3
IDS enhancements
Idea shared by J. LaDow - 7/23/2023 at 10:03 AM
Proposed
I have a couple suggestions (or requests, to be honest):

In the IDS system - give us an option to "not be nice" when IPs get blocked and attempt to reconnect and process more commands.  Same goes for things EHLO blocks.  Rather than continually communicate with an attacker or spammer, once they cross the threshold or in the case of an EHLO string block, simply respond with "[POLICY VIOLATION]" and drop the connection.  They're not playing nice - why should we waste the bandwidth and resources to keep communicating with said IP.  This especially applies with an EHLO string block - if your EHLO is in violation I have no need to be nice to you.

Here's an example of an attacker trying for email addresses for a domain that are not even registered on this server.  The attacker fails the EHLO domain check, but is connected long enough to keep consuming bandwidth cycles.  This particular attacker kept this up every five to fifteen minutes for 5 hours before I firewalled their class c.

00:17:08.320 [185.246.222.167][30255871] rsp: 220 redacteddomain.ext SMTP SVC ready
00:17:08.320 [185.246.222.167][30255871] connected at 7/23/2023 12:17:08 AM
00:17:08.320 [185.246.222.167][30255871] Country code: BG
00:17:08.414 [185.246.222.167][30255871] cmd: EHLO User
00:17:08.414 [185.246.222.167][30255871] rsp: 250-theorchid.redacteddomain.ext Hello [185.246.222.167]250-SIZE 69905066250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
00:17:08.414 [185.246.222.167][30255871] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
00:17:08.523 [185.246.222.167][30255871] cmd: RSET
00:17:08.523 [185.246.222.167][30255871] rsp: 250 OK
00:17:08.637 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:08.637 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:08.743 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:08.743 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:08.847 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:08.943 [185.246.222.167][30255871] cmd: RSET
00:17:08.943 [185.246.222.167][30255871] rsp: 250 OK
00:17:09.052 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:09.052 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:09.162 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:09.162 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:09.256 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:09.365 [185.246.222.167][30255871] cmd: RSET
00:17:09.365 [185.246.222.167][30255871] rsp: 250 OK
00:17:09.474 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:09.474 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:09.600 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:09.600 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:09.710 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:09.819 [185.246.222.167][30255871] cmd: RSET
00:17:09.819 [185.246.222.167][30255871] rsp: 250 OK
00:17:09.929 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:09.929 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:10.022 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:10.022 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:10.132 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:10.241 [185.246.222.167][30255871] cmd: RSET
00:17:10.241 [185.246.222.167][30255871] rsp: 250 OK
00:17:10.336 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:10.336 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:10.445 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:10.445 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:10.554 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:10.664 [185.246.222.167][30255871] cmd: RSET
00:17:10.664 [185.246.222.167][30255871] rsp: 250 OK
00:17:10.757 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:10.757 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:10.867 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:10.867 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:10.976 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:11.086 [185.246.222.167][30255871] cmd: RSET
00:17:11.086 [185.246.222.167][30255871] rsp: 250 OK
00:17:11.179 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:11.179 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:11.305 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:11.305 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:11.414 [185.246.222.167][30255871] rsp: 535 Authentication failed
00:17:11.524 [185.246.222.167][30255871] cmd: RSET
00:17:11.524 [185.246.222.167][30255871] rsp: 250 OK
00:17:11.618 [185.246.222.167][30255871] cmd: AUTH LOGIN
00:17:11.618 [185.246.222.167][30255871] rsp: 334 VXNlcm5hbWU6
00:17:11.727 [185.246.222.167][30255871] Authenticating as connecting@redacteddomain.ext
00:17:11.727 [185.246.222.167][30255871] rsp: 334 UGFzc3dvcmQ6
00:17:11.837 [185.246.222.167][30255871] Closing transmission channel: too many bad commands
00:17:11.837 [185.246.222.167][30255871] rsp: 421 Too many bad commands, closing transmission channel
00:17:11.962 [185.246.222.167][30255871] cmd: RSET
00:17:11.962 [185.246.222.167][30255871] rsp: 250 OK
00:17:11.962 [185.246.222.167][30255871] disconnected at 7/23/2023 12:17:11 AM
00:17:26.436 [185.246.222.167][901934] rsp: 220 redacteddomain.ext SMTP SVC ready
00:17:26.436 [185.246.222.167][901934] connected at 7/23/2023 12:17:26 AM
00:17:26.436 [185.246.222.167][901934] Country code: BG
00:17:26.529 [185.246.222.167][901934] cmd: EHLO User
00:17:26.529 [185.246.222.167][901934] rsp: 250-theorchid.redacteddomain.ext Hello [185.246.222.167]250-SIZE 69905066250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
00:17:26.529 [185.246.222.167][901934] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
00:17:26.639 [185.246.222.167][901934] cmd: RSET
00:17:26.639 [185.246.222.167][901934] rsp: 250 OK
00:17:26.748 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:26.748 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:26.969 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:26.969 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:27.078 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:27.172 [185.246.222.167][901934] cmd: RSET
00:17:27.172 [185.246.222.167][901934] rsp: 250 OK
00:17:27.298 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:27.298 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:27.407 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:27.407 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:27.501 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:27.610 [185.246.222.167][901934] cmd: RSET
00:17:27.610 [185.246.222.167][901934] rsp: 250 OK
00:17:27.721 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:27.721 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:27.830 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:27.830 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:27.939 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:28.033 [185.246.222.167][901934] cmd: RSET
00:17:28.033 [185.246.222.167][901934] rsp: 250 OK
00:17:28.143 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:28.143 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:28.252 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:28.252 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:28.362 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:28.471 [185.246.222.167][901934] cmd: RSET
00:17:28.471 [185.246.222.167][901934] rsp: 250 OK
00:17:28.565 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:28.565 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:28.706 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:28.706 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:28.799 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:28.909 [185.246.222.167][901934] cmd: RSET
00:17:28.909 [185.246.222.167][901934] rsp: 250 OK
00:17:29.018 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:29.018 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:29.112 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:29.112 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:29.237 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:29.347 [185.246.222.167][901934] cmd: RSET
00:17:29.347 [185.246.222.167][901934] rsp: 250 OK
00:17:29.441 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:29.441 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:29.550 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:29.550 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:29.659 [185.246.222.167][901934] rsp: 535 Authentication failed
00:17:29.769 [185.246.222.167][901934] cmd: RSET
00:17:29.769 [185.246.222.167][901934] rsp: 250 OK
00:17:29.863 [185.246.222.167][901934] cmd: AUTH LOGIN
00:17:29.863 [185.246.222.167][901934] rsp: 334 VXNlcm5hbWU6
00:17:29.972 [185.246.222.167][901934] Authenticating as connecting@redacteddomain.ext
00:17:29.972 [185.246.222.167][901934] rsp: 334 UGFzc3dvcmQ6
00:17:30.082 [185.246.222.167][901934] Closing transmission channel: too many bad commands
00:17:30.082 [185.246.222.167][901934] rsp: 421 Too many bad commands, closing transmission channel
00:17:30.176 [185.246.222.167][901934] cmd: RSET
00:17:30.176 [185.246.222.167][901934] rsp: 250 OK
00:17:30.176 [185.246.222.167][901934] disconnected at 7/23/2023 12:17:30 AM

