Remembering Expired IDS Blocks
Idea shared by Montague WebWorks - 7/28/2021 at 9:48 AM
I have my IDS Block set up to email me whenever an IP appears in my IDS Blocks list, and have left those emails in my mailbox for a few weeks to see if any of the IP numbers reappear, and lo and behold, some do.

My suggestion is to database all IDS Blocks for future reference. If we don't log in and deal with a particular blocked IP and the temporary block expires and they come back, SM should see that they've been here before and maybe have a second tier period of blocking. If they come back a third time, block them for good. Something along those lines.

Any thoughts?
Mik MullerMontague WebWorks

8 Replies

Reply to Thread
It would be useful if the expired blocks remained present, even after refresh, perhaps just showing 0 time left  - until manually deleted.  It could be an optional setting.  This would allow catching repeat offenders, and offenders with closely related IP's.
Current configuration on my incoming gateway:
IDS block after 1 SMTP AUTH failure:   37267 minutes (22 days)

Once an address is in the IDS block, it is easy to convert them to permanent blocks (in groups of 200).  For awhile, I was doing that, and collected 4700+ entries.   But 4700 entries out of 4 billion is still a small subsection, and I never saw sufficient density to consolidate offenders into subnets.   Consolidating would also have been very tedious.  

Based on someones recommendation in this forum, I have just been letting the IDS blocks run out.   I am assuming (hoping) that repeat offenders will have their timeouts restarted every time that they try again.

With this configuration, I always have over 1000 active IDS blocks.
It would be very useful to have a list of current and past offenders, maybe even with a count on how many they tried again. This list should be exportable to CSV so we can also import them to our firewall.
Hopefully you can retieve IDS blocks and Blacklist addresses using the REST API.  Then you could populate your own database or firewall.  

We used this approacb with a previous incoming gatewau device.  Any SMTP AUTH failure triggered a firewall rule to block all ports for the related /24 subnet.  (No database component thoughj.)  Have not yet recreated it with tbe SmarterMail gateway.  No known problems from generalizing the one address to an entire subnet, but your results may vary.
We are not programmers and do not want to use the APIs. A menu or submenu where the IDS already is, with a list of current blocked IPs, plus previous blocked IPs and the hit count, with the possibility to download them in a CSV or any other type of file - that is what would benefit anyone. Now, if someone wants to take this to a next level, then sure, this list should also be retrievable via the REST APIs.
... and potentially importable into other SM customer's Blacklists
Mik MullerMontague WebWorks
Kyle Kerst Replied
Employee Post
The blacklist can be imported/exported to/from SmarterMail environments as desired. The IDS list is a temporary block list as designed, as most crackers/spammers rotate through IPs regularly to avoid detection. If you are able to confirm a particular IP is seen on this list more often than not, adding it to the blacklist (under Settings>Security>Blacklist) is the recommended way to prevent further connectivity from the IP. Once you have a good-sized list of blocked IPs, you can use ...>Export Blacklist to bring that configuration into all of your other SmarterMail environments. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
Please don't leave expired blocks in the list. This would be problematic to large and busy servers. I have anywhere between 800 and 1500 items in my IDS at any given time. When the list grows beyond about 1700 it starts to slow down processing significantly. Leaving expired blocks would create multiple levels of additional processing that just should not be there.
John C. Reid  / Technology Director
John@prime42.net  / (530) 691-0042
1300 West Street, Suite 206, Redding, CA 96001

Reply to Thread