Background:
I get a lot of SMTP connections from compromised or malicious sources, whose IPs are often on a public blocklist. I'm sure everyone does.
-
Problem:
If they fail repeatedly to authenticate they are temporarily blocked. I see no way for me to upgrade such a block to permanent except manually?
So what happens is that the block expires and they get another x attempts to authenticate before being blocked again. This allows them to explore valid email addresses, since the error is different if the password is incorrect or the email does not exist.
_
Suggestion 1:
Each time a temporary IP block is imposed, I would like it to be either
a) automatically upgraded to permanent after n temp blocks, or
b) escalate the block duration (e.g. double it on each occasion, and clear it down after a good long time)
(or both!)
_
Suggestion 2:
Ideally I would prefer a public blocklist check on the inbound IP to take place _before_ they even get as far as attempting to authenticate.
I don't want to give blocklisted IPs an opportunity to _attempt_ SMTP authentication (since that allows them to perform a dictionary attack - which we can see happening in the logs).
-
And if in the meantime anyone knows a way to configure IP blocking more effectively than I have managed so far, please do let me know how??
-
Thank you ME for your consideration of this.
SMTP - public IP block list b4 connection / escalate temp IP blocks
-
- Posts: 16
- Joined: Fri Mar 18, 2022 9:48 am
- Location: UK
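Suggestion 1 as a worked policy, added here as an example and not code from the original post or from MailEnable: each new temporary block doubles the previous duration, the n-th block becomes permanent, and a long quiet period resets the escalation. The base duration, the permanent threshold and the reset window are assumed values.

```python
import time
from dataclasses import dataclass

PERMANENT = float("inf")  # sentinel for a block that never expires

@dataclass
class BlockState:
    block_count: int = 0      # temporary blocks imposed so far
    blocked_until: float = 0  # epoch seconds, or PERMANENT
    last_block_at: float = 0  # when the latest block was imposed

class EscalatingBlocker:
    """Escalating IP blocks: each new block doubles the previous duration,
    the n-th block becomes permanent, and a long quiet period resets the
    escalation. The defaults below are assumed, not MailEnable's settings."""

    def __init__(self, base_seconds=900, permanent_after=5, reset_after=30 * 86400):
        self.base_seconds = base_seconds
        self.permanent_after = permanent_after
        self.reset_after = reset_after
        self._state = {}

    def impose_block(self, ip, now=None):
        """Called when an IP hits the failed-AUTH threshold; returns block expiry."""
        now = time.time() if now is None else now
        st = self._state.setdefault(ip, BlockState())
        # Clear the escalation history if the IP has been quiet for a long time,
        # but never downgrade an already permanent block.
        if st.block_count and st.blocked_until != PERMANENT \
                and now - st.last_block_at > self.reset_after:
            st = self._state[ip] = BlockState()
        st.block_count += 1
        st.last_block_at = now
        if st.block_count >= self.permanent_after:
            st.blocked_until = PERMANENT
        else:
            # 1st block: base, 2nd: 2*base, 3rd: 4*base, ...
            st.blocked_until = now + self.base_seconds * 2 ** (st.block_count - 1)
        return st.blocked_until

    def is_blocked(self, ip, now=None):
        """Check at connection time, before any AUTH is offered."""
        now = time.time() if now is None else now
        st = self._state.get(ip)
        return st is not None and now < st.blocked_until

    def block_count(self, ip):
        st = self._state.get(ip)
        return st.block_count if st else 0
```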
Re: SMTP - public IP block list b4 connection / escalate temp IP blocks
We have some security features in our upstream hardware firewall, but they can also be mapped via a virtual firewall, where there are various blacklists that are used.
We also have a virus scanner on the ME server.
In the ESET logs, I see a few IPs that actually get through the firewall, but these are then blocked by the ESET firewall.
Due to this cascading, I have about 5-10 IP addresses per month that are then temporarily blocked by the MailEnable service.
Of these 5-10, 50% are customers who actually use the wrong password...
So I have 2-5 IPs that actually still get through to the ME service and are probably dangerous.
If necessary, I can tell you my manufacturer but not publicly in the forum (private message).
-----
But it would actually be a nice feature if the temporary blocklist did not work per account but globally on the server, and yes, I am aware of the dangers and support tickets that would result!
But it would be nice if every ME administrator had this security option!
It would also be good if the ME error message would be identical in case of an incorrect login (wrong or non-existent mail address or wrong PW).
-
Re: SMTP - public IP block list b4 connection / escalate temp IP blocks
Thank you RSN for your suggestion about hardware blocking.
We too have a firewall with blocking capabilities, but only manually entered ones, I am not able to link it to a public blocklist service. I guess I could upgrade the FW. But I would rather have all the blocks configured in one place, for ease of monitoring and management.
-
Re: SMTP - public IP block list b4 connection / escalate temp IP blocks
Bump.
Could this please be considered by ME developers? See my original suggestions above?
We continue to have difficulty with malicious SMTP inbound connections (with IPs listed on public blocklists) attempting to authenticate, or checking out mailbox addresses, or sending spam - all of which should be blocked by stopping them from even connecting.
Even my suggestion 1 - of escalating temporary blocks would be a massive improvement in security. But suggestion 2 would be ideal.
Please at least comment?
-
Re: SMTP - public IP block list b4 connection / escalate temp IP blocks
Bump again
--
Should I assume that there is nobody home?
Or that you simply don't care about your customers enough to respond even with just an acknowledgment?
I realise that fixing bugs is important, which you do some of, but security enhancements are pretty vital too, and this is a genuine issue I'd like your reaction to.
--
I can't help wondering if this is an Aus IT business culture thing? The only other Aus software house that I deal with professionally is equally unresponsive / dismissive. Giving support to customers seems to be regarded as a chargeable special privilege and a profit centre, not an obligation and an opportunity for improvement and enhanced reputation. If I ignored my customers, I simply wouldn't have a business.