6
Internal Spammer
Question asked by Heimir Eidskrem - 3/16/2022 at 2:44 PM
Answered
Our IDS showed some entries that read Internal Spammer.
I searched the logs for the IP addresses but didn't find a single entry.

Looking at online help it reads this: Internal Spammer Violations - The total number of spam violations from users on the SmarterMail server. 

Since I can't find the IP in any log, what is an internal spammer in this case?

9 Replies

1
Tony Scholz Replied
Employee Post
Hello Heimir, 

The IDS rule "Internal Spammer" is triggered off of the number of emails being sent out of SmarterMail per user. Since the trigger is from webmail, there is no associated IP.

"Enabling this rule in SmarterMail will block or quarantine an account from sending mail, as well as alert an administrator, whenever multiple emails from a single sender are delivered externally from the server during a specified time frame."

If a user (in webmail) sends out more than XXX emails in XXX minutes, then the account is blocked from sending more messages for XXX minutes.

I hope this helps clear things up. 

Thank you
Tony
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
1
Heimir Eidskrem Replied
That is very helpful.
Thank you for the great response.
1
Heimir Eidskrem Replied
So at this moment I have several that show up under IDS, but I don't have a rule that reads Internal Spammer.
I see it's an option, but I haven't created one.

When I look under user activity, I don't see the IP addresses listed by Internal Spammer.
So how do I find out what's going on, since none of the IP addresses listed as internal spammers show up in the log files?
I feel like I'm missing the obvious.


1
David Jamell Replied
I'm seeing the same thing with SM Version 8125.  No Internal Spammer Rule and cannot find the IP Addresses in any log.  SMTP and Delivery Logs are set to "detailed".

I do have a "Default SMTP Password Brute Force strict rule" setup and every Internal Spammer violation has a corresponding SMTP Brute Force Violation at the same time.
1
Douglas Foster Replied
I have the same symptoms - one Internal Spammer "Delivery" block for almost every SMTP block.  I have opened a ticket for clarification, but apparently the change in behavior is related to this release notes entry:

Build 8083 (Feb 17, 2022)
Fixed: Internal Spammer IDS actions (Quarantine and Block) do not appear on the IDS Blocks page or in Administrative logs. 

So maybe the behavior has always been there, but invisibly, and now it is visible.
0
Mike Mulhern Replied
+1

I'm getting internal spammer after updating to 8125 from 8055.  I skipped both 8083 and 8097.
2
Douglas Foster Replied
I have determined that the SMTP IDS blocks appear in the SMTP log file, and the Delivery IDS blocks appear in the Administrative log file. I can tell that both types are triggered by the same IDS rule because of the duration of the resulting block rules. Support confirms that it is a bug. For my situation, it is a surprise but no harm done.
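
The pattern reported in the posts above (each Internal Spammer "Delivery" block has an SMTP brute-force block for the same IP at the same time and with the same duration) can be checked mechanically, leaving only the unmatched entries for manual review. This Python sketch is an added example, not code from the thread or from SmarterTools; the CSV layout, the rule labels, the 5-second tolerance and all sample rows are constructed assumptions, not SmarterMail's real export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of IDS block entries (assumed columns, documentation IPs).
SAMPLE = """ip,rule,service,start,minutes
203.0.113.7,SMTP Password Brute Force,SMTP,2022-03-16 14:02:11,30
203.0.113.7,Internal Spammer,Delivery,2022-03-16 14:02:11,30
198.51.100.4,SMTP Password Brute Force,SMTP,2022-03-16 14:10:40,30
198.51.100.4,Internal Spammer,Delivery,2022-03-16 14:10:42,30
,Internal Spammer,Delivery,2022-03-16 15:00:00,60
192.0.2.9,Internal Spammer,Delivery,2022-03-16 15:30:00,30
"""

def parse(text):
    """Read the CSV and convert the start time and duration to real types."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["minutes"] = int(r["minutes"])
        rows.append(r)
    return rows

def classify(rows, tolerance=timedelta(seconds=5)):
    """Split Internal Spammer blocks into (shadow, review).

    shadow: same IP, same block duration and near-identical start time as an
            SMTP brute-force block, i.e. the duplicate described in the thread.
    review: no matching brute-force block (including entries with no IP, as
            webmail-triggered blocks have none); inspect the account's
            outbound volume for these.
    """
    brute = [r for r in rows if r["rule"] == "SMTP Password Brute Force"]
    shadow, review = [], []
    for r in rows:
        if r["rule"] != "Internal Spammer":
            continue
        matched = any(
            r["ip"] and b["ip"] == r["ip"]
            and b["minutes"] == r["minutes"]
            and abs(b["start"] - r["start"]) <= tolerance
            for b in brute
        )
        (shadow if matched else review).append(r)
    return shadow, review

if __name__ == "__main__":
    shadow, review = classify(parse(SAMPLE))
    print("duplicates of brute-force blocks:", [r["ip"] for r in shadow])
    print("need manual review:", [r["ip"] or "(no IP)" for r in review])
```
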
1
Zach Sylvester Replied
Employee Post Marked As Answer
Hello, 

Thanks for the follow-ups, everyone. This is a known issue and something that we are currently working on. 

I will update this thread when it's fixed. 

Please also keep an eye on the release notes. 

Kind Regards, 

Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
2
David Sovereen Replied
Any update on this?  In case it is helpful in tracking down, I've noticed that if I make a change to the "SMTP Password Brute Force by Protocol" setting, it almost always results in all items listed as SMTP Password Brute Force by Protocol being added to the Delivery Internal Spammer IDS area.  But lots of things can show up in the Internal Spammer area without making such a change, too.

Dave
