I know these issues have come up a million times, but I've yet to find an answer in any of those threads or anywhere else. Before I go any further, here's a snippet of the SMTP activity log that is in question (I've changed my domain to local.server in the log, I've also taken out the long name for what I believe is the filename and left the .MAI to help reduce clutter, and I have added spaces in between each new connection to make it more readable):

11/30/16 01:20:03 SMTP-IN .MAI 1812 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:03 0 0
11/30/16 01:20:04 SMTP-IN .MAI 1812 72.92.83.210 EHLO EHLO 192.168.0.90 250-local.server [72.92.83.210], this server offers 7 extensions 181 19
11/30/16 01:20:04 SMTP-IN .MAI 1812 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:05 SMTP-IN .MAI 1812 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 14 customers
11/30/16 01:20:05 SMTP-IN .MAI 1812 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 customers

11/30/16 01:20:06 SMTP-IN .MAI 1784 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:06 0 0
11/30/16 01:20:07 SMTP-IN .MAI 1784 72.92.83.210 EHLO EHLO 192.168.0.141 250-local.server [72.92.83.210], this server offers 7 extensions 181 20
11/30/16 01:20:07 SMTP-IN .MAI 1784 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:08 SMTP-IN .MAI 1784 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 22 administrator
11/30/16 01:20:08 SMTP-IN .MAI 1784 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 administrator

11/30/16 01:20:09 SMTP-IN .MAI 1564 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:09 0 0
11/30/16 01:20:09 SMTP-IN .MAI 1564 72.92.83.210 EHLO EHLO 192.168.0.63 250-local.server [72.92.83.210], this server offers 7 extensions 181 19
11/30/16 01:20:10 SMTP-IN .MAI 1564 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:11 SMTP-IN .MAI 1564 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 test
11/30/16 01:20:11 SMTP-IN .MAI 1564 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 test

11/30/16 01:20:12 SMTP-IN .MAI 1132 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:12 0 0
11/30/16 01:20:12 SMTP-IN .MAI 1132 72.92.83.210 EHLO EHLO 192.168.0.29 250-local.server [72.92.83.210], this server offers 7 extensions 181 19
11/30/16 01:20:13 SMTP-IN .MAI 1132 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:14 SMTP-IN .MAI 1132 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 18 postmaster
11/30/16 01:20:14 SMTP-IN .MAI 1132 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 postmaster

11/30/16 01:20:15 SMTP-IN .MAI 1708 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:14 0 0
11/30/16 01:20:15 SMTP-IN .MAI 1708 72.92.83.210 EHLO EHLO 192.168.0.216 250-local.server [72.92.83.210], this server offers 7 extensions 181 20
11/30/16 01:20:16 SMTP-IN .MAI 1708 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:17 SMTP-IN .MAI 1708 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 admin
11/30/16 01:20:17 SMTP-IN .MAI 1708 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 admin

So in total there are over 500 connection attempts from this IP address, all within a pretty short period of time. They have tried to log in with MANY different accounts. They are clearly using a brute force dictionary attack, one username at a time, one password at a time. After they go through their list of usernames and the first password, they repeat the list with new passwords for each account. The end result is that they lock out all accounts they've tried that are valid, and that's it. One of those accounts happens to be mine. I'm locked out multiple times a day from my own server. Just about every time I want to check my mail, I have to go unlock my account first.
Here are the concerns:
1) In my SMTP settings, connection dropping is on and set to 4 failed attempts. Now the commands I see are valid, but the setting also refers to recipients. Should MailEnable add login users to this as well, so that if an IP fails to log in with X amount (in my case 4) of user accounts they are added to the denied IP list?
2) In the localhost settings under policies, "Enable Abuse Detection and Prevention" is turned on. The option specifies password dictionary attacks, which is exactly what's happening, yet I have over 500 failed attempts on 100 accounts in just a few minutes from the same IP address, and they are still connecting and trying more accounts later from the same IP, and the next day from the same IP. Is this feature broken? I have had this issue since MailEnable 6.
3) On the same screen as #2, I have enabled the setting to lock out a user for one hour after 4 failed login attempts. Is this setting by username or IP address? And is there a way to see a list of locked out users (whether actual accounts or not)? My assumption is that this goes by username and not IP because of the mass amounts of attempts I see.
For each issue above, is it possible to have options/features added to make these filters more flexible? I believe that spam and security are the two biggest issues that email servers have, and I'm feeling like MailEnable has been a bit inadequate on these types of options. It doesn't help that these options are spread all over the place either, but it makes complete sense that they are located where they are.
I currently have a list that I've been managing for years that has over 5000 IP addresses on it that I've manually added day after day, blocking the IP addresses of those spamming my server. I know this list is almost entirely useless, and likely every IP address on that list that is older than a few days should be removed, but I've been manually going through the logs and blocking the IP addresses of each person using dictionary attacks in the MMC snap-in called "IP Security Policies on Local Computer" because there are no other options within MailEnable to stop these attackers. 98% of my logs are filled with these failed login attempts. Every few page-downs I'll see a few lines for an email that has come in or a legitimate login or something, but it's page after page after page of failed login attempts. What can I do?
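As an added illustration (not part of the original post and not MailEnable's own logic), the Python below reads SMTP activity lines of the shape quoted above and applies the two rules the questions distinguish: a per-IP rule (one client failing against many accounts, the behaviour question 1 asks for) and a per-username rule (many failures against one account, the lockout question 3 suspects). The clients 198.51.100.7 and 192.0.2.10 and the account "bob" are constructed sample data; 72.92.83.210 and its account names come from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the MailEnable SMTP activity log quoted in the
# post: 72.92.83.210 mirrors the post; 198.51.100.7 and 192.0.2.10 are made-up clients.
SAMPLE_LOG = """\
11/30/16 01:20:04 SMTP-IN .MAI 1812 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:05 SMTP-IN .MAI 1812 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 customers
11/30/16 01:20:08 SMTP-IN .MAI 1784 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 administrator
11/30/16 01:20:11 SMTP-IN .MAI 1564 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 test
11/30/16 01:20:14 SMTP-IN .MAI 1132 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 postmaster
11/30/16 01:20:17 SMTP-IN .MAI 1708 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 admin
11/30/16 01:31:02 SMTP-IN .MAI 1901 198.51.100.7 AUTH MTIz 535 Invalid Username or Password 34 6 customers
11/30/16 01:31:05 SMTP-IN .MAI 1902 198.51.100.7 AUTH MTIz 535 Invalid Username or Password 34 6 customers
11/30/16 01:31:08 SMTP-IN .MAI 1903 198.51.100.7 AUTH MTIz 535 Invalid Username or Password 34 6 customers
11/30/16 01:45:40 SMTP-IN .MAI 2010 192.0.2.10 AUTH Ym9i 535 Invalid Username or Password 34 6 bob
"""

# An AUTH command answered with 535; in the quoted log the account name is the last field.
FAIL_RE = re.compile(r"^(\S+ \S+) SMTP-IN \S+ \d+ (\S+) AUTH \S+ 535 .* (\S+)$")

def parse_auth_failures(log_text):
    """Return [(timestamp, client_ip, account), ...] for every failed AUTH in the log."""
    hits = (FAIL_RE.match(line.strip()) for line in log_text.splitlines())
    return [(datetime.strptime(m[1], "%m/%d/%y %H:%M:%S"), m[2], m[3]) for m in hits if m]

def dictionary_attackers(failures, max_accounts=4, window=timedelta(minutes=10)):
    """Per-IP rule the post asks for: clients that fail against >= max_accounts distinct
    accounts inside one sliding window. Returns {ip: sorted accounts it probed}."""
    by_ip = defaultdict(list)
    for ts, ip, user in failures:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= max_accounts:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

def locked_out_accounts(failures, max_failures=4):
    """Per-username rule the post suspects: accounts with >= max_failures failures from any client."""
    counts = Counter(user for _, _, user in failures)
    return sorted(u for u, n in counts.items() if n >= max_failures)
```

On the sample, only 72.92.83.210 trips the per-IP rule (five accounts in 12 seconds), while the three single-account failures from 198.51.100.7 go unflagged by it yet still push "customers" over the per-username threshold; that gap between the two rules is what leaves a valid mailbox locked while the client keeps connecting.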