Back to Community Threads
1
Local customer caught in IDS Block three times
Question asked by Montague WebWorks - 11/10/2022 at 8:50 AM
Unanswered
I have a local customer with 15 users and yesterday they started getting caught in my IDS Blocks. I freed them up, and a couple hours later they got caught again. I freed them up again and this morning they got caught again. I'm not going to free them up again until I figure out what's going on. This is a first-time occurrence for them, and I've been hosting them for over a decade.

"The IDS rule, Default POP DoS, has been triggered by 50.79.171.81. Detection Type: DenialOfService"

I've looked through the logs and there's nothing in the POP log. It's essentially empty. I was hoping to find IP numbers of POP clients, logins, etc., so I could see which specific machine in their office had gone rogue.

I've looked through all the reports, and while there are some excellent charts showing that there has been an uptick in IDS blocks in the past two days, as well as POP sessions, there is no further, deeper info to help figure out the specific issue. Unless I'm just not seeing it.

We really could use some improved log analytics so stuff like this isn't unattainable.

Thanks for any help.
Mik MullerMontague WebWorks

4 Replies

Reply to Thread
0
Tony Scholz Replied
11/10/2022 at 9:33 AM
Employee Post
Hello Mik, 

The first thing we will wan to do is to make sure that the PO logs are set to detailed. If they are exception only it would not show this information. 

Manage -> Troubleshooting -> Options [tab]

Here you can find the POP log and set to detailed ( save ) Now you should be getting some details on login attempts. Emails pulled down, the entire POP session. 

There is one other place you can look for now that will have less details. You can search the Administrative logs  for the IP address, This will show all login and connection attempts from that IP ( make sure this log is also set to detailed, if not adjust and wait for the issue to recur ) 

EDIT: We are currently reviewing and reworking the logging around this as well. 

Hope this helps to start your review. 

Thank you 
Tony
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
0
Montague WebWorks Replied
11/10/2022 at 11:13 AM
Ah! Thanks. I was trying to figure out where the logging was set. I'll open the gates again and see what transpires. 

BTW, looking at the Administrative logs, what does 'calling patch message' mean?
Mik MullerMontague WebWorks
0
Montague WebWorks Replied
11/10/2022 at 11:35 AM
Found one user's machine was attempting SMTP every seven minutes, even overnight.
Mik MullerMontague WebWorks
0
Tony Scholz Replied
11/10/2022 at 11:58 AM
Employee Post
"Calling Patch Message" means that something about that message was changed and we are saving the change that was made. ( reply, moved, etc.. ) 
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Cannot Send Email MessagesSmarterMail > Troubleshooting
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management