There is no need for the continued communications.

Also, if we can block on EHLO strings, could we have the option to create an IDS rule that after so many failed EHLO checks the IP is banned, etc.?


MailEnable survivor / convert --

6 Replies

Reply to Thread
1
Mailenable was good at this. :) I am a convert/survivor to.

Logging and tracking lacks compared to ME.
1
I'm pretty impressed with the logging compared to ME -- SmarterMail can create a lot more logs in the end. In our case, it was just a learning curve to figure out how SmarterMail breaks down it's different services - but we've been able to integrate with our IDS pretty quickly.  The administration log consolidates most of what we need compared to monitoring 4 other logs in MailEnable just to pull IPs for our firewall - which was nice.  

Our only two complaints is any time we create a domain, we have to consume a mailbox for a "domain administrator".  As we are a reseller, this just consumes an account nobody will ever use, since we do not give any users "administrator rights" -- it would be nice to be able to create any number of domains underneath one "administrator" and not consume those extra accounts.  We can tell by how SM works that this just isn't feasible so it's not something we brought up.  But at 75 domains so far (and we have more to migrate) this has consumed 70 of our mailboxes in our license.

But the "one" thing we liked about ME was when an IP or attacker (as we call them) crossed the threshold, ME wouldn't mess around - it would drop the connection.  Boom.  Done.

There are SOOOOO many things SM does better than MailEnable that there honestly is no comparison for us -- just having the ability for our users to act on a "large number of emails" in webmail without the server falling on it's face was enough for us to make the switch.  MailEnable can't even come close to what SM has done as far as internal IDS or even "out of the box" spam filtering - there's just no comparison.

One of the learning curves really boils down to both softwares having two different interfaces for management.  We've been able to do anything ME could do with our new SmarterMail install -- just that some things we had to hunt for to figure out the different path taken to achieve the same result.
MailEnable survivor / convert --
0
I kinda thought this would have gotten more traction than it has -- interesting.

MailEnable survivor / convert --
2
Kyle Kerst Replied
Employee Post
Hello and sorry for the delay on this! We try to peruse the community looking for new posts regularly but have been less able to do so recently with all of the big improvements we're working on. I did some testing with the EHLO block behavior you outlined and saw the same behavior, where my server continued to accept commands until I reached the RCPT TO at which point that was rejected as an invalid user (it's not.) I was curious why we don't drop connectivity at that point and a colleague noted with me that this is expected behavior - as we continue accepting traffic so that the violator is unaware:

Note: SMTP blocking does NOT occur immediately when the EHLO command is given. Instead, a "soft" block is used and SmarterMail will fail any authentication attempts or RCPT TO commands. This is because if the failure occurs right after the EHLO commaned, any person attempting to spam from a mail server could figure out what the problem is and change the domain given with the command on each send. A "soft" failure should, instead, make the spammer believe he is using an incorrect password.

I like your suggestion on the IDS rule triggering on EHLO violations so I'm going to get that escalated as a feature request so our Product Management team can review. Thanks for the feedback!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
But that would block the email account and not the offender?? Correct?
1
No.  An EHLO violation trigger only tracks the string the offending client sends (or doesn't send) when it initially connects to the server -- so if an offender identifies with an EHLO string you've blocked, their activities are "refused" (regardless of what commands they send).  Per the reply above - SM's behavior of continuing communications is by design even if SM will refuse any command sent after the initial violation.

The bonus of the IDS trigger based on repeated EHLO violations would work like their other IDS rules in that EHLO violators would now be tracked and counted.  Currently, they aren't - an EHLO violator can try again and again and never trigger IDS because we don't have a way to set EHLO as the trigger.  This change would be an IP based block since that's the only way the server could track the offenders.  EHLO comes long before an email address (either sender or receiver) is even transmitted to the server.
MailEnable survivor / convert --

Reply to Thread