version.
In a scenario where a customer has a generic email account such as sales@domain.com, we faced this IDS block problem. This kind of generic account is often a good target for hackers to attack with common or easily guessable passwords.
After a number of attempts by the hackers, Smartermail blocks this account. As a result, our customer's generic account is affected, as it is blocked as well. When they try to log in with their Outlook, they are prompted to enter a password. The unsuccessful attempts keep increasing as they try again and again with the correct password but are blocked. IDS then blocks the entire IP address of the office.
Shortly after that, the entire public IP address of the office is blocked, and every email account in the office cannot log in, as they are also blocked. In their Outlook, the password prompt keeps popping up.
This happens not only to generic accounts; it also happens to certain accounts with common names such as shirley@anotherdomain.com. Someone from another country is trying to use her name to log in but is blocked by the IDS filtering after a certain number of attempts. The rightful owner is then affected even though her login credentials are correct. As she is blocked, IDS blocks their office's public IP address. In a similar light, shortly after, all email from the entire office IP cannot be accessed, as their public IP address is blocked.
The algorithm should consider the attack using two parameters:
- the email account that the hacker is trying to log in to
- the IP address that the hacker is logging in from
Currently, if I am not wrong, Smartermail only considers the email account the hacker is trying to log in to. Hence, the problem arises when the rightful owner tries to log in with the correct credentials. He or she will not be able to access his or her email account due to the earlier block by IDS because of the hacker.
If the two parameters are taken into consideration, IDS will be more intelligent, considering where the hacker is trying to log in from and which account he is using. In this way, the IDS can block based on the number of attempts against these two parameters. It will not stop the rightful owner from accessing his or her email, as they are accessing the email account from another location.
Correct me if I am wrong.
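As an added illustration, not code from the original post and not SmarterMail's actual implementation, the following Python model replays the sequence the post describes (attacker guesses a generic account from abroad, the owner's Outlook retries with the correct password, a colleague at the same office then tries their own mailbox) against two counting schemes: failures counted per account and per source IP separately, as the post understands the current behaviour, and failures keyed on the (account, source IP) pair, as the post proposes. The accounts, passwords, IP addresses (from documentation ranges) and thresholds are constructed assumptions for the example only.

```python
"""Model of account-only versus (account, IP) keyed brute-force blocking.
Constructed example: credentials, IPs and thresholds are assumptions, not
SmarterMail internals."""
from collections import defaultdict

# Constructed credentials for the scenario (hypothetical).
USERS = {
    "sales@domain.com": "S3cret-sales",
    "shirley@anotherdomain.com": "Shirley-pw",
    "bob@domain.com": "Bob-pw",
}

ACCOUNT_THRESHOLD = 5   # assumed: failures before an account (or pair) is blocked
IP_THRESHOLD = 10       # assumed: failures before a source IP is blocked

ATTACKER_IP = "203.0.113.7"    # documentation range, hypothetical attacker
OFFICE_IP = "198.51.100.20"    # documentation range, the customer's office


class AccountOnlyIDS:
    """Behaviour the post describes: failures are counted per account
    regardless of source, and a blocked account's retries still count as
    failures for the retrying IP, so the office IP ends up blocked too."""

    def __init__(self):
        self.account_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)
        self.blocked_accounts = set()
        self.blocked_ips = set()

    def _ip_failure(self, ip):
        self.ip_failures[ip] += 1
        if self.ip_failures[ip] >= IP_THRESHOLD:
            self.blocked_ips.add(ip)

    def login(self, account, password, ip):
        if ip in self.blocked_ips:
            return "ip_blocked"
        if account in self.blocked_accounts:
            # Correct password or not, the account is locked; the mail client
            # keeps retrying and every retry is another failure for the office IP.
            self._ip_failure(ip)
            return "account_blocked"
        if USERS.get(account) == password:
            return "ok"
        self.account_failures[account] += 1
        if self.account_failures[account] >= ACCOUNT_THRESHOLD:
            self.blocked_accounts.add(account)
        self._ip_failure(ip)
        return "bad_password"


class AccountAndIpIDS:
    """The post's proposal: failures keyed on (account, source IP), so the
    attacker's guesses from one IP never lock the owner out at another."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked = set()

    def login(self, account, password, ip):
        key = (account, ip)
        if key in self.blocked:
            return "blocked"
        if USERS.get(account) == password:
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= ACCOUNT_THRESHOLD:
            self.blocked.add(key)
        return "bad_password"


def run_scenario(ids):
    """Replay the sequence from the post against the given IDS model and
    return the outcomes a support engineer would look at."""
    attacker = [ids.login("sales@domain.com", f"guess{i}", ATTACKER_IP)
                for i in range(8)]
    owner = [ids.login("sales@domain.com", USERS["sales@domain.com"], OFFICE_IP)
             for _ in range(12)]
    colleague = ids.login("bob@domain.com", USERS["bob@domain.com"], OFFICE_IP)
    return {
        "attacker_last": attacker[-1],
        "owner_first": owner[0],
        "owner_last": owner[-1],
        "colleague": colleague,
    }


if __name__ == "__main__":
    print("account-only:", run_scenario(AccountOnlyIDS()))
    print("account+ip:  ", run_scenario(AccountAndIpIDS()))
```

Under the account-only model the owner's first retry is already refused, the twelfth retry comes back as an IP block, and the colleague's unrelated mailbox is refused from the same office IP; under the (account, IP) model the attacker's pair is blocked after the fifth guess while the owner and the colleague log in normally.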