IP Brute Force Detector "Throttled IP" issue
Problem reported by J. LaDow - Today at 7:55 AM
Submitted
On the current build - 9526 (observed on 9511 and 9518 as well) there seems to be a change in the IP brute force detection and throttling when it comes to NTLM hashes.

On older builds, this didn't seem to be an issue - when we saw this "throttled" notation in the logs, there weren't any "brute force entries" that went with them. Now, it seems that an "initial" brute force attempt is logged before throttling - like a step in the filters changed order.

I can probably produce logs from previous builds but here is what we're seeing now. Additionally (as has always been the case with this user) they seem to log in using the "alias domain" but the server does catch and authenticate against the main domain. I think this is irrelevant to the issue but noted regardless.

00:47:55.906 [redacted IP] IMAP NTLM; AuthenticateMessage; User password too long for LMv1 authentication [redacted data]
00:47:55.906 [redacted IP] IMAP NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User password too long for LMv1 authentication.
	Brute force attempts increased to 3 of 5 in 4320 minutes.
	User brute force attempts increased to 2 of 20 in 240 minutes.
	Next clean available at 2/4/2026 12:48:14 AM
00:47:56.334 [redacted IP] IMAP NTLM; AuthenticateMessage; User password too long for LMv1 authentication [redacted data]
00:47:56.334 [redacted IP] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.
00:47:57.258 [redacted IP] IMAP Attempting to login user: [redacted@alias-domain-redacted] <-- ALIAS DOMAIN
00:47:57.258 [redacted IP] IMAP Login successful: With user [redacted@redacted] <-- primary domain
00:47:57.643 [redacted IP] IMAP NTLM; AuthenticateMessage; User password too long for LMv1 authentication [redacted data]
00:47:57.644 [redacted IP] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.
00:47:57.929 [redacted IP] IMAP NTLM; AuthenticateMessage; User password too long for LMv1 authentication [redacted data]
00:47:57.929 [redacted IP] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.
00:47:58.874 [redacted IP] IMAP NTLM; AuthenticateMessage; User password too long for LMv1 authentication [redacted data]
00:47:58.874 [redacted IP] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.
00:47:59.315 [redacted IP] IMAP NTLM; AuthenticateMessage; User password too long for LMv1 authentication [redacted data]
00:47:59.315 [redacted IP] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.


MailEnable survivor / convert --
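An added example, not part of the original post and not SmarterMail code: a Python script that tallies, per IP, the NTLM failures that incremented the brute-force counter against those logged as throttled, and lists IPs that also log in successfully while close to the IP limit. The sample lines are constructed in the format of the excerpt above; the address 192.0.2.10, the user name, the function names and the `margin` parameter are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above; 192.0.2.10 and the
# user name stand in for the redacted values.
SAMPLE_LOG = """\
00:47:55.906 [192.0.2.10] IMAP NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User password too long for LMv1 authentication.
\tBrute force attempts increased to 3 of 5 in 4320 minutes.
\tUser brute force attempts increased to 2 of 20 in 240 minutes.
00:47:56.334 [192.0.2.10] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.
00:47:57.258 [192.0.2.10] IMAP Login successful: With user [user@example.test]
00:47:57.644 [192.0.2.10] IMAP NtlmAuthenticate False IDS counting for NTLM failures over IMAP at this IP is throttled.
"""

ENTRY = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} \[([^\]]+)\] \S+ (.*)$")
IP_COUNT = re.compile(r"^Brute force attempts increased to (\d+) of (\d+)")

def summarize(log_text):
    """Per-IP tally of failed, counted and throttled NTLM events and logins."""
    stats = defaultdict(lambda: {"failed": 0, "counted": 0, "throttled": 0,
                                 "success": 0, "ip_count": None, "ip_limit": None})
    current = None  # stats record of the most recent timestamped entry
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, msg = m.groups()
            current = stats[ip]
            if "Login failed: NTLM" in msg:
                current["failed"] += 1
            elif "is throttled" in msg:
                current["throttled"] += 1
            elif msg.startswith("Login successful"):
                current["success"] += 1
        elif current is not None:
            # Indented continuation line: the per-IP counter update.
            c = IP_COUNT.match(line.strip())
            if c:
                current["counted"] += 1
                current["ip_count"], current["ip_limit"] = map(int, c.groups())
    return stats

def at_risk_clients(stats, margin=2):
    """IPs that authenticate successfully yet sit within `margin` of the IP limit."""
    return sorted(ip for ip, s in stats.items()
                  if s["success"] and s["ip_count"] is not None
                  and s["ip_limit"] - s["ip_count"] <= margin)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)), at_risk_clients(summarize(SAMPLE_LOG)))
```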
J. LaDow Replied
Additionally, we are looking for information on disabling the NTLMv1 capabilities. They are already disabled on the server via registry and group policy, yet SM seems to still be accepting them. Please advise.
MailEnable survivor / convert --
