Invalid Email Account Login Attempts

Discussion forum for Enterprise Edition.
PMad
Posts: 54
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad » Wed Jun 29, 2016 8:11 pm

rfwilliams777 wrote: MailEnable does block the IP address for up to 1 hour. Another way of doing it if it is the server is to use RDPGuard. Don't let the name fool you as it can block other forms of connections to the server. With this, you can set it up to block IP addresses for as long as you want before it auto dumps it.

Thanks for the response rfwilliams!

For whatever reason, MailEnable isn't blocking it at all... I was just looking at my logs and for 30 minutes nonstop somebody from Vietnam was trying to break in with various usernames using one single IP address.

Is there anything built into Windows Server 2012 or MailEnable? I'd rather not have to purchase another product.

rfwilliams777
Posts: 1312
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 » Wed Jun 29, 2016 8:37 pm

You can use the Windows firewall to block whatever port for whatever IP address or block of IP addresses. Just be careful that you enable what you want and have RDP and your mail server ports open or you will have problems quickly. Trust me...I know. :D
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

PMad
Posts: 54
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad » Tue Aug 23, 2016 10:35 pm

I believe it... For the last couple of years I've been using MMC. I add the IP Security Policy Management snap-in and block IPs through there.

There are several problems with this:
1) It doesn't notify you if you are entering a duplicate. I don't see duplicates happening, but if the filters were to fail for whatever reason, then duplicates would start showing and I'd start finding them and know that I need to find a patch to fix the issue or find a new solution.
2) The list isn't sortable. If I want to sort the list to look for a specific subnet that I consistently get attacked from, I can't. I use that information so that if I'm attacked by 10+ IPs in the same /24 subnet, I'll block that whole subnet.
3) There is no extra information beyond what I enter. For example, it doesn't log the date I entered everything, so if I wanted that, I'd have to manually enter that in the description field, but I can't sort or filter by description to get rid of the older IPs that are likely no longer being used.
4) The window is small and hard to use. Because of the size, I can only see 4.5 IP addresses at once. So I have to slowly scroll down for what seems like forever because there are so many!
5) There are no rules. I wouldn't expect a free application to have rules, but it's just a perk that would be nice to have. Unblock IPs after X amount of time.
6) This is a completely manual process! Yes, I would definitely prefer to have these IPs blocked from my server completely rather than just my email, but I'm sure the majority of my email attackers are trying strictly email.

I think what MailEnable needs is to simply (I think it's simple, haha) enhance their current mechanism of blocking people after X amount of failed login attempts. What that is doing is blocking the user, not the IP. There should be an option for this. It should also block the IP address of somebody who fails to log in X amount of times on X amount of accounts, because surely if somebody fails to log in 10 times on 5 accounts, they are surely not a legitimate person. It's possible they could be, but again this would be an option an admin could enable or disable. I would personally enable it because 98% of my attackers would be blocked with it and zero of my users would be affected. My users would be more affected by forgetting their password and failing to log in 3 times on the same account within 5 minutes.

One of the issues I have is that at least once a week, I cannot log in to my own account because one of these hackers locked me out. I don't think they know if any of the logins they are using are legitimate or not (unless the classic trick of seeing a different login error for valid users vs invalid users is in play here) and that's why they spam hundreds of logins an hour on my server, locking out any of them that are legitimate, including mine, once a week. The option I proposed above would resolve this and even in addition to that feature, having an option to unlock any accounts that it has banned upon blocking that IP address would be a great feature too (as a toggleable option).
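
The per-IP rule proposed in the post above (10 failed logins across 5 accounts) and the /24 roll-up it mentions (10+ offending IPs in one subnet) can be run over exported log lines to produce a deduplicated, sorted block list. This is an added example, not part of the thread and not MailEnable code; the log line format, function names and sample data are assumptions, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def parse(lines):
    """Constructed format (assumption, not MailEnable's): '<ISO time> <IPv4> <account> <OK|FAIL>'."""
    for line in lines:
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ipaddress.IPv4Address(ip), account, result

def offenders(events, now, window=timedelta(hours=1), min_failures=10, min_accounts=5):
    """Source IPs with >= min_failures failed logins spread over >= min_accounts
    distinct accounts inside the window ending at `now`."""
    fails, accounts = defaultdict(int), defaultdict(set)
    for ts, ip, account, result in events:
        if result == "FAIL" and now - window <= ts <= now:
            fails[ip] += 1
            accounts[ip].add(account)
    return {ip for ip in fails
            if fails[ip] >= min_failures and len(accounts[ip]) >= min_accounts}

def collapse(ips, min_hosts=10):
    """Deduplicated, sorted block list; a /24 holding >= min_hosts offending
    addresses is blocked as one subnet instead of host by host."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    blocks = []
    for net, hosts in by_net.items():
        blocks += [net] if len(hosts) >= min_hosts else [
            ipaddress.ip_network(f"{h}/32") for h in hosts]
    return sorted(blocks)

def sample_log():
    """Constructed sample lines using documentation address ranges."""
    t0 = datetime(2016, 8, 23, 22, 0)
    def stamp(i):
        return (t0 + timedelta(seconds=10 * i)).isoformat()
    lines = [f"{stamp(i)} 203.0.113.7 user{i % 6} FAIL" for i in range(12)]  # one sprayer
    for h in range(1, 11):                                                   # 10 hosts in one /24
        lines += [f"{stamp(i)} 198.51.100.{h} user{i % 5} FAIL" for i in range(10)]
    lines += [f"{stamp(i)} 192.0.2.44 pmad FAIL" for i in range(3)]          # forgetful real user
    lines.append(f"{stamp(4)} 192.0.2.44 pmad OK")
    return lines

def blocklist(lines, now):
    return [str(net) for net in collapse(offenders(parse(lines), now))]

if __name__ == "__main__":
    for net in blocklist(sample_log(), datetime(2016, 8, 23, 22, 30)):
        print(net)
```

Because only failures inside the window count, rerunning it later drops stale entries, which gives the "unblock after X amount of time" behaviour without tracking entry dates by hand.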
