Beta 7264 POP too many failed login attempts IDS blocking
Problem reported by Robert Simpson - 11/27/2019 at 8:24 PM
Submitted
After upgrading, I have at least one POP3 user being IDS blocked in spite of never having reported a bad password.  This started happening after the change to enable NTLM auth ... here's an example log:

[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] +OK POP3 server ready <fb636a4e-7fbc-4710-8081-cdc504c26d2e@mysupersecretdomain.com>
[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] connected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] CAPA
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] +OK Capability list follows
[2019.11.27] 13:06:24.219 [47.199.53.95][58663423] AUTH NTLM
[2019.11.27] 13:06:24.234 [47.199.53.95][58663423] + OK
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] Closing transmission channel: too many authentication failures from this IP
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] -ERR Too many authentication failures by this IP, closing transmission channel
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] disconnected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] connected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] IP blocked by brute force abuse detection rule
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] disconnected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] connected at 11/27/2019 1:13:46 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] IP blocked by brute force abuse detection rule

The user had zero bad password attempts prior to this entry, and there were no retries, nothing.  It failed the user immediately on the first attempt to authenticate before even being allowed to submit credentials.
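
The following Python example is an addition to this page, not part of the original post and not SmarterMail code. It decodes the base64 line from the log above to show that it is an NTLM Type 1 (negotiate) message, which carries no credentials, and flags sessions where the failure verdict was logged before the client sent any Type 3 (authenticate) message. The function names and the log-line regex are assumptions made for this example.

```python
import base64
import re
import struct

# Log lines copied from the post above (session 58663423).
LOG = """\
[2019.11.27] 13:06:24.219 [47.199.53.95][58663423] AUTH NTLM
[2019.11.27] 13:06:24.234 [47.199.53.95][58663423] + OK
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] Closing transmission channel: too many authentication failures from this IP
"""

# Assumed layout: [date] time [ip][session] text
LINE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[([^\]]+)\]\[(\d+)\] (.*)$")


def ntlm_message_type(text):
    """Return the NTLM message type (1, 2 or 3) if text is a base64
    NTLMSSP message, otherwise None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    # Bytes 8..11 hold the message type as a little-endian uint32.
    return struct.unpack_from("<I", raw, 8)[0]


def premature_blocks(log):
    """Return (ip, session) pairs where an authentication-failure verdict
    was logged although no Type 3 message had been seen in the session."""
    seen = {}  # session id -> set of NTLM message types logged so far
    flagged = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, session, text = m.groups()
        mtype = ntlm_message_type(text)
        if mtype is not None:
            seen.setdefault(session, set()).add(mtype)
        elif "too many authentication failures" in text.lower():
            types = seen.get(session, set())
            # Only the Type 3 message carries the user's response.
            if types and 3 not in types:
                flagged.append((ip, session))
    return flagged
```
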


2 Replies

Jade D Replied
I have a ticket open about this exact same issue.
The only workaround for now is to whitelist the IP or remove the IDS blocks (for us this is not an option).
Matt Petty Replied
Employee Post
@Jade I believe this topic is specific to the BETA version of SmarterMail. I checked, and you appear to be running on a non-beta version.

@Robert, sorry I didn't see this thread earlier. Try updating to Beta 7269, we fixed an issue with NTLM authentication.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
