System Messages - Abuse detected

Discussion forum for Enterprise Edition.
Sitepoint
Posts: 17
Joined: Wed Oct 26, 2011 1:47 pm

System Messages - Abuse detected

Post by Sitepoint » Thu Feb 13, 2014 10:40 am

Hi there,

I get a lot of messages "Abuse detected".
When I double click, there is no useful information:

Message: Abuse detected from 212.18.213.23 by [POP]
Time: 13.02.2014 05:29:13
Severity: Critical
Postoffice:
Mailbox:


Status is always "critical". So I'm a bit worried.

What can I do about this issue? Any ideas?


Best regards


Tom

rfwilliams777
Posts: 1321
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: System Messages - Abuse detected

Post by rfwilliams777 » Sun Feb 16, 2014 2:03 am

Set up a rule in the firewall to block that IP address.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

crittle1
Posts: 99
Joined: Sun Nov 10, 2013 10:01 pm

Re: System Messages - Abuse detected

Post by crittle1 » Sun Feb 16, 2014 4:03 am

Actually, see where the IP originates first. Sometimes a user will hit the interface too many times and it will show critical. I was doing some testing with my phone for users and was temporarily blocked by ME and showed in the abuse area. I cleared the alerts and it let me back but had I not checked first I would've blocked my cell carrier. Just FYI.

rfwilliams777
Posts: 1321
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: System Messages - Abuse detected

Post by rfwilliams777 » Sun Feb 16, 2014 4:13 am

Correct. So you can either blacklist if it is a true abuse or it could be an improperly set up account.

crittle1
Posts: 99
Joined: Sun Nov 10, 2013 10:01 pm

Re: System Messages - Abuse detected

Post by crittle1 » Mon Feb 17, 2014 2:45 am

Could you explain by improperly set up account? I just ask for my sake as I was installing and uninstalling profiles, actually a good 25 times in an hour which is what happened to me. I'm curious to see what else will put you on the list.

rfwilliams777
Posts: 1321
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: System Messages - Abuse detected

Post by rfwilliams777 » Mon Feb 17, 2014 3:08 am

Using the wrong password, wrong or incomplete user name.

Sitepoint
Posts: 17
Joined: Wed Oct 26, 2011 1:47 pm

Re: System Messages - Abuse detected

Post by Sitepoint » Mon Feb 17, 2014 9:09 am

But how can I figure out if it is a true attack? Postoffice and Mailbox info is always empty.
And does abuse mean that something bad has already happened?

rfwilliams777
Posts: 1321
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: System Messages - Abuse detected

Post by rfwilliams777 » Mon Feb 17, 2014 2:15 pm

Abuse is a general statement that can mean a true attack or it can mean multiple account creations and talking to the server or it can mean an improper set up with too many attempts to log in.

crittle1
Posts: 99
Joined: Sun Nov 10, 2013 10:01 pm

Re: System Messages - Abuse detected

Post by crittle1 » Tue Feb 18, 2014 5:39 am

Sitepoint, probably just some IP research, that's what I do. Most of my attempted attacks come from IP addresses from other countries. I know for a fact my users don't live there so I block. If they live close to my area I just dismiss the IP from the panel. My phone carrier has pulled IP's from across the country before so I just do some research, that's your best bet in my opinion.

Thanks for the response rfwilliams777

dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

Re: System Messages - Abuse detected

Post by dunc » Thu Aug 07, 2014 2:27 pm

A nice addition to ME would be to count the number of times that offending IP has triggered an abuse message, and show that count parenthetically next to the offending IP. e.g.

Value: Abuse detected from 80.117.25.71 by [SMTP] for root (132 times)

This would be a more useful message and the sysadmin could easily decide whether to add the IP to a firewall or SMTP block list.

Even more sweet would be to show:

Value: Abuse detected from 80.117.25.71 (Italy) by [SMTP] for root (132 times)

Or maybe somebody could handle this as an add-on?

dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

Re: System Messages - Abuse detected

Post by dunc » Tue Mar 10, 2015 10:24 pm

rfwilliams - or anybody else - have a script that will auto block that IP from further attacks using Win Firewall?

Where are the offending IP addresses saved?

rfwilliams777
Posts: 1321
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: System Messages - Abuse detected

Post by rfwilliams777 » Tue Mar 10, 2015 11:37 pm

To block a port, I use RDPGuard. I also use the Windows firewall and close all ports except for those needed. Then ME takes care of those ports.

dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

Re: System Messages - Abuse detected

Post by dunc » Wed Mar 11, 2015 1:04 am

I only have desired ports enabled. The issue is that the bad guys use ports 110, 25 and 587 to attempt multiple logins with guessed username/pw. These are trapped by ME, but I'd like to remove that resource drain. It would be more efficient if I can take those blocked IP's and auto-add them to a new Firewall Deny filter for the SMTP and POP3 ports.
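
[Added example, not part of the original thread and not MailEnable code:] A sketch of the per-IP count suggested earlier in the thread combined with the firewall deny idea in the post above, with an allowlist so a known carrier range is not blocked by mistake. It assumes the alert text has the form quoted in this thread; the thread does not say where MailEnable stores these alerts, so the input is a list of lines, and the sample lines, threshold, allowlist and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Alert text as quoted in the thread: "Abuse detected from <ip> by [<service>]"
ABUSE_RE = re.compile(r"Abuse detected from (\d{1,3}(?:\.\d{1,3}){3}) by \[(\w+)\]")
# Ports the thread names for each service tag (587 is SMTP submission).
SERVICE_PORTS = {"SMTP": "25,587", "POP": "110"}

# Constructed sample alerts using documentation address ranges, not real data.
SAMPLE = (
    ["Value: Abuse detected from 203.0.113.7 by [SMTP] for root"] * 5
    + ["Message: Abuse detected from 198.51.100.20 by [POP]"] * 6
    + ["Message: Abuse detected from 192.0.2.9 by [POP]"] * 2
    + ["Message: Abuse detected from 999.1.1.1 by [POP]", "Service started"]
)

def count_abuse(lines):
    """Count alerts per (ip, service); ignore lines that are not valid alerts."""
    counts = Counter()
    for line in lines:
        m = ABUSE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed address such as 999.1.1.1
            continue
        counts[(ip, m.group(2).upper())] += 1
    return counts

def block_candidates(counts, threshold, allow_nets=()):
    """Return (ip, service, hits), busiest first, skipping allowlisted networks."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0][0])))
    return [(str(ip), svc, hits) for (ip, svc), hits in ranked
            if hits >= threshold and svc in SERVICE_PORTS
            and not any(ip in net for net in allow)]

def netsh_rule(ip, svc):
    """Build a Windows Firewall block command for review; nothing is executed."""
    return (f'netsh advfirewall firewall add rule name="ME abuse {svc} {ip}" '
            f"dir=in action=block protocol=TCP "
            f"localport={SERVICE_PORTS[svc]} remoteip={ip}")

if __name__ == "__main__":
    hits = count_abuse(SAMPLE)
    # Hypothetical policy: 5+ alerts, and never block the 198.51.100.0/24 carrier range.
    for ip, svc, n in block_candidates(hits, 5, ["198.51.100.0/24"]):
        print(f"{ip} [{svc}] ({n} times)\n  {netsh_rule(ip, svc)}")
```

The generated `netsh` lines are printed for an administrator to review rather than run automatically, which keeps the "check where the IP originates first" step from earlier in the thread in the loop.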

dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

Re: System Messages - Abuse detected

Post by dunc » Wed Mar 11, 2015 3:20 pm

I also note that my config/smtp-deny.tab file has a DLM way back in 2004 with just six IP address entries. None of these entries have been noted in any "abuse detected" emails received. I can only assume that although "abuse detected", that does not mean ME will deny any further login attempts.

Is there some documentation on how this actually works? If I know where I can look for abusive IP's, then I will write my own script.

ME Help - please reply!

MailEnable-Ian
Site Admin
Posts: 9227
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: System Messages - Abuse detected

Post by MailEnable-Ian » Thu Mar 12, 2015 6:03 am

Hi,

Perhaps review this thread first: http://forum.mailenable.com/viewtopic.php?f=4&t=27469
Regards,

Ian Margarone
MailEnable Support
