Back to Community Threads
2
Beta 7264 POP too many failed login attempts IDS blocking
Problem reported by Robert Simpson - 11/27/2019 at 8:24 PM
Submitted
After upgrading, I have at least one POP3 user being IDS blocked in spite of never having reported a bad password.  This started happening after the change to enable NTLM auth ... here's an example log:

[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] +OK POP3 server ready <fb636a4e-7fbc-4710-8081-cdc504c26d2e@mysupersecretdomain.com>
[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] connected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] CAPA
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] +OK Capability list follows
[2019.11.27] 13:06:24.219 [47.199.53.95][58663423] AUTH NTLM
[2019.11.27] 13:06:24.234 [47.199.53.95][58663423] + OK
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] Closing transmission channel: too many authentication failures from this IP
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] -ERR Too many authentication failures by this IP, closing transmission channel
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] disconnected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] connected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] IP blocked by brute force abuse detection rule
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] disconnected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] connected at 11/27/2019 1:13:46 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] IP blocked by brute force abuse detection rule

The user had zero bad password attempts prior to this entry, and there were no retries, nothing.  It failed the user immediately on the first attempt to authenticate before even being allowed to submit credentials.

2 Replies

Reply to Thread
0
Jade D Replied
11/28/2019 at 11:57 PM
I have a ticket open about this exact same issue.
The only work around for now is to whitelist the IP or remove the IDS blocks (for us this is not an option)
Jade
0
Matt Petty Replied
12/4/2019 at 12:12 PM
Employee Post
@Jade I believe this topic is specific to the BETA version of SmarterMail, I checked and you appear to be running on a non-beta version.

@Robert, sorry I didn't see this thread earlier. Try updating to Beta 7269, we fixed an issue with NTLM authentication.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Back to Community Threads

Reply to Thread

Related Community Threads

SmarterMail 8055 Resync FeedbackQuestion by echoDreamz - Today
IceWarp to SmarterMail ConversionQuestion by Vince - Today
Send limit in smarter mailQuestion by Vince - Today
Is there an Event for High Usage on an AccountQuestion by Vince - Today
Null sender (RFC5321.MailFrom: <>) allows DMARC bypassProblem reported by Steve Norton - Today

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Cannot Send Email MessagesSmarterMail > Troubleshooting
Change the Login AttemptsSmarterStats > Installation and Configuration
Configure POP for iPhone, iPad or iPod TouchSmarterMail > Desktop and Mobile Synchronization