SUMMARY

By default the abuse detection in MailEnable will block a maximum of 200 different IP addresses for an hour, if they try to authenticate incorrectly more than 10 times within an hour. It will ignore attempts where the same password is used, even if incorrect. This helps valid users being blocked if they have changed their password and a device they have is still trying to log in. Abuse detection keeps the list of IP addresses in memory, and it is service based, so a connection blocked for POP can still access SMTP. You can clear a blocked IP address in the administration program, under the SMTP Policies options, or wait long enough that there has been less than 10 attempts in the last hour (so a maximum time of an hour is needed).  If you restart the affected service it will clear all addresses. You are able to prevent an IP address from being blacklisted by entering it into the SMTP whitelist.

DETAIL

The following registry keys can be used to adjust these default values. The registry keys need to be added if they do not exist. The abuse intance threshold is the number of times abuse happens before the IP is blocked. The abuse instance maximum age option is the number of seconds to keep the block for. The blocks are per service, so someone abusing IMAP is not blocked from POP, and can only be cleared by waiting the hour or restarting the relevant service.

For 64bit Windows servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Security]
"Abuse Instance Threshold"=dword:0000000a
"Abuse Instance Maximum Age"=dword:00000e10


For 32bit Windows servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Security]
"Abuse Instance Threshold"=dword:0000000a
"Abuse Instance Maximum Age"=dword:00000e10