ME020610 - HOWTO: Changing abuse detection times


SUMMARY

By default the abuse detection in MailEnable will block a maximum of 200 different IP addresses for an hour, if they try to authenticate incorrectly more than 10 times within an hour. Abuse detection keeps the list of IP addresses in memory, and it is service based, so a connection blocked for POP can still access SMTP. The only way to clear a blocked IP address is to either restart the affected service, or wait long enough that there has been less than 10 attempts in the last hour (so a maximum time of an hour is needed). You are able to prevent an IP address from being blacklisted by entering it into the SMTP whitelist.

DETAIL

The following registry keys can be used to adjust these default values. The registry keys need to be added if they do not exist. The abuse intance threshold is the number of times abuse happens before the IP is blocked. The abuse instance maximum age option is the number of seconds to keep the block for. The blocks are per service, so someone abusing IMAP is not blocked from POP, and can only be cleared by waiting the hour or restarting the relevant service.

For 64bit Windows servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Security]
"Abuse Instance Threshold"=dword:0000000a
"Abuse Instance Maximum Age"=dword:00000e10


For 32bit Windows servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Security]
"Abuse Instance Threshold"=dword:0000000a
"Abuse Instance Maximum Age"=dword:00000e10



Product:MailEnable (Pro-4.X Pro-5.X Pro-6.X Ent-4.X Ent-5.X Ent-6.X)
Category:Other
Module:General
Keywords:abuse detection lockup block IP
Class:HOWTO: Product Instructions
Revised:Wednesday, May 4, 2016
Author:
Publisher:MailEnable