Pop3 Abuse Detection... isn't valid
Problem reported by Merle Wait - 1/24/2019 at 9:57 AM
Submitted
SmarterMail Version - 15.7.6730 
Have a client that keeps invoking:
Abuse detection rule Denial of Service - Pop 5 Min (DenialOfService) has been triggered by XXX.XXX.XXX.26 
Looked in the logs, don't see any errors or login failures
just lots of activity from this IP address (they have dozens of users)
DoS setting is at TimeFrame 5; Count =50.
===========
So what do larger users of SM have??
.. or do I have some other issue to determine?
I do know, that the IP address is from my client's router... so all users from the client.. look like they are coming through that one IP address.

2 Replies

Are they using SmarterMail as a webmail client, or are they using Outlook or even mobile devices and using their WiFi to connect?
I am going to assume they are not using the SmarterMail web interface, but instead Outlook or something mobile too.

A DoS in that context is that they have multiple accounts making connections over and over again, possibly concurrent connections. (Our POP is Time: 10, Count: 300.) Some of their staff may have Outlook set to check for mail every 5 minutes, even every minute! See in the logs if you have a particular user showing up disproportionately to others.

Likewise, if a single person checks 2 or 3 different accounts (like "Susie", "Marketing" and "Sales") and they have Outlook set to check mail every minute, that is 3 connections per minute. 15 of your 50 used by 1 person.

When this started, did they happen to have any staff changes (like fired some staff)? If they have older user accounts stored in Outlook or on mobile devices, and the user accounts no longer exist on SmarterMail, that will cause problems (but more like a brute force attack).

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. In 2018, in just one year, we gave away 1,000 Free Computers!
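The per-account log check suggested in the reply above, as an added example that is not part of the original thread or of SmarterMail itself: it counts POP logins per source IP in a sliding 5-minute window and ranks the accounts behind that IP. The log line layout, the `example.com` accounts and the `203.0.113.26` address are constructed assumptions; adjust the regex to the real log format.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed line layout (constructed for this example, not copied from a real
# SmarterMail log): "HH:MM:SS [client-ip][session-id] cmd: USER <account>"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \[([^\]]+)\]\[[^\]]+\] cmd: USER (\S+)$")

def parse(lines):
    """Yield (time, ip, account) for each POP login line of a one-day log."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)

def peak_per_ip(events, minutes=5):
    """Highest number of logins seen from each IP in any sliding window."""
    window, peak, recent = timedelta(minutes=minutes), Counter(), {}
    for ts, ip, _ in sorted(events):
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] >= window:   # drop logins that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return peak

def accounts_by_volume(events, ip):
    """Per-account login counts for one IP, busiest first."""
    return Counter(acct for _, src, acct in events if src == ip).most_common()

def sample_log():
    """Constructed traffic behind one NAT IP: 20 accounts polling every
    5 minutes, plus one workstation polling 3 accounts every minute."""
    start, ip, out = datetime(1900, 1, 1, 9, 0, 0), "203.0.113.26", []
    for minute in range(10):
        for acct in ("susie", "marketing", "sales"):
            out.append((start + timedelta(minutes=minute, seconds=5), acct))
        if minute % 5 == 0:
            for n in range(20):
                out.append((start + timedelta(minutes=minute, seconds=10 + n), f"user{n:02d}"))
    return [f"{t:%H:%M:%S} [{ip}][{i:08d}] cmd: USER {a}@example.com"
            for i, (t, a) in enumerate(sorted(out))]

if __name__ == "__main__":
    events = list(parse(sample_log()))
    for ip, peak in peak_per_ip(events).items():
        print(f"{ip}: peak {peak} logins per 5 min (rule count is 50)")
        for acct, n in accounts_by_volume(events, ip)[:3]:
            print(f"  {acct}: {n} logins")
```

In the constructed data the three every-minute accounts contribute 15 of the 35 logins in the busiest window, which is the disproportion the reply says to look for.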

Merle Wait Replied
They are using email clients.. like emclient and/or Outlook.
They are a growing company, and yes.. they are checking their email every 5-10 minutes.

I think they are up to 25 employees. Had asked them if they would consider using webmail, or going to IMAP.. but basically got a big yawn.

So.. at the heart of what I was asking.. is there some way to whitelist their IP address specifically from Pop3 abuse detection?
(if not in SM15.x; perhaps in SM17)
