Please Share your IDS Rules and Logic to Help Everyone
Question asked by Ronald Raley - 9/8/2020 at 10:59 AM
Bad SMTP Sessions (Harvesting) for SMTP
10 times in 100 minutes --- 24-Hour Block

Bounces Indicate Spammer for SMTP
10 bounces in 10 minutes --- Notify Only

Internal Spammer for SMTP
1000 messages in 60 minutes --- Notify Only

Denial of Service (DOS) for IMAP, LDAP, POP, SMTP, XMPP
500 connections in 10 minutes --- 24-Hour Block

Password Brute Force by Protocol for IMAP, LDAP, POP, SMTP, XMPP
300 failures in 10 minutes --- 24-Hour Block

Webmail Brute Force by Email
100 hits in 10 minutes --- 60-Minute Block

Webmail Brute Force by IP
100 hits in 10 minutes --- 60-Minute Block

Password Retrieval Brute Force
100 hits in 10 minutes --- 60-Minute Block

These have worked well for us over the years and we have tweaked them as some legit customers were being blocked.  Perhaps we made them too lax.  Perhaps they are too tight.  Some of these settings are based on the wisdom of Bruce Barnes, a SmarterMail expert, who has passed on.

Thank you in advance for participating in this discussion.
Ron
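To make the threshold semantics in the list above concrete, here is a small sliding-window model of the rules, written as an added example for this thread. It is not SmarterMail's IDS code and makes a few assumptions the post does not spell out: an event counts toward the window the moment it arrives (so the triggering event is the Nth one), a "Notify Only" rule resets its counter and records a notification instead of a block, and a block is keyed on the same subject (IP or email address) that was counted. The thresholds and block durations are copied from the post; the `rule_key` names, the `SlidingWindowIDS` class and the log lines in the demo are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    threshold: int          # events needed inside the window
    window: timedelta       # sliding window length
    block: Optional[timedelta]  # None means "Notify Only"


# Thresholds and durations as listed in the post (rule_key names are ours).
RULES: Dict[str, Rule] = {
    "smtp_harvest":     Rule("Bad SMTP Sessions (Harvesting)", 10, timedelta(minutes=100), timedelta(hours=24)),
    "bounce_spammer":   Rule("Bounces Indicate Spammer", 10, timedelta(minutes=10), None),
    "internal_spammer": Rule("Internal Spammer", 1000, timedelta(minutes=60), None),
    "dos":              Rule("Denial of Service", 500, timedelta(minutes=10), timedelta(hours=24)),
    "auth_brute":       Rule("Password Brute Force by Protocol", 300, timedelta(minutes=10), timedelta(hours=24)),
    "webmail_email":    Rule("Webmail Brute Force by Email", 100, timedelta(minutes=10), timedelta(minutes=60)),
    "webmail_ip":       Rule("Webmail Brute Force by IP", 100, timedelta(minutes=10), timedelta(minutes=60)),
    "pw_retrieval":     Rule("Password Retrieval Brute Force", 100, timedelta(minutes=10), timedelta(minutes=60)),
}


class SlidingWindowIDS:
    """Counts events per (rule, subject) in a sliding window and blocks or notifies."""

    def __init__(self, rules: Dict[str, Rule]):
        self.rules = rules
        self.events: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.blocks: Dict[Tuple[str, str], datetime] = {}   # key -> block expiry
        self.notifications: List[str] = []

    def is_blocked(self, rule_key: str, subject: str, now: datetime) -> bool:
        until = self.blocks.get((rule_key, subject))
        if until is None:
            return False
        if now >= until:                 # block has expired; forget it
            del self.blocks[(rule_key, subject)]
            return False
        return True

    def record(self, rule_key: str, subject: str, now: datetime) -> str:
        """Record one event. Returns 'ok', 'notify' or 'blocked'."""
        rule = self.rules[rule_key]
        key = (rule_key, subject)
        if self.is_blocked(rule_key, subject, now):
            return "blocked"
        q = self.events[key]
        q.append(now)
        cutoff = now - rule.window
        while q and q[0] < cutoff:       # drop events older than the window
            q.popleft()
        if len(q) < rule.threshold:
            return "ok"
        q.clear()                        # threshold reached: reset the counter
        if rule.block is None:
            self.notifications.append(f"{rule.name}: {subject} hit {rule.threshold} in {rule.window}")
            return "notify"
        self.blocks[key] = now + rule.block
        return "blocked"


def replay(ids: SlidingWindowIDS, lines: List[str]) -> List[Tuple[str, str]]:
    """Feed constructed log lines of the form '<ISO time> <rule_key> <subject>'."""
    out = []
    for line in lines:
        ts, rule_key, subject = line.split()
        out.append((subject, ids.record(rule_key, subject, datetime.fromisoformat(ts))))
    return out


if __name__ == "__main__":
    # Constructed demo: 100 webmail hits from one IP in under two minutes.
    base = datetime(2020, 9, 8, 10, 59)
    burst = [f"{(base + timedelta(seconds=i)).isoformat()} webmail_ip 203.0.113.5" for i in range(100)]
    ids = SlidingWindowIDS(RULES)
    verdicts = replay(ids, burst)
    print("100th hit:", verdicts[-1][1])          # blocked for 60 minutes
    print("later hit:", ids.record("webmail_ip", "203.0.113.5", base + timedelta(minutes=5)))
    print("after block:", ids.record("webmail_ip", "203.0.113.5", base + timedelta(seconds=99, minutes=60)))
```

The point to notice when tuning these numbers is the interaction between the window and the reset: a legitimate user who trips 99 failures and then stops is never blocked, while one more attempt inside the window earns the full block duration, and once the counter is cleared the next 100 attempts are counted afresh. Lowering a threshold or widening a window changes both sides of that trade-off at once.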
