Well,
I checked our administrative logs for EmailBruteForceDetector and found this:
[2024.03.20] 00:50:16.395 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,997426 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 00:51:58.402 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9975387 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 00:52:14.313 [EmailBruteForceDetector] Added mail to IDS block list. Duration: 1799,9971007 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 01:24:08.409 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,9972983 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 01:26:07.730 [EmailBruteForceDetector] Added mail to IDS block list. Duration: 1799,997513 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 01:26:40.670 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,997522 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 01:57:53.965 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,9975733 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 02:00:12.711 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9974181 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 02:00:18.185 [EmailBruteForceDetector] Added mail to IDS block list. Duration: 1799,9973368 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 06:13:48.149 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9974281 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 06:15:32.435 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,9975847 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 06:21:01.126 [EmailBruteForceDetector] Added mail to IDS block list. Duration: 1799,9974775 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 06:47:23.586 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9975575 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 06:48:40.639 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,9973126 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 06:55:10.098 [EmailBruteForceDetector] Added mail to IDS block list. Duration: 1799,9975129 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 07:19:27.125 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9974293 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 07:23:03.238 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,9973051 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 07:30:33.004 [EmailBruteForceDetector] Added mail to IDS block list. Duration: 1799,997317 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 10:31:25.209 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9975803 seconds, Description: Default Brute Force by Email rule
I would not be surprised if this were somehow related...
00:50:16.256 [170.83.173.29] SMTP Attempting to login user: test@somedomain.ch
00:50:16.256 [170.83.173.29] SMTP Login failed: Domain [somedomain.ch] not found
00:50:16.256 [170.83.173.29] SMTP Login failed: That domain was not found. Double check your email address.
Brute force attempts increased to 3 of 25 in 10 minutes.
User brute force attempts increased to 1 of 50 in 10 minutes.
Next clean available at 20.03.2024 00:51:07
00:50:16.392 [test] Added to IDS block list for violating rule Type: Password Brute Force by Email, Description: Default Brute Force by Email rule
Interestingly, it looks like in some cases they are trying to log in to users for domains that do NOT exist on our server.
But then SmarterMail still adds an IDS block for that username.
So what domain is it using for the IDS ban? All domains? And maybe therefore blocking all mailboxes with this user name?
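
An added example, not part of the original post and not SmarterMail code: a Python script that pairs each EmailBruteForceDetector block entry with the SMTP login attempt that preceded it, reporting whether the block key is a bare username and whether the attempted domain was hosted. The sample lines are copied from the logs quoted above; the function names and the 5-second correlation window are assumptions.

```python
import re

# Sample lines copied from the logs quoted in the post above.
ADMIN_LOG = """\
[2024.03.20] 00:50:16.395 [EmailBruteForceDetector] Added test to IDS block list. Duration: 1799,997426 seconds, Description: Default Brute Force by Email rule
[2024.03.20] 00:51:58.402 [EmailBruteForceDetector] Added info to IDS block list. Duration: 1799,9975387 seconds, Description: Default Brute Force by Email rule
"""
SMTP_LOG = """\
00:50:16.256 [170.83.173.29] SMTP Attempting to login user: test@somedomain.ch
00:50:16.256 [170.83.173.29] SMTP Login failed: Domain [somedomain.ch] not found
"""

BLOCK_RE = re.compile(r"^\[[\d.]+\] (\d\d):(\d\d):(\d\d\.\d+) \[EmailBruteForceDetector\] "
                      r"Added (\S+) to IDS block list\. Duration: ([\d,]+) seconds", re.M)
LOGIN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) \[([^\]]+)\] SMTP Attempting to login user: "
                      r"([^@\s]+)@(\S+)", re.M)
NOTFOUND_RE = re.compile(r"SMTP Login failed: Domain \[([^\]]+)\] not found")

def _secs(h, m, s):
    # The SMTP lines carry no date, so matching is by time of day (assumption:
    # both logs cover the same day).
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_blocks(text):
    """Return (time_of_day_seconds, block_key, duration_seconds) per block entry."""
    # Durations are logged with a decimal comma, e.g. 1799,997426.
    return [(_secs(h, m, s), key, float(dur.replace(",", ".")))
            for h, m, s, key, dur in BLOCK_RE.findall(text)]

def parse_logins(text):
    """Return (time, ip, local_part, domain, domain_hosted) per SMTP login attempt."""
    missing = set(NOTFOUND_RE.findall(text))
    return [(_secs(h, m, s), ip, local, dom, dom not in missing)
            for h, m, s, ip, local, dom in LOGIN_RE.findall(text)]

def correlate(blocks, logins, window=5.0):
    """Pair each block with logins for the same local part in the preceding window."""
    report = []
    for t, key, dur in blocks:
        hits = [(ip, f"{local}@{dom}", hosted) for lt, ip, local, dom, hosted in logins
                if local == key and 0 <= t - lt <= window]
        report.append({"key": key, "bare_username": "@" not in key,
                       "minutes": round(dur / 60), "attempts": hits})
    return report

if __name__ == "__main__":
    for row in correlate(parse_blocks(ADMIN_LOG), parse_logins(SMTP_LOG)):
        print(row)
```

Run over the full administrative and SMTP logs for the same day, an entry with `bare_username` true and an attempt whose last field is `False` marks a block keyed on a local part alone that was triggered by a login for a domain the server does not host.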