9
Instead of IDS block, temporarily disable email account
Idea shared by SmP - 11/10/2021 at 8:23 AM
Proposed
We often see offices with larger numbers of users wherein one user has a device or email client with an incorrect password triggering an IDS block for the IP and causing the entire group to be affected.

We'd love to see a feature in which the offending email account gets temporarily disabled for POP/SMTP/IMAP sessions (but still accepts incoming email) instead of a block on the IP address.

This seems more surgical and less heavy-handed than the old-school IP hammer approach as it would also require fewer priority tickets to unblock IP addresses.

8 Replies

0
+1
0
A very self-serving +1 to myself as well.
0
Kyle Kerst Replied
Employee Post
Hello SmP and Gabriele. While we're awaiting feedback from other users, I wanted to offer some guidance that may help. 

With this specific scenario in mind, I'd recommend setting all of the password brute-force IDS rules to 5 password failures. Outlook and most other modern email clients will attempt authentication 3 times before giving up and prompting the user for the updated password, so this should help block spammers/hackers without affecting the users that have recently updated their passwords and forgotten to update the client. 

I hope that helps! :)
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Thank you for the idea. It's not so much about blocking nefarious traffic but rather legitimate users who would then unknowingly take that bad password and try right away again using any email client. We'd much rather temporarily block all but inbound email to the account instead of the entire IP.
0
Kyle Kerst Replied
Employee Post
You're very welcome, and thanks for your clarification on this. That makes sense to me! I see 3 upvotes on this now, so we'll let it run a little longer and see what kind of votes/feedback we get from the community. Have a good one!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Hello,
Idea 1: locking only the email account that has the password failure is a very good idea, thanks to SmP.
My customers often shout at me because the whole company is blocked when one of them has a password failure.

Idea 2: don't block if there are 100 password failures with the same string. For example, SmarterMail receives 100 password failures with "myprvpassword" from IP xxx.xxx.xxx.xxx for email admin@domain.com.
This means it is not a brute-force attack.
2
+1 here too. I have seen this happen with 1 of our clients in particular, several times. They change their password, forget to update the phone that is connected to WiFi... the phone blasts away trying the old password, then the IP address is blocked, along with 35 users' access to their email.

www.HawaiianHope.org - Providing technology services to nonprofit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. In 2018, in just one year, we gave away 1,000 Free Computers!

0
We've also run into this issue of one user taking down access for an entire location. We have the webmail brute force by IP disabled for this reason. So, I agree that it would be great if the other mail protocols had this IP/account distinction too.
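
A sketch of the behaviour requested in this thread, added here as an illustration and not SmarterMail code or configuration: failures are tracked per account instead of per IP, a repeated identical wrong password counts once (Idea 2 above), and a lock stops POP/IMAP/SMTP logins while inbound delivery continues. The class name, thresholds and the action names passed to `allow` are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


class AccountLockout:
    """Locks an account after N *distinct* wrong passwords within a time window."""

    def __init__(self, max_distinct=5, window=600, lock_for=900, key=None):
        self.max_distinct = max_distinct       # assumed threshold, not a product default
        self.window = window                   # seconds a failure stays counted
        self.lock_for = lock_for               # seconds a lock lasts
        self.key = key or os.urandom(32)       # per-process key for fingerprints
        self.failures = defaultdict(dict)      # account -> {fingerprint: last seen}
        self.locked_until = {}                 # account -> unix time the lock ends

    def _fingerprint(self, account, password):
        # Keyed hash: wrong guesses are often near-misses of the real password,
        # so they are never kept in clear text.
        msg = account.encode() + b"\0" + password.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(account.lower(), 0) > now

    def record_failure(self, account, password, now=None):
        """Record a failed POP/IMAP/SMTP login; return True if the account is locked."""
        now = time.time() if now is None else now
        acct = account.lower()
        seen = self.failures[acct]
        # A stale client resending one old password only refreshes a single entry.
        seen[self._fingerprint(acct, password)] = now
        for fp in [f for f, ts in seen.items() if ts <= now - self.window]:
            del seen[fp]
        if len(seen) >= self.max_distinct:
            self.locked_until[acct] = now + self.lock_for
            seen.clear()
        return self.is_locked(acct, now)

    def allow(self, account, action, now=None):
        # "deliver" (inbound mail to the mailbox) is never affected by a lock;
        # "pop", "imap" and "smtp" logins are refused while the lock is active.
        return action == "deliver" or not self.is_locked(account, now)
```

Because anyone who knows an address can trigger an account lock, a design like this is usually paired with a short lock duration and a separate, higher per-IP threshold.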
