Ban IP That Repeatedly Tries To Relay Spam

Post your MailEnable suggestions here.
Post Reply
fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Ban IP That Repeatedly Tries To Relay Spam

Post by fbmaxwell » Tue May 20, 2014 9:09 pm

It's frustrating to see pages of log files with one spam relay attempt after another, sometimes for hours at a time, all from the same IP address.

Provide a means of automatically adding an IP address to the banned IP address list after some number of unauthenticated relay attempts within some time period -- hopefully configurable to something like three attempts in 15 minutes, 5 attempts in 40 minutes, etc.

MailEnable-Ian
Site Admin
Posts: 9321
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Ban IP That Repeatedly Tries To Relay Spam

Post by MailEnable-Ian » Wed May 21, 2014 1:22 am

Hi,

http://www.mailenable.com/documentation ... icies.html - "Abuse detection and prevention" option.
Regards,

Ian Margarone
MailEnable Support

fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Re: Ban IP That Repeatedly Tries To Relay Spam

Post by fbmaxwell » Mon May 26, 2014 7:02 am

Hello Ian,

The description of that fearure is "IP addresses will be blocked if they are incorrectly authenticating" and "(eg: password dictionary attacks)."

In the case I'm talking about, the spammer is trying to relay without attempting to authenticate at all (no SMTP AUTH command). Does it address problems like this?

Note: Actual e-mail addresses from log file replaced with "{non-local e-mail address}" in order to prevent harvesting by spammers.

Code: Select all

05/23/14 07:26:21	SMTP-IN	07EB4438A3A1454E8745AD596751BB34.MAI	740	90.222.153.183	MAIL	MAIL FROM: <{non-local e-mail address}>	250 Requested mail action okay, completed	43	44	
05/23/14 07:26:22	SMTP-IN	07EB4438A3A1454E8745AD596751BB34.MAI	740	90.222.153.183	RCPT	RCPT TO: <{non-local e-mail address}>	503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.	235	30	
05/23/14 07:28:12	SMTP-IN	AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI	728	90.222.153.183			220 {my mail server name} ESMTP Service Ready	0	0	
05/23/14 07:28:12	SMTP-IN	AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI	728	90.222.153.183	EHLO	EHLO 5ade99b7.bb.sky.com	250- {my mail server name} [90.222.153.183], this server offers 4 extensions	123	26	
05/23/14 07:28:12	SMTP-IN	AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI	728	90.222.153.183	MAIL	MAIL FROM: <{non-local e-mail address}>	250 Requested mail action okay, completed	43	42	
05/23/14 07:28:12	SMTP-IN	AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI	728	90.222.153.183	RCPT	RCPT TO: <{non-local e-mail address}>	503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.	235	30	

05/23/14 07:29:47	SMTP-IN	D24F0763ECCC475EAAD2635DDC145469.MAI	188	90.222.153.183			220  {my mail server name} ESMTP Service Ready	0	0	
05/23/14 07:29:47	SMTP-IN	D24F0763ECCC475EAAD2635DDC145469.MAI	188	90.222.153.183	EHLO	EHLO 5ade99b7.bb.sky.com	250- {my mail server name} [90.222.153.183], this server offers 4 extensions	123	26	
05/23/14 07:29:47	SMTP-IN	D24F0763ECCC475EAAD2635DDC145469.MAI	188	90.222.153.183	MAIL	MAIL FROM: <{non-local e-mail address}>	250 Requested mail action okay, completed	43	47	
05/23/14 07:29:47	SMTP-IN	D24F0763ECCC475EAAD2635DDC145469.MAI	188	90.222.153.183	RCPT	RCPT TO: <{non-local e-mail address}>	503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.	235	37	

05/23/14 07:34:50	SMTP-IN	5D1832530A2E4DF5A337D6ECCAF3829D.MAI	688	90.222.153.183			220  {my mail server name} ESMTP Service Ready	0	0	
05/23/14 07:34:51	SMTP-IN	5D1832530A2E4DF5A337D6ECCAF3829D.MAI	688	90.222.153.183	EHLO	EHLO 5ade99b7.bb.sky.com	250- {my mail server name} [90.222.153.183], this server offers 4 extensions	123	26	
05/23/14 07:34:51	SMTP-IN	5D1832530A2E4DF5A337D6ECCAF3829D.MAI	688	90.222.153.183	MAIL	MAIL FROM: <{non-local e-mail address}>	250 Requested mail action okay, completed	43	53	
05/23/14 07:34:51	SMTP-IN	5D1832530A2E4DF5A337D6ECCAF3829D.MAI	688	90.222.153.183	RCPT	RCPT TO: <{non-local e-mail address}>	503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.	235	31	
Thanks.

-- Fred

MailEnable-Ian
Site Admin
Posts: 9321
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Ban IP That Repeatedly Tries To Relay Spam

Post by MailEnable-Ian » Tue May 27, 2014 2:49 am

Hi,

The abuse detection and prevention option will not ban the IP for invalid 503 attempts. Since the spammer is not able to relay the only way to stop these connections from hitting the MailEnable server would be to implement a spam gateway that has the ability to detect these types of attacks as MailEnable does not have the ability to stop these types of harvesting attacks.
Regards,

Ian Margarone
MailEnable Support

fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Re: Ban IP That Repeatedly Tries To Relay Spam

Post by fbmaxwell » Tue May 27, 2014 2:43 pm

Ian,

Thanks for your reply. So, I'm going to go back to my original request:

Provide a means of automatically adding an IP address to the banned IP address list after some number of unauthenticated relay attempts within some time period -- hopefully configurable to something like three attempts in 15 minutes, 5 attempts in 40 minutes, etc.

That would solve the problem. Spammer tries a few relay attempts. Spammer's IP is added to the blocked IP address list. SMTP server stops being available to spammer. Log file stops filling up.

time299
Posts: 7
Joined: Wed Apr 09, 2014 7:18 am

Re: Ban IP That Repeatedly Tries To Relay Spam

Post by time299 » Sat Jun 21, 2014 1:26 am

I would like to see this added in a future release as well.
+1 Vote from me.

AlDo
Posts: 27
Joined: Sun Aug 27, 2006 2:24 pm

Re: Ban IP That Repeatedly Tries To Relay Spam

Post by AlDo » Wed Dec 16, 2015 7:37 am

It would be very useful.
+6 as I manage 6 Mailenable servers :)

Post Reply