ME Pro 8.65 not auto-blocking IP addresses

Discussions on webmail and the Professional version.
merk
Posts: 423
Joined: Sun Oct 12, 2003 2:50 pm

ME Pro 8.65 not auto-blocking IP addresses

Post by merk » Fri Jan 22, 2021 9:43 am

I have ME set to autoblock an IP if there are more than 3 failed attempts, but it doesn't seem to be doing this. I was setting up a new server that's not live yet. But some spammer has already found it and has been constantly trying to find a valid login for the server. And none of the IPs are being added to the block list. All of it is coming from 45.142.120.*

It's been going on for at least 2 months, so they must have cycled through all 256 available IPs. But there wasn't a single entry in the smt-deny list.
Is there a limit to that list? Because there were about 12,000 entries in it. I just deleted them all and figured I'd let it start over fresh.

Also, I believe this has been running as the free version since I haven't transferred the license over from the old server yet. So I'm not sure if that feature is something only active in the pro version.

For now I just manually added 45.142.120.* to just block them all.

I also just checked, and it looks like the IP range is listed on spamhaus. So shouldn't the server be auto-rejecting them based on that as well? The log file is just showing them constantly trying to authenticate and the authentication fails.

MailEnable-Ian
Site Admin
Posts: 9372
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by MailEnable-Ian » Mon Feb 01, 2021 1:28 am

Hi,

I have checked this in the latest version of MailEnable 8.65 and it works and adds the IP address to the SMTP-DENY after exceeding the "Connection Dropping" value. You should see in the SMTP debug log file a line like the following: "Unauthenticated IP address 192.x.x.x banned for too many invalid commands". Also ensure that the option under "Connection Dropping" for "Add to denied IP addresses if this number is reached" is ticked.
Regards,

Ian Margarone
MailEnable Support

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by merk » Mon Feb 01, 2021 2:13 am

Hi,

So under connection dropping it's set to 3, and the checkbox is checked to auto-add the IP address.

Looking at the SMTP log from yesterday, I find an IP address 176.111.173.15 repeatedly (way more than 3 times) connecting to the server and attempting to authenticate and failing. So it is not blocking the IP address. Does it only block them if they fail 3 times on the same connection?

And I realize the 8.x version of ME is an old version, but I'd like to offer a suggestion for something to add (assuming it's not already in the latest version) - give the option to automatically block the first connection if it attempts to authenticate with a user account that does not exist. Very unlikely a legit user will log in with the wrong user.

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by MailEnable-Ian » Mon Feb 01, 2021 2:27 am

Hi,
"Does it only block them if they fail 3 times on the same connection?"

Correct.
Regards,

Ian Margarone
MailEnable Support

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by merk » Mon Feb 01, 2021 2:36 am

Ahhh... Is there a way to block them not on the same connection? A lot of them try once and then try again in a few seconds or minutes later.

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by MailEnable-Ian » Mon Feb 01, 2021 2:40 am

Hi,

No, you would need to lower the "Connection Dropping" value.
Regards,

Ian Margarone
MailEnable Support
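
The difference discussed above, per-connection counting versus counting failures per IP across connections, shown as an added example (not part of the original posts and not MailEnable code). The log format, the sample events and the 10-minute window are constructed assumptions; the threshold of 3 is the value from the thread, and blocking on reaching it (rather than exceeding it) is also an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified format (NOT MailEnable's log format):
# timestamp, connection id, client IP, AUTH result.
SAMPLE_LOG = """\
2021-01-31T10:00:00 c1 198.51.100.7 FAIL
2021-01-31T10:00:40 c2 198.51.100.7 FAIL
2021-01-31T10:02:10 c3 198.51.100.7 FAIL
2021-01-31T10:03:00 c4 192.0.2.10 FAIL
2021-01-31T10:03:20 c5 192.0.2.10 OK
2021-01-31T10:05:00 c6 203.0.113.9 FAIL
2021-01-31T10:05:01 c6 203.0.113.9 FAIL
2021-01-31T10:05:02 c6 203.0.113.9 FAIL
2021-01-31T10:06:30 c7 198.51.100.7 FAIL
"""

def parse(log):
    """Yield (timestamp, connection id, ip, result) for each event line."""
    for line in log.splitlines():
        ts, conn, ip, result = line.split()
        yield datetime.fromisoformat(ts), conn, ip, result

def per_connection_blocks(log, threshold=3):
    """IPs that reach `threshold` failures inside one connection."""
    fails = defaultdict(int)
    blocked = set()
    for _, conn, ip, result in parse(log):
        if result == "FAIL":
            fails[conn] += 1
            if fails[conn] >= threshold:
                blocked.add(ip)
    return blocked

def per_ip_window_blocks(log, threshold=3, window=timedelta(minutes=10)):
    """IPs that reach `threshold` failures within `window`, across connections."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked = set()
    for ts, _, ip, result in parse(log):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked
```

On the sample, the client that fails once per connection is missed by the per-connection count and caught by the per-IP window, while the user with a single wrong password followed by a successful login is blocked by neither.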

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by merk » Mon Feb 01, 2021 2:45 am

Hmm, that makes that feature not that useful then. It means if a legit user used a wrong password once, they'd get blocked. Although I guess most people are using a saved login so typing in a wrong password might only come into play if they use webmail. I guess I'll try setting it to 1 and see if any users complain.

Thanks

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by MailEnable-Ian » Mon Feb 01, 2021 2:57 am

Hi,

Or you could disable "Connection Dropping" and rely on the "Abuse detection and prevention" option instead.

https://www.mailenable.com/documentation/8.0/Professional/Localhost_-_Policies.html
IP addresses will be blocked if they are incorrectly authenticating. Blocked IP addresses will be held in cache memory for hour. In order to release the blocked IP's from memory the respective needs to be restarted.
Regards,

Ian Margarone
MailEnable Support

Re: ME Pro 8.65 not auto-blocking IP addresses

Post by merk » Mon Feb 01, 2021 3:35 am

Sounds like that should do what I want.

Thank you
