Bad SMTP Sessions (Harvesting) for SMTP
10 times in 100 minutes --- 24-Hour Block
Bounces Indicate Spammer for SMTP
10 bounces in 10 minutes --- Notify Only
Internal Spammer for SMTP
1000 messages in 60 minutes --- Notify Only
Denial of Service (DOS) for IMAP, LDAP, POP, SMTP, XMPP
500 connections in 10 minutes --- 24-Hour Block
Password Brute Force by Protocol for IMAP, LDAP, POP, SMTP, XMPP
300 failures in 10 minutes --- 24-Hour Block
Webmail Brute Force by Email
100 hits in 10 minutes --- 60-Minute Block
Webmail Brute Force by IP
100 hits in 10 minutes --- 60-Minute Block
Password Retrieval Brute Force
100 hits in 10 minutes --- 60-Minute Block
These have worked well for us over the years and we have tweaked them as some legit customers were being blocked. Perhaps we made them too lax. Perhaps they are too tight. Some of these settings are based on the wisdom of Bruce Barnes, a SmarterMail expert, who has passed on.
Thank you in advance for participating in this discussion.
Ron
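
One way to check thresholds like those listed in the post against existing logs before tightening or loosening them, as an added example that is not part of the original post and is not SmarterMail code. It assumes a rule trips once the count is reached inside a sliding window (the page does not say how SmarterMail counts); the `replay` function, the event tuples and the sample addresses are constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds copied from the post: (count, window in minutes, action).
RULES = {
    "smtp_harvesting": (10, 100, "24-Hour Block"),
    "password_brute_force": (300, 10, "24-Hour Block"),
    "webmail_brute_force_ip": (100, 10, "60-Minute Block"),
}

def replay(events, rules=RULES):
    """Replay (epoch_seconds, rule_name, source_ip) events in time order.

    Returns {(rule, ip): (time_of_first_trip, action)} for every source
    that would have reached a rule's count inside its window.
    Assumption: sliding-window counting, one counter per rule and source.
    """
    windows = defaultdict(deque)
    tripped = {}
    for ts, rule, ip in events:
        count, minutes, action = rules[rule]
        q = windows[(rule, ip)]
        q.append(ts)
        # Drop events that have aged out of this rule's window.
        while q and q[0] <= ts - minutes * 60:
            q.popleft()
        if len(q) >= count and (rule, ip) not in tripped:
            tripped[(rule, ip)] = (ts, action)
    return tripped

def sample_events():
    """Constructed sample data (documentation address ranges)."""
    # One failure per second for five minutes: reaches 300 inside 10 minutes.
    ev = [(t, "password_brute_force", "198.51.100.7") for t in range(300)]
    # One failure every 3 seconds for an hour: peaks at 200 per 10 minutes.
    ev += [(t, "password_brute_force", "203.0.113.20") for t in range(0, 3600, 3)]
    # Ten bad SMTP sessions, 9 minutes apart: all fall inside 100 minutes.
    ev += [(n * 540, "smtp_harvesting", "192.0.2.9") for n in range(10)]
    return sorted(ev)

if __name__ == "__main__":
    for (rule, ip), (ts, action) in sorted(replay(sample_events()).items()):
        print(f"{ip} trips {rule} at t={ts}s -> {action}")
```

Feeding real log events through the same function with candidate thresholds shows which known-good customer addresses would have been blocked and which noisy sources stay under the limit.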