4
Smartermail - Authenticated user connecting from too many unique IP addresses
Idea shared by Tim DeMeza - 5/2/2019 at 8:45 AM
Proposed
So, I have had a users mailbox get compromised.  Obviously a password they used in too many places.  

Anyway, I have been thinking about a way to help mitigate this problem.  

At the Server / Domain / User level.  Have a setting that states.. User may only authenticate from X unique IP addresses before being throttled or shut down.  

Also, I believe we know the home country of the user based on a zip code.  I am pretty sure this is captured somewhere or we could configure it.  But maybe we could even say, Do not allow user to connect from any country other than their home country.  Or allow a list of countries a user could authenticate from.  It would be great if the user could configure that  too.  They cannot shut off their home country, but they could allow themselves to connect from another country if needed.  

Any thoughts?  Could this idea be improved?


4 Replies

Reply to Thread
0
Tony Scholz Replied
Employee Post
Hello Tim, 

What you are asking for sounds like a user|domain level IDS block list combined with a blacklist on the domain|user level as well. 

I can pass this along to see if this is viable. Just on the surface this would cause a huge issue with performance. The system would need to check ever domain and user config file before even allowing the initial SMTP connection to be made. 

Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Tony, 
No I think my issue is that most users should only connect from X unique IP addresses.  So when I login for instance.  I may be logged in on my phone and my desktop computer.  So If I were to set a limit/ maximum of 3 unique IP addresses that I can login from, then if you see a 4th coming in, we stop it or throttle it.  Especially if it is originating from a country other than the one I am logged in from the other IP addresses.  

So you would keep a list of IP addresses for each user and check a count an maybe originating country.  

I would have a hard time having my phone and desktop logged in from the USA, and then making a connection from China.  That should raise a red flag.  

Thank you,
Tim
0
Anyone have any thoughts on this one?  A little work and creativity on the good guys side will make is really hard for the bad guys.

Thanks.
0
Another tool that would save a lot of time.  Just checking to see if this is going to happen?

Reply to Thread