Reporting unusual activity based on geoip data (country) - maybe IDS rule?
Idea shared by Webio - 6/8/2020 at 3:12 AM

I would like to suggest adding a new IDS rule which would detect unusual activity based on IP address (geoip - country) for protocols and webmail. For example, if SMTP is being connected to and authorized from different countries in a short period of time, then this is for sure not normal. This could end with blocking or notifying the user/admin. The same for webmail/POP/IMAP, etc. Or maybe when a user is connecting only from one country and there is another connection from a different country, then this could also trigger a user notification.

IMHO this is not a hard thing to do (like always, right? :) ), but this could be very helpful in account hijacking situations.

Notification for the user or admin could be configured in the IDS rule. I also had the idea of allowing a user to configure his account to be used only from one geoip zone based on IP address. For example, if a user is sure that he will be using his account only in one country, then he could limit connecting to his account using webmail or protocols only to his country, or maybe even to an IP address, in the mail account settings. This would for sure allow limiting the number of situations where an account is being hijacked and used for spam sending.

This is just an idea, but maybe someone will agree (or not) that this would be helpful.
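As an added example (not code from the original post or from any mail server product), here is a small detector for the two checks the post proposes: the same account authenticating from two countries within a short window, and a login from outside a per-user allowed country. The log line format, the prefix-to-country table standing in for a GeoIP database, and the sample events are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-prefix -> country table; a real deployment would query a GeoIP database.
GEOIP = {"203.0.113.": "PL", "198.51.100.": "BR", "192.0.2.": "US"}

def country_of(ip):
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"  # unknown country; treated as distinct from any known one

def parse_line(line):
    # Constructed format: "<ISO timestamp> <proto> login ok user=<u> ip=<ip>"
    ts, proto, _, _, user, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "user": user.split("=", 1)[1], "ip": ip.split("=", 1)[1]}

def detect(lines, window=timedelta(hours=1), allowed=None):
    """Return a list of (user, kind, detail) alerts.
    kind is 'impossible_travel' when one account authenticates from two different
    countries within `window`, or 'outside_allowed_country' when the user has a
    configured country restriction (allowed[user]) and the login violates it."""
    allowed = allowed or {}
    recent = defaultdict(list)  # user -> [(timestamp, country, protocol)] inside the window
    alerts = []
    for line in sorted(lines):  # ISO timestamps at line start sort chronologically
        ev = parse_line(line)
        cc, user = country_of(ev["ip"]), ev["user"]
        if user in allowed and cc != allowed[user]:
            alerts.append((user, "outside_allowed_country", f"{ev['proto']} from {cc}"))
        for ts, prev_cc, prev_proto in recent[user]:
            if prev_cc != cc and ev["ts"] - ts <= window:
                alerts.append((user, "impossible_travel",
                               f"{prev_cc}/{prev_proto} then {cc}/{ev['proto']}"))
                break  # one alert per offending login is enough
        recent[user].append((ev["ts"], cc, ev["proto"]))
        recent[user] = [e for e in recent[user] if ev["ts"] - e[0] <= window]
    return alerts

SAMPLE_LOG = [  # constructed sample authentication events
    "2020-06-08T03:00:00 imap login ok user=alice ip=203.0.113.10",
    "2020-06-08T03:20:00 smtp login ok user=alice ip=198.51.100.7",
    "2020-06-08T03:30:00 webmail login ok user=bob ip=192.0.2.5",
    "2020-06-08T09:00:00 imap login ok user=bob ip=192.0.2.9",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, allowed={"bob": "US"}):
        print(alert)
```

With the sample log, alice's IMAP login from PL followed twenty minutes later by an SMTP login from BR raises the impossible-travel alert, while bob's two US logins stay quiet as long as his allowed country is US.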