Suggestion: IDS report
Idea shared by Webio - 8/9/2023 at 10:36 PM

in IDS section we have column called Blocks in 30 Days. I've noticed few moments ago that I have currently 2 IPs blocked which is of course fine because they where catched by IDS rule but I see also in mentioned column that in 30 days those IPs where blocked 1009 times and my question is:

Is there any place (report/but API would be great) where I can generate some kind of IDS report for IDS blocks where I could easily get list of IPs which where blocked in some given time period so I can block them on firewall instead of using SmarterMail resources to "catch" them using IDS rules?


1 Reply

Reply to Thread
We would be happy with an IDS log in a format something like this:

Offending IP
Total Attempts
First Seen
Last Seen
Rule Broken
Data string that broke the rule
Action Taken

This would concentrate everything the IDS does into one log file.  Admins like me, who see abusive IP ranges, can block them at our firewall without having to dig into multiple places to find out the account being attacked, and so forth.

We've have VERY strict IDS rules -- Password Brute Force by IP gets you a year long ban.  We track the IPs and verify they are not our legitimate users having made a settings change that requires assistance - but the majority (some 200 int he list so far) are all banned because they're the types of attacks where some random IP attempts an attack - then a day later, tries again, and so forth. Currently, we have about 100 IPs a day that do this -- it's a bot net -- and we catch most them with our EHLO blocking - but we have to have Password Brute Force that waits for 2 days counting and 3 attempts gets you banned.

SMTP Harvesting Rule is also set for a very long ban. We get servers who attempt to spam using lists of users -- checking for "valid mailboxes" or whatever -- and those bans are also highly sensitive and long term. We reject mail from over 50 "vanity domain extensions" on principle.  .top .zyx .whatever (the list goes on) -- these are all nothing more than spam operations - and we block every last one of them.  If you're a legit company you've got a major established TLD or are using a service to legitimately send your mail like O365 or any of the relay services.

An addtional request would be to add an item in the "right click" of the IDS offender list to give us a "Copy IP" feature -- I routinely check IPs against ipinfo.io to gather information on whether I need to issue Class "n" range block or it it's a one-of -- or even if it's one of our normal client IPs showing questionable behavior.

MailEnable survivor / convert --

Reply to Thread