Yet, this IP:
http://whois.domaintools.com/87.23.150.148
Was temporarily blocked by ME Ent 9 for the second time in as many days for doing SMTP dictionary attacks. Neither of the accounts this IP tried actually exists - which I think is also the problem. GeoIP seems to work for existing accounts but not for non-existing ones. By implication then, it is only a question of time before this IP will figure out an existing account and then only a question of time for it to break the password even when the IP is not allowed to even connect to ME. Below we can see how the above IP is allowed to try passwords again and again, even though the mailbox it is trying does not actually exist and the default domain / postoffice is set not to allow the IP above.
Logically what should happen is that ME should allow the connection and the moment it has a mailbox username, it should check the AuthPolicy from the localhost to the PostOffice to the Mailbox and ensure the IP is allowed to even attempt an authentication and the connection immediately cut as a consequence. A second attempt at a password should not be allowed, nor should it be allowed to continue on and on until the IP is temporarily blocked as a result of a localhost Policy violation? The whole idea behind GeoIP is to stop the attack earlier than having even 10 passwords tested. Below the attack could and should have been stopped after line 3 - you have the IP, the password and mailbox and the IP could therefore have been blocked already. As it was, the attack lasted several minutes before it was finally stopped for a policy violation instead of being stopped by GeoIP.
In fact, if ME was smart enough, it could have merged and cached all the GeoIP conditions from all postoffices together and therefore know beforehand which IPs are allowed and which not, thereby it could prevent an auth connection before it even started. E.g. if all the GeoIP conditions of all the postoffices together read to only allow AU and say US IPs, then why even allow an IP from NZ (even if you don't know the username/mailbox yet)? It wastes time and resources to indulge the IP a connection any further.
09/14/15 10:30:26 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 220 mail ESMTP MailEnable Service, Version: 9.00--9.00 ready at 09/14/15 10:30:25 0 0
09/14/15 10:30:26 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 EHLO EHLO ylmf-pc 250-mail [87.23.150.148], this server offers 6 extensions 175 14
09/14/15 10:30:26 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
09/14/15 10:30:27 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 AUTH {blank} 334 UGFzc3dvcmQ6 18 22 administracion
09/14/15 10:30:27 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 AUTH YWRtaW5pc3RyYWNpb24= 504 Invalid Username or Password 34 22 administracion
09/14/15 10:30:28 SMTP-IN 407EDA06626B4D8080188CD81E76A8DE.MAI 2416 87.23.150.148 220 scibit ESMTP MailEnable Service, Version: 9.00--9.00 ready at 09/14/15 10:30:28 0 0
09/14/15 10:30:28 SMTP-IN 407EDA06626B4D8080188CD81E76A8DE.MAI 2416 87.23.150.148 EHLO EHLO ylmf-pc 250-mail [87.23.150.148], this server offers 6 extensions 175 14
09/14/15 10:30:29 SMTP-IN 407EDA06626B4D8080188CD81E76A8DE.MAI 2416 87.23.150.148 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
09/14/15 10:30:29 SMTP-IN 407EDA06626B4D8080188CD81E76A8DE.MAI 2416 87.23.150.148 AUTH {blank} 334 UGFzc3dvcmQ6 18 22 administracion
09/14/15 10:30:29 SMTP-IN 407EDA06626B4D8080188CD81E76A8DE.MAI 2416 87.23.150.148 AUTH YWRtaW5pc3RyYWNpb24xMjM= 504 Invalid Username or Password 34 26 administracion
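As an added example, not code from the post or from MailEnable, the script below does two things the post asks for on the defender's side: it parses SMTP-IN activity log lines of the shape quoted above, groups "504 Invalid Username or Password" events per remote IP, and reports IPs that fail repeatedly against accounts that do not exist; and it implements the proposed "merge every post office's GeoIP allow-list" check so a connection whose country matches no post office can be refused before AUTH. The field layout (date, time, SMTP-IN, session id, port, remote IP, then the command/response text with the attempted account appended) is inferred from the quoted lines and is an assumption; the sample log, the known-mailbox set, the success line for 192.0.2.10 and the country codes in GEOIP_STUB are constructed placeholders, not real GeoIP results.

```python
"""Flag SMTP AUTH dictionary attempts in MailEnable SMTP-IN log lines and
apply a merged per-postoffice GeoIP allow-list before AUTH is even attempted.
Added example; field layout is assumed from the quoted log, not documented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three lines from the post plus one constructed successful
# login from a documentation address (192.0.2.10) to show it is not flagged.
SAMPLE_LOG = """\
09/14/15 10:30:26 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
09/14/15 10:30:27 SMTP-IN BC0F3D2030EC4E07BD1A939B1B791F2B.MAI 2344 87.23.150.148 AUTH YWRtaW5pc3RyYWNpb24= 504 Invalid Username or Password 34 22 administracion
09/14/15 10:30:29 SMTP-IN 407EDA06626B4D8080188CD81E76A8DE.MAI 2416 87.23.150.148 AUTH YWRtaW5pc3RyYWNpb24xMjM= 504 Invalid Username or Password 34 26 administracion
09/14/15 10:31:00 SMTP-IN 0000000000000000000000000000AAAA.MAI 2500 192.0.2.10 AUTH {blank} 235 Authenticated 20 10 alice
"""

# Assumed layout: date time SMTP-IN session-id port remote-ip <command/response text>
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) SMTP-IN (?P<session>\S+) "
    r"(?P<port>\d+) (?P<ip>\S+) (?P<rest>.*)$"
)
AUTH_FAIL = "504 Invalid Username or Password"


def parse_auth_failures(log_text):
    """Return a list of (timestamp, remote_ip, attempted_account) for failed AUTHs."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or AUTH_FAIL not in m["rest"]:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        account = m["rest"].split()[-1]  # attempted account name is the trailing field
        failures.append((when, m["ip"], account))
    return failures


def flag_dictionary_attacks(log_text, known_mailboxes, threshold=3,
                            window=timedelta(minutes=5)):
    """Report IPs with >= threshold failures inside `window`, noting which of the
    attempted accounts do not exist at all (the post's 'non-existing mailbox' case)."""
    by_ip = defaultdict(list)
    for when, ip, account in parse_auth_failures(log_text):
        by_ip[ip].append((when, account))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            accounts = sorted({a for _, a in events})
            report[ip] = {
                "failures": len(events),
                "accounts": accounts,
                "unknown_accounts": [a for a in accounts if a not in known_mailboxes],
            }
    return report


def merged_allowed_countries(postoffice_policies):
    """Union of every post office's GeoIP allow-list: a client outside the union
    cannot match any mailbox, so it can be refused before a username is seen."""
    merged = set()
    for countries in postoffice_policies.values():
        merged |= set(countries)
    return merged


def admit_connection(ip, merged_countries, geoip_lookup):
    """True if the client's country is allowed by at least one post office."""
    return geoip_lookup(ip) in merged_countries


# Constructed placeholder lookup ("ZZ" is a user-assigned code, not a real result);
# a deployment would query an actual GeoIP database here.
GEOIP_STUB = {"87.23.150.148": "ZZ", "192.0.2.10": "AU"}

if __name__ == "__main__":
    print(flag_dictionary_attacks(SAMPLE_LOG, {"alice", "bob"}, threshold=2))
    allowed = merged_allowed_countries({"default": ["AU"], "other": ["AU", "US"]})
    for ip in GEOIP_STUB:
        print(ip, "admit" if admit_connection(ip, allowed, GEOIP_STUB.get) else "refuse")
```

Run on the constructed sample with threshold=2, the report names 87.23.150.148 with two failures, both against "administracion", which is absent from the known-mailbox set; 192.0.2.10 is not reported. The merged allow-list check refuses 87.23.150.148 (placeholder country) and admits the AU address, which is the "stop it before line 3" behaviour the post argues for.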