2
Anyone else's SmarterMail server(s) under attack?
Question asked by Michael Muller - 11/22/2020 at 8:14 AM
Unanswered
I'm running SM Build 7523 (Aug 6, 2020) on a Windows 2008 Server with 32GB RAM, four processors and two RAID5 2TB drives for about 450 clients. Plenty of speed and space. However, the server has been crashing for the past couple days, caused by memory usage going through the roof (90% and higher), and has been super-sluggish the past week. Looking at the logs I can see we're under DOS and other brute force attacks from Russia and Poland. Mostly Russia. I've added three /24 subnets to my blacklist, as well as a few others, but that has only been a temporary fix.

So, is anyone else experiencing this, and if so what did you do to ameliorate the problem?

Here's my Settings > Security > IDS Rules. Any thoughts or suggestions?


Here's my Blacklist:

---
Montague WebWorks
Powered by RocketFusion

12 Replies

0
Michael Muller Replied
Here's my Reports > Security page charts for the past week:
---
Montague WebWorks
Powered by RocketFusion
0
Chris Daley Replied
We have observed an increase in attempts from Russia over the past week; however, this has not affected performance. We don't use an SMTP DoS rule though, only password brute force for SMTP (time frame = 20mins, threshold = 5, block time = 1440).

A number of customers have received targeted SmarterMail spam emails in the past week as well, basically telling them their POP/IMAP settings need updating to keep using SmarterMail. So someone has identified the domain uses SM for email.
0
Michael Muller Replied
Looking for the command line script to restart SM if memory usage goes above 80%. Could be a quick temporary fix until I figure out a better solution.
---
Montague WebWorks
Powered by RocketFusion
0
Chris Daley Replied
Have you tried upgrading? We are currently on 7611, no issues that I'm aware of (not using Exchange functionality though).
0
Ron Raley Replied
We block for 24 hours if SMTP DOS is triggered.

Your settings only keep them away for 2 hours. They may be coming right back and hitting your server over and over.

Ron
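Added example, not part of any post in this thread and not SmarterMail's code: a simplified model of a brute-force IDS rule, using the 20-minute window and threshold of 5 quoted above, to compare the 2-hour block time Ron mentions with a 24-hour (1440-minute) one. The rule semantics, the IP addresses (documentation ranges) and the traffic are constructed assumptions.

```python
from collections import defaultdict, deque

def simulate_ids(events, window_min, threshold, block_min):
    """Simplified model of a brute-force IDS rule (not SmarterMail's code).

    events: (minute, ip) failed logins. Returns two dicts keyed by IP:
    blocks triggered, and failed attempts that reached authentication.
    """
    recent = defaultdict(deque)   # ip -> failure times inside the window
    blocked_until = {}            # ip -> minute at which the block expires
    blocks, reached = defaultdict(int), defaultdict(int)
    for minute, ip in sorted(events):
        if blocked_until.get(ip, 0) > minute:
            continue              # dropped while the block is active
        reached[ip] += 1
        q = recent[ip]
        q.append(minute)
        while q[0] <= minute - window_min:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            blocked_until[ip] = minute + block_min
            blocks[ip] += 1
            q.clear()
    return dict(blocks), dict(reached)

def constructed_events():
    """Constructed sample: 48 hours of traffic, time in minutes."""
    noisy = [(m, "203.0.113.7") for m in range(48 * 60)]     # 1 failure/min
    typo_user = [(m, "198.51.100.20") for m in (600, 601, 603)]
    return noisy + typo_user

def compare(block_minutes=(120, 1440)):
    """Same rule (20 min window, threshold 5) under each block time."""
    out = {}
    for block_min in block_minutes:
        blocks, reached = simulate_ids(constructed_events(), 20, 5, block_min)
        out[block_min] = (blocks.get("203.0.113.7", 0), reached["203.0.113.7"],
                          blocks.get("198.51.100.20", 0))
    return out

if __name__ == "__main__":
    for block_min, (blocks, reached, user_blocks) in compare().items():
        print(f"block {block_min:>4} min: {blocks} blocks, "
              f"{reached} attempts reached auth, typo user blocked {user_blocks}x")
```

In this model the same source is re-blocked 24 times in 48 hours with a 120-minute block and twice with a 1440-minute block, while the user with three mistyped passwords is never blocked.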
0
echoDreamz Replied
Same, we block for 24 hours. We always have 1000+ blocked IPs in our IDS section (mainly on SMTP).
0
Michael Muller Replied
Ah.
---
Montague WebWorks
Powered by RocketFusion
0
Montague WebWorks Replied
I've got lots of blocks, and memory still over-consumed...


Mik Muller
Montague WebWorks
0
Montague WebWorks Replied
Mik Muller
Montague WebWorks
0
Montague WebWorks Replied
Memory up to 85% and server is now unresponsive, again. I can't get to "Services" and clicking "End Process" does nothing. Just rebooted two hours ago.

Is there a way to limit the amount of RAM SM uses, so the OS can still operate if SM is maxed?
Mik Muller
Montague WebWorks
2
Ron Raley Replied
I would recommend upgrading to 7619. The community indicates that this is a very stable version.

If the issue still exists afterwards, let SmarterTools have a look at it. They have diagnostic tools to view exactly what mailservice.exe is doing.

Ron
1
Montague WebWorks Replied
Turns out there were some corrupted json and grp files, since Friday morning. This happened around the same time we started to get pummeled by hackers from Russia and China, so, a bit of a goose chase. In any event, we are restoring those few files and are now back up.
Mik Muller
Montague WebWorks
