Invalid Email Account Login Attempts

Discussion forum for Enterprise Edition.
PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

rfwilliams777 wrote:
MailEnable does block the IP address for up to 1 hour. Another way of doing it if it is the server is to use RDPGuard. Don't let the name fool you as it can block other forms of connections to the server. With this, you can set it up to block IP addresses for as long as you want before it auto dumps it.

Thanks for the response rfwilliams!

For whatever reason, MailEnable isn't blocking it at all... I was just looking at my logs and for 30 minutes non-stop somebody from Vietnam was trying to break in with various usernames using one single IP address.

Is there anything built into Windows Server 2012 or MailEnable? I'd rather not have to purchase another product.

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 »

You can use the Windows firewall to block whatever port for whatever IP address or block of IP addresses. Just be careful that you enable what you want and have RDP and your mail server ports open or you will have problems quickly. Trust me...I know. :D
Robert Williams, Owner
www.WilliamsWebSolutions.com
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and we will migrate your accounts to us for FREE!
We can be hired to help you with your Mail Enable server, too!

PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

I believe it... For the last couple of years I've been using MMC. I add the IP Security Policy Management snap-in and block IPs through there.

There are several problems with this:
1) It doesn't notify you if you are entering a duplicate. I don't see duplicates happening, but if the filters were to fail for whatever reason, then duplicates would start showing and I'd start finding them and know that I need to find a patch to fix the issue or find a new solution.
2) The list isn't sortable. If I want to sort the list to look for a specific subnet that I consistently get attacked from, I can't. I use that information so that if I'm attacked by 10+ IPs in the same /24 subnet, I'll block that whole subnet.
3) There is no extra information beyond what I enter. For example, it doesn't log the date I entered everything, so if I wanted that, I'd have to manually enter it in the description field, but I can't sort or filter by description to get rid of the older IPs that are likely no longer being used.
4) The window is small and hard to use. Because of the size, I can only see 4.5 IP addresses at once. So I have to slowly scroll down for what seems like forever because there are so many!
5) There are no rules. I wouldn't expect a free application to have rules, but it's just a perk that would be nice to have: unblock IPs after X amount of time.
6) This is a completely manual process! Yes, I would definitely prefer to have these IPs blocked from my server completely rather than just my email, but I'm sure the majority of my email attackers are trying strictly email.

I think what MailEnable needs is to simply (I think it's simple, haha) enhance their current mechanism of blocking people after X amount of failed login attempts. What that is doing is blocking the user, not the IP. There should be an option for this. It should also block the IP address of somebody who fails to log in X amount of times on X amount of accounts, because surely if somebody fails to log in 10 times on 5 accounts, they are not a legitimate person. It's possible they could be, but again this would be an option an admin could enable or disable. I would personally enable it because 98% of my attackers would be blocked with it and zero of my users would be affected. My users would be more affected by forgetting their password and failing to log in 3 times on the same account within 5 minutes.

One of the issues I have is that at least once a week, I cannot log in to my own account because one of these hackers locked me out. I don't think they know if any of the logins they are using are legitimate or not (unless the classic trick of seeing a different login error for valid users vs. invalid users is in play here), and that's why they spam hundreds of logins an hour on my server, locking out any of them that are legitimate, including mine, once a week. The option I proposed above would resolve this, and in addition to that feature, having an option to unlock any accounts that it has banned upon blocking that IP address would be a great feature too (as a toggleable option).
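The per-IP rule proposed in this post (block a source that fails against many different accounts, and collapse 10+ blocked hosts in one /24 into a subnet block) can be written down as a small log-analysis routine. The code below is an added example for this thread, not MailEnable code or a feature it ships; the log line layout, the sample lines and the 5-minute window are constructed for the example, and the 10-failure / 5-account / 10-hosts-per-/24 thresholds are the numbers quoted in the post.

```python
"""Per-IP (not per-account) lockout logic as proposed in the thread.

Constructed example: the log format below is a simplified, made-up
"timestamp ip account result" line, not MailEnable's real log layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: one attacker IP cycling through many accounts
# in seconds, and one legitimate user mistyping their own password.
SAMPLE_LOG = """\
2023-06-01T10:00:01 203.0.113.7 alice@example.com FAIL
2023-06-01T10:00:02 203.0.113.7 bob@example.com FAIL
2023-06-01T10:00:03 203.0.113.7 carol@example.com FAIL
2023-06-01T10:00:04 203.0.113.7 dave@example.com FAIL
2023-06-01T10:00:05 203.0.113.7 erin@example.com FAIL
2023-06-01T10:00:06 203.0.113.7 frank@example.com FAIL
2023-06-01T10:00:07 203.0.113.7 grace@example.com FAIL
2023-06-01T10:00:08 203.0.113.7 heidi@example.com FAIL
2023-06-01T10:00:09 203.0.113.7 ivan@example.com FAIL
2023-06-01T10:00:10 203.0.113.7 judy@example.com FAIL
2023-06-01T10:01:00 198.51.100.20 alice@example.com FAIL
2023-06-01T10:01:30 198.51.100.20 alice@example.com FAIL
2023-06-01T10:02:00 198.51.100.20 alice@example.com FAIL
2023-06-01T10:02:30 198.51.100.20 alice@example.com OK
"""


def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def ips_to_block(log_text, max_failures=10, min_accounts=5,
                 window=timedelta(minutes=5)):
    """Return source IPs with >= max_failures failed logins spread over
    >= min_accounts distinct accounts inside a sliding time window.

    A single account being hammered (a user who forgot their password)
    never trips this rule, which is the point of keying on the IP."""
    events = defaultdict(list)  # ip -> [(timestamp, account), ...]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, account, result = parse_line(raw)
        if result == "FAIL":
            events[ip].append((ts, account))

    blocked = set()
    for ip, fails in events.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            recent = fails[start:end + 1]
            accounts = {acct for _, acct in recent}
            if len(recent) >= max_failures and len(accounts) >= min_accounts:
                blocked.add(ip)
                break
    return blocked


def subnets_to_block(ips, threshold=10):
    """Collapse blocked hosts into /24 blocks once `threshold` distinct
    hosts from the same /24 are already on the block list."""
    per_net = defaultdict(set)
    for ip in ips:
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    return {str(net) for net, hosts in per_net.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    hits = ips_to_block(SAMPLE_LOG)
    print("block hosts:", sorted(hits))
    print("block nets:", sorted(subnets_to_block(hits)))
```

Run it over the constructed log and only 203.0.113.7 comes back; the user at 198.51.100.20 who failed three times on one account is left alone, which is the behaviour the post asks for. A real deployment would feed the result into a firewall rule with an expiry, so entries age out instead of piling up in a manual list.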

scottri
Posts: 6
Joined: Sun Jul 20, 2008 5:45 am
Location: USA

Re: Invalid Email Account Login Attempts

Post by scottri »

Love this idea; simple, and it would easily give more control for blocking hammering attempts. Currently using the "Enable abuse detection and prevention" option under Localhost Policies.

Ref: https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html

dcol
Posts: 237
Joined: Fri May 26, 2017 11:25 pm

Re: Invalid Email Account Login Attempts

Post by dcol »

There is a mechanism available to block the IP after so many failed attempts. Problem with that is the sender already, in my case, plowed through 500 or so names and gets a response to every one. Then the spammer takes any found legit addresses and spams on a different IP. What needs to be done is after so many failed attempts, 550 responses, disconnect the sender and also block the IP.

I tried to accomplish this using an External script in Advanced SMTP Settings, but the function ME_RCPT() is useless since it doesn't accept any code.
ME_MAIL() works, so it must be an ME bug. I did report it to ME support.

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Invalid Email Account Login Attempts

Post by Admin »

Hi,

It should have dropped the connection if it reaches your set limit for connection blocking. The scripts cannot drop a connection, they only change the response. If it is not dropping the connection when the limit is reached then it is something we are not aware of - I have tested this and it works. So possibly your support contact can help further to see why the limit is not being hit.

dcol
Posts: 237
Joined: Fri May 26, 2017 11:25 pm

Re: Invalid Email Account Login Attempts

Post by dcol »

Support just ignored the ultimate question of why after the limit is reached, the connection is allowed to complete all the RCPT commands.

This looks like a 'cart before the horse' scenario. Support said the function RCPT is not executed because it would not complete because of the limit restriction, which happens because of the RCPT command. So that means the connection dropping happens after all the RCPT commands, which is too late and gives the spammer the info they seek: harvesting for valid emails. This is a logic bug.

I have even tried removing the limit restriction and I still cannot execute any ME_RCPT() functions. They are ignored.

Philb
Posts: 50
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: Invalid Email Account Login Attempts

Post by Philb »

When a friend and I had these attacks, I was able to see that the client "pipelines" RCPT commands without waiting for the server's 250-PIPELINING response. It seems as though ME doesn't detect this unauthorized pipelining and accepts all the RCPT commands.

dcol, I sent you a PM

dcol
Posts: 237
Joined: Fri May 26, 2017 11:25 pm

Re: Invalid Email Account Login Attempts

Post by dcol »

Philb, you hit the nail on the head. ME doesn't detect the RCPT pipelining. They should. This is a common practice now for harvesting.

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Invalid Email Account Login Attempts

Post by Admin »

MailEnable does not support the pipelining SMTP extension. If you mean that you just stream in the RCPT commands, it will still count them and drop the connection.

Philb
Posts: 50
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: Invalid Email Account Login Attempts

Post by Philb »

Admin wrote:
Wed Jun 07, 2023 6:54 am
MailEnable does not support the pipelining SMTP extension.

RFC 2920, SMTP for Command Pipelining, September 2000

1. Introduction

This memo uses the mechanism described in [RFC-1869] to define an
extension to the SMTP service whereby an SMTP server can declare that
it is capable of handling pipelined commands. The SMTP client can
then check for this declaration and use pipelining only when the
server declares itself capable of handling it. [Emphasis added]

Given the use of pipelining by spammers/harvesters/bots, unauthorised use should result in rejection of the email and disconnection of the offending client.
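Two server-side behaviours come up in the last few posts: dropping a client that pipelines RCPT commands when PIPELINING was never advertised (the RFC 2920 point Philb quotes), and cutting the connection at the 550 limit so the rest of a harvesting batch is never answered (dcol's point). The receiver below is an added example written for this thread, not MailEnable code and not a statement of how MailEnable behaves; the Session class, the three-reject limit, the user list and the reply texts are all constructed.

```python
"""Server-side handling of two behaviours raised in this thread: a client
that pipelines RCPT commands although the server never advertised
PIPELINING (RFC 2920 only allows pipelining after that advertisement), and
a cap on 550 recipient rejections after which the server drops the
connection instead of answering the rest of the batch.

Constructed example: a minimal in-memory SMTP receiver written for this
thread, not MailEnable's code; the thresholds and user list are made up.
"""

VALID_USERS = {"alice@example.com", "bob@example.com"}  # constructed


class Session:
    def __init__(self, valid_users=VALID_USERS, max_rejects=3,
                 pipelining_advertised=False):
        self.valid_users = valid_users
        self.max_rejects = max_rejects            # 550s allowed before disconnect
        self.pipelining_advertised = pipelining_advertised
        self.rejects = 0
        self.connected = True
        self.block_client_ip = False              # signal for the firewall layer
        self.replies = []
        self.buf = b""

    def _reply(self, text):
        self.replies.append(text)

    def _disconnect(self, block):
        self.connected = False
        self.block_client_ip = block

    def receive(self, data):
        """Process one TCP read from the client."""
        self.buf += data
        *commands, self.buf = self.buf.split(b"\r\n")  # keep any partial line
        commands = [c for c in commands if c]
        # A compliant client waits for each reply before sending the next
        # command, so several complete commands in one read means the
        # client is pipelining. Without PIPELINING in the EHLO response
        # that is unauthorised: reject, disconnect and flag the source.
        if len(commands) > 1 and not self.pipelining_advertised:
            self._reply("503 Pipelining not permitted")
            self._disconnect(block=True)
            return
        for cmd in commands:
            if not self.connected:
                break  # nothing after a disconnect is ever answered
            self._handle(cmd.decode("ascii", "replace"))

    def _handle(self, cmd):
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "RCPT":
            addr = arg[3:] if arg.upper().startswith("TO:") else arg
            addr = addr.strip("<> ").lower()
            if addr in self.valid_users:
                self._reply("250 OK")
                return
            self.rejects += 1
            self._reply("550 No such user")
            if self.rejects >= self.max_rejects:
                # Drop the connection at the limit so no further RCPT
                # probes are answered, and hand the IP to the blocklist.
                self._reply("421 Too many invalid recipients, closing connection")
                self._disconnect(block=True)
        elif verb == "QUIT":
            self._reply("221 Bye")
            self._disconnect(block=False)
        else:
            self._reply("250 OK")  # MAIL FROM, NOOP, etc. accepted as-is
```

The check is deliberately done per read rather than per command: a client that honoured RFC 2920 cannot have a second command in flight before the first reply, so more than one complete command in a single read is itself the evidence. The same detection also catches the case the thread describes, where every RCPT in a burst would otherwise be answered before the limit ever triggered.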
