IP getting blacklisted for DenialOfService for obscure reasons
Problem reported by Sébastien Riccio - 2/6/2025 at 7:43 AM
Submitted
Hello,

A customer is getting their office IP blacklisted for DoS by SmarterMail.
This happens at least once a week, sometimes more.

Looking at the administrative log I find this:

[2025.02.06] 11:09:11.795 DenialOfService [DenialOfService w.x.y.z] Added IP to IDS block list. Duration: 1799,9369469 seconds, Description: Default DoS rule
So far nothing wrong, but in the administrative log, there is no trace of failed logins from their IP.

However, when looking at the IMAP log to see what happened before the blacklisting occurred, I see a thousand of these:

[2025.02.06] 11:08:14.950 [w.x.y.z][51015382][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:14.950 [w.x.y.z][51015382][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:14.994 [w.x.y.z][14227119][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:14.994 [w.x.y.z][14227119][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.066 [w.x.y.z][17945607][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.066 [w.x.y.z][33600209][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.066 [w.x.y.z][56148762][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.066 [w.x.y.z][17945607][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.066 [w.x.y.z][33600209][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.066 [w.x.y.z][56148762][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.066 [w.x.y.z][17917245][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][9135193][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][13736720][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][17917245][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.067 [w.x.y.z][40743218][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][41238720][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][24242040][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][26096497][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.067 [w.x.y.z][9135193][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.067 [w.x.y.z][13736720][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.067 [w.x.y.z][24242040][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.067 [w.x.y.z][40743218][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2025.02.06] 11:08:15.067 [w.x.y.z][41238720][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)


I think these exceptions, which I can't really understand, seem to count as failed login attempts for the DoS rule counters.

My questions about this:

1) What can be causing these exceptions? It talks about authentication, but there is no authentication failure reported in the administrative log.
2) Our customer claims this happens weekly, that there are no changes on their side, and that it fixes itself after a moment. It just happens sometimes, and when it happens nobody in the office can use their mail anymore.
3) If these are errors, but not a wrong password, should these exceptions really count toward the DoS counters?

In the meantime I've added the customer office IP in whitelist, but it's not a real solution.

Kind regards.

PS: Tried to open a ticket but the ticket thing on SmarterMail website seems broken, and trying to open a ticket by e-mail is rejected.

PS EDIT: Seems the ticket thingy is back now.

Sébastien Riccio
System & Network Admin

3 Replies

0
Andrew Barker Replied
Employee Post
Denial of Service (DoS) type IDS rules are unrelated to authentication failures. Instead, they are based on the total number of connections opened by an IP in a certain amount of time. If this server is hosting a domain that is commonly accessed by many people working from an office, that could be the reason the DoS rule is getting triggered. The authentication errors you noted could be indirectly related, as they might be causing a client to disconnect and then try connecting again, thus ticking the counter for the DoS rule.

Aside from whitelisting the office IP, as you have done, your only other options are to increase the threshold for your DoS type IDS rule, or disable that rule.
Andrew Barker Software Developer SmarterTools Inc. www.smartertools.com
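To make the point of the reply above concrete, here is an added example (not SmarterMail code, not the poster's) that parses lines in the IMAP log format quoted in the question, counts distinct connection ids per source IP in a sliding window, and flags IPs that a connection-count rule would block. Threshold, window, the sample lines and the IP "a.b.c.d" are constructed for illustration; no login failure is involved anywhere, yet the churning IP is flagged.

```python
import re
from datetime import datetime, timedelta

# IMAP log line shape quoted in the thread: [yyyy.mm.dd] hh:mm:ss.fff [ip][conn-id][port] message
LINE_RE = re.compile(r"^\[([\d.]+)\] ([\d:.]+) \[([^\]]+)\]\[(\d+)\]\[(\d+)\] (.*)$")

# Constructed sample in that shape (not real server output): four distinct connection ids from one
# IP within 0.2 s, all TLS handshake failures in SslStream, plus one unrelated IP a minute later.
SAMPLE_LOG = """\
[2025.02.06] 11:08:14.950 [w.x.y.z][51015382][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:14.950 [w.x.y.z][51015382][993] StackTrace:    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](...)
[2025.02.06] 11:08:14.994 [w.x.y.z][14227119][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.066 [w.x.y.z][17945607][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:08:15.066 [w.x.y.z][33600209][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
[2025.02.06] 11:09:05.000 [a.b.c.d][90000001][993] Exception: (PooledTcpItem.cs) Authentication failed, see inner exception.
"""

def parse_line(line):
    """Return (timestamp, ip, conn_id, port, message), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, clock, ip, conn_id, port, msg = m.groups()
    return datetime.strptime(f"{date} {clock}", "%Y.%m.%d %H:%M:%S.%f"), ip, conn_id, int(port), msg

def connection_starts(log_text):
    """ip -> sorted first-seen times, one per distinct connection id (a StackTrace line
    shares the id of its Exception line, so it is not counted as a new connection)."""
    first = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, ip, cid = rec[:3]
            first[(ip, cid)] = min(ts, first.get((ip, cid), ts))
    per_ip = {}
    for (ip, _cid), ts in first.items():
        per_ip.setdefault(ip, []).append(ts)
    return {ip: sorted(t) for ip, t in per_ip.items()}

def peak_rate(times, window):
    """Most connection starts that fall inside any interval of length `window`."""
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def dos_candidates(log_text, threshold, window_seconds):
    """IPs a connection-count rule would flag. Threshold and window are illustrative, not SmarterMail defaults."""
    w = timedelta(seconds=window_seconds)
    return sorted(ip for ip, t in connection_starts(log_text).items() if peak_rate(t, w) >= threshold)
```

Run against the real IMAP log with the rule's actual threshold and window to see whether the office IP's reconnect burst alone explains the block, before touching the rule itself.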
0
Kyle Kerst Replied
Employee Post
I wanted to chime in on this as well, as I've seen similar issues with remote desktop occasionally over the years, usually when operating behind a software firewall. Does the server have anything on it doing packet inspection, or does the client's network have something doing the same? It might be worthwhile to bypass the deeper packet inspection functionality temporarily to see if the behavior clears up.

One other thing you might check is the Windows Event Viewer in and around the time when these issues happen, to see if there are any disconnects or other errors being logged "under the hood" when these blocks get engaged.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Have the clients recently added any email boxes or changed up the email accounts, or has someone recently changed their password?
Several years ago we had a similar situation where one of the staff of a non-profit was checking email on their phone, and their phone was connected to the agency's WiFi. They had changed their password on their email account, but on the phone they did not update the settings properly. On the email app, there was a separate field for password vs. authenticate before sending. The app kept blasting away at SmarterMail and it ended up blacklisting the IP, and no one in the agency could log in from that point forward. It happened every day for about a week, every time that employee showed up for work.

Similarly, I have seen a few apps that open up multiple IP paths to the server to try to download mail faster. Is everyone there using the same email apps on their phones?
Related but not (as an example): I have seen FTP servers do the same thing. You try to download a directory of files from an FTP server and the FTP client tries to open like 20 paths at the same time to make the download go faster. The server rejects that many simultaneous connections and blocks the IP.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
