Did anyone else see a jump in SMTP Password Brute Force attempts?
Question asked by Mark Thornton - 4/21/2023 at 10:39 AM
Unanswered
For the last few weeks I have been watching the IDS Blocks and adjusting the settings to ease the load on the server and clean up the logs. My SMTP Password Brute Force settings are 2 failures over 10 minutes results in a 1440 minute ban. Typically I have seen 6 to 10 IP's blacklisted but today it shot up to 107 blocked IPs. China dominates the list. Did they just find my server?
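
To make the quoted IDS policy concrete (2 failures within 10 minutes leads to a 1440-minute block), here is an added example that is not from the original post or from SmarterMail: a sliding-window blocker run over a few constructed SMTP authentication log lines. The log format and the IP addresses are invented for illustration; the point is to show which addresses the policy blocks and which it lets through.

```python
"""Sliding-window brute-force blocker, as an added illustration of the
thread's IDS settings. The log format and sample addresses are constructed
for this example and are not SmarterMail's real log output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy quoted in the question: 2 failures over 10 minutes -> 1440-minute block.
FAILURES = 2
WINDOW = timedelta(minutes=10)
BAN = timedelta(minutes=1440)

# Constructed sample log: one attacker, one slow retrier, one legitimate login.
SAMPLE_LOG = """\
2023-04-21 10:01:05 203.0.113.7 AUTH FAIL user=alice
2023-04-21 10:01:09 203.0.113.7 AUTH FAIL user=admin
2023-04-21 10:02:00 203.0.113.7 AUTH FAIL user=bob
2023-04-21 10:03:30 198.51.100.20 AUTH FAIL user=alice
2023-04-21 10:30:00 198.51.100.20 AUTH FAIL user=alice
2023-04-21 10:31:00 192.0.2.55 AUTH OK user=carol
2023-04-21 10:35:00 203.0.113.7 AUTH FAIL user=eve
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, failed?)."""
    ts_date, ts_time, ip, _auth, result, *_ = line.split()
    return datetime.fromisoformat(f"{ts_date} {ts_time}"), ip, result == "FAIL"


def evaluate(log_text, failures=FAILURES, window=WINDOW, ban=BAN):
    """Replay the log and return {ip: block_expiry} for every IP that
    accumulated `failures` failed logins inside a rolling `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}                 # ip -> datetime at which the block expires
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, failed = parse_line(line)
        if ip in blocked and blocked[ip] > ts:
            continue  # still banned: a real IDS would refuse the connection here
        if not failed:
            continue  # successful logins do not count against the client
        window_hits = recent[ip]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()  # forget failures that aged out of the window
        if len(window_hits) >= failures:
            blocked[ip] = ts + ban
            window_hits.clear()
    return blocked


def blocked_ips(log_text):
    """Convenience view: just the sorted list of blocked addresses."""
    return sorted(evaluate(log_text))


if __name__ == "__main__":
    for ip, until in evaluate(SAMPLE_LOG).items():
        print(f"{ip} blocked until {until.isoformat()}")
```

With these settings 203.0.113.7 is blocked at its second failure and its later attempts are dropped, while 198.51.100.20, whose two failures are 26 minutes apart, never reaches the threshold. Lowering the window or raising the count is the trade-off between catching slow scanners and banning users who mistype a password twice.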

3 Replies

Douglas Foster Replied
Yes

More than 20,000 Chinese servers are scouring the internet looking for vulnerable accounts. You should assume that this is a permanent part of their cyber warfare infrastructure.
Employee Replied
Employee Post
Hi guys, 

In our latest release, we added a feature that might help fight against these attacks. Each domain now has an option in Domain Settings > General for 'Block Authentication by Country'. 

This feature will allow you to block authentication attempts from specific countries, or ONLY ALLOW authentication from specific countries. Adding a country to the setting will just block authentication attempts, it won’t impact sending or receiving messages from the country. It will simply prevent anyone from the excluded countries from logging into the server, regardless of protocol. 

I hope this helps! 
Douglas Foster Replied
This feature will be helpful. Please be careful to update logging so that the country is indicated on both allowed and blocked connections. Since mapping of countries to IP addresses is an imperfect science, it will also be useful to have (a) an IP-to-country lookup, and (b) an IP-to-country override mechanism.

As a related matter, I would like to have a way to extract IDS blocks and IP blacklists, with country data included. Screen scraping is pretty painful. The ids-blocks.json file is parseable but does not have country names. The IP blacklist screens do not show country codes, and the file seems to be unparseable binary data (or I am not looking at the right file).
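
As an added example, not from the thread or from SmarterMail, the following script does the enrichment the reply above asks for: it parses a block export, attaches a country code to each IP using a lookup table plus an exact-address override list, and tallies the result per country. The JSON layout, the address ranges and the override entries are all constructed for illustration; the real ids-blocks.json may use different keys, and the range table stands in for a GeoIP database you would supply yourself.

```python
"""Enrich an IDS block export with country codes, with an override table
for addresses the bulk mapping gets wrong. Added example; the JSON layout,
ranges and overrides below are constructed and not SmarterMail's format."""
import csv
import io
import ipaddress
import json
from collections import Counter

# Constructed sample export (hypothetical layout, not the real ids-blocks.json).
SAMPLE_JSON = """
[
  {"ip": "203.0.113.7",   "rule": "SMTP Password Brute Force", "expires": "2023-04-22T10:01:09"},
  {"ip": "203.0.113.200", "rule": "SMTP Password Brute Force", "expires": "2023-04-22T10:05:00"},
  {"ip": "198.51.100.20", "rule": "SMTP Password Brute Force", "expires": "2023-04-22T11:00:00"},
  {"ip": "192.0.2.9",     "rule": "IMAP Password Brute Force", "expires": "2023-04-22T09:00:00"}
]
"""

# Constructed IP-to-country table; a stand-in for a real GeoIP database.
COUNTRY_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
]

# Override mechanism: exact addresses whose bulk mapping is known to be wrong.
OVERRIDES = {"203.0.113.200": "DE"}


def lookup_country(ip_str, ranges=COUNTRY_RANGES, overrides=OVERRIDES):
    """Overrides win over the range table; unmapped addresses stay visible as '??'."""
    if ip_str in overrides:
        return overrides[ip_str]
    addr = ipaddress.ip_address(ip_str)
    for net, country in ranges:
        if addr in net:
            return country
    return "??"


def enrich(json_text, rule=None):
    """Parse the export and add a 'country' field to every record,
    optionally keeping only blocks raised by one IDS rule."""
    rows = []
    for rec in json.loads(json_text):
        if rule is not None and rec.get("rule") != rule:
            continue
        rows.append({**rec, "country": lookup_country(rec["ip"])})
    return rows


def by_country(rows):
    """Count blocked addresses per country code."""
    return Counter(row["country"] for row in rows)


def to_csv(rows):
    """Render the enriched rows as CSV text for a spreadsheet or SIEM import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "country", "rule", "expires"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    smtp_rows = enrich(SAMPLE_JSON, rule="SMTP Password Brute Force")
    print(to_csv(smtp_rows))
    for country, count in by_country(smtp_rows).most_common():
        print(f"{country}: {count}")
```

Keeping unmapped addresses as "??" rather than dropping them matters for the per-country totals: if the lookup silently discards addresses it cannot place, a spike from a poorly mapped range disappears from the report, which is exactly the case the override table exists to correct.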
