Adding "View Log" to IDS Blocks, and passing in Country when sending to Blacklist
Idea shared by Montague WebWorks - 12/7/2020 at 1:36 PM
Recently we had some issues with a barrage of hacking attempts against our server, and in response we tightened up our IDS Block settings, which is now capturing many false-positives from local customers who operate from a single building with multiple devices.

What would be great is if we could right-click on a captured IP to see the list of infractions that led to it being blocked. Sure, I can see that there's an IMAP DoS, but were those IMAP sessions successful, and simply multiple people in one office all checking their email at the same time? I mean, 30 employees in one building (one IP) with both desktop and smartphones each could easily accidentally sync their email-checking times and trigger something. If I could see that this particular episode was real, I could tweak my settings. I would also know if this was just one frantic client and I could call them and fix their issue.

Looking at the two IDS Block records, below, it appears this IP number tripped the "IMAP Password Brute Force by Protocol" a half-hour ago, and 23 minutes later it tripped the IMAP DoS. Probably someone was checking checking checking their email because their password was incorrect and no new email was coming in. Of course, I'm just guessing at this behavior.

In any event, clearly SM is keeping track of stuff, and potentially could grab that grep or whatever triggered the block and paste it into a variable we could scrutinize. Right-click "View Log."

Until then, we're kind of flying blind, or are subject to dropping to the server and searching through logs.

23:53:10 | United States | IMAP | Denial of Service (DoS) | Default IMAP DoS
23:30:02 | United States | IMAP | Password Brute Force by Protocol | Default IMAP brute force
Mik Muller, Montague WebWorks
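The triage the post asks for (pull the log lines for one blocked IP in the window before the block, then tell a shared office address apart from a credential attack) can be scripted against the server logs in the meantime. The following is an added example, not SmarterMail code and not from the original poster; the log line layout, the IP addresses and the timestamps are constructed for the example, and SmarterMail's real IMAP log format will differ, so the regular expression is the part to adapt.

```python
"""Pull the events behind an IDS block for one IP and summarize them."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample IMAP log. The layout "<date> <time> [<ip>] LOGIN <user> OK|FAILED"
# is an assumption for this example, not SmarterMail's real log format.
SAMPLE_LOG = """\
2020-12-06 23:28:51 [203.0.113.9] LOGIN sales@example.com FAILED
2020-12-06 23:29:02 [203.0.113.9] LOGIN admin@example.com FAILED
2020-12-06 23:29:14 [203.0.113.9] LOGIN info@example.com FAILED
2020-12-06 23:30:01 [203.0.113.9] LOGIN postmaster@example.com FAILED
2020-12-06 23:31:05 [198.51.100.7] LOGIN alice@example.com OK
2020-12-06 23:31:06 [198.51.100.7] LOGIN bob@example.com OK
2020-12-06 23:31:06 [198.51.100.7] LOGIN carol@example.com OK
2020-12-06 23:31:09 [198.51.100.7] LOGIN dave@example.com FAILED
2020-12-06 23:40:10 [198.51.100.7] LOGIN alice@example.com OK
2020-12-06 23:40:11 [198.51.100.7] LOGIN dave@example.com FAILED
2020-12-06 23:52:58 [198.51.100.7] LOGIN bob@example.com OK
2020-12-06 23:52:59 [198.51.100.7] LOGIN carol@example.com OK
2020-12-06 23:59:30 [198.51.100.7] LOGIN alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] LOGIN (\S+) (OK|FAILED)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return {"time": datetime.strptime(ts, TIME_FMT), "ip": ip, "user": user, "result": result}


def infractions_for(log_text, ip, block_time, window):
    """Return the events for `ip` that fall in the window ending at the block time."""
    start = block_time - window
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ip"] == ip and start <= ev["time"] <= block_time:
            events.append(ev)
    return events


def summarize(events):
    """Count outcomes and give a first-pass verdict an admin can act on."""
    results = Counter(e["result"] for e in events)
    ok, failed = results.get("OK", 0), results.get("FAILED", 0)
    users = sorted({e["user"] for e in events})
    failed_users = sorted({e["user"] for e in events if e["result"] == "FAILED"})
    if ok == 0 and failed > 0:
        verdict = "only failed logins: treat as a credential attack until proven otherwise"
    elif failed > 0 and len(failed_users) == 1:
        verdict = "successful logins plus one account failing repeatedly: likely a single misconfigured client"
    elif failed == 0 and ok > 0:
        verdict = "successful logins only: likely a shared office IP tripping a volume threshold"
    else:
        verdict = "no events or mixed results: review by hand"
    return {"ok": ok, "failed": failed, "users": users,
            "failed_users": failed_users, "verdict": verdict}


def triage(log_text, ip, block_time_str, window_minutes=30):
    """Summarize what `ip` did in the `window_minutes` before the block at `block_time_str`."""
    block_time = datetime.strptime(block_time_str, TIME_FMT)
    return summarize(infractions_for(log_text, ip, block_time, timedelta(minutes=window_minutes)))


if __name__ == "__main__":
    for ip, blocked_at in (("198.51.100.7", "2020-12-06 23:53:10"),
                           ("203.0.113.9", "2020-12-06 23:30:02")):
        s = triage(SAMPLE_LOG, ip, blocked_at)
        print("%s: %s" % (ip, s["verdict"]))
        print("  ok=%d failed=%d users=%s" % (s["ok"], s["failed"], ", ".join(s["users"])))
```

The window defaults to 30 minutes because the two block records in the post are that far apart; the verdict rules are deliberately coarse, and the "mixed results" case is left for a human precisely so that a NATed office with one stale password is not mistaken for an attack, or the reverse.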

2 Replies

Additionally, when we right-click on an IP number in the IDS Blocks and select Blacklist, can you pass in the Country and maybe also date when naming the new Blacklist entry?
Mik Muller, Montague WebWorks
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
