Ban IP That Repeatedly Tries To Relay Spam

fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Ban IP That Repeatedly Tries To Relay Spam

Postby fbmaxwell » Tue May 20, 2014 9:09 pm

It's frustrating to see pages of log files with one spam relay attempt after another, sometimes for hours at a time, all from the same IP address.

Provide a means of automatically adding an IP address to the banned IP address list after some number of unauthenticated relay attempts within some time period -- hopefully configurable to something like three attempts in 15 minutes, 5 attempts in 40 minutes, etc.

MailEnable-Ian
Site Admin
Posts: 8389
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Ban IP That Repeatedly Tries To Relay Spam

Postby MailEnable-Ian » Wed May 21, 2014 1:22 am

Hi,

http://www.mailenable.com/documentation/8.0/Enterprise/Localhost_-_Policies.html - "Abuse detection and prevention" option.

Regards,

Ian Margarone
MailEnable Support

fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Re: Ban IP That Repeatedly Tries To Relay Spam

Postby fbmaxwell » Mon May 26, 2014 7:02 am

Hello Ian,

The description of that feature is "IP addresses will be blocked if they are incorrectly authenticating" and "(eg: password dictionary attacks)."

In the case I'm talking about, the spammer is trying to relay without attempting to authenticate at all (no SMTP AUTH command). Does it address problems like this?

Note: Actual e-mail addresses from log file replaced with "{non-local e-mail address}" in order to prevent harvesting by spammers.

Code:

05/23/14 07:26:21   SMTP-IN   07EB4438A3A1454E8745AD596751BB34.MAI   740   90.222.153.183   MAIL   MAIL FROM: <{non-local e-mail address}>   250 Requested mail action okay, completed   43   44   
05/23/14 07:26:22   SMTP-IN   07EB4438A3A1454E8745AD596751BB34.MAI   740   90.222.153.183   RCPT   RCPT TO: <{non-local e-mail address}>   503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.   235   30   
05/23/14 07:28:12   SMTP-IN   AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI   728   90.222.153.183         220 {my mail server name} ESMTP Service Ready   0   0   
05/23/14 07:28:12   SMTP-IN   AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI   728   90.222.153.183   EHLO   EHLO 5ade99b7.bb.sky.com   250- {my mail server name} [90.222.153.183], this server offers 4 extensions   123   26   
05/23/14 07:28:12   SMTP-IN   AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI   728   90.222.153.183   MAIL   MAIL FROM: <{non-local e-mail address}>   250 Requested mail action okay, completed   43   42   
05/23/14 07:28:12   SMTP-IN   AC8E6BD8062C45ABAAE741CD41FAC4F7.MAI   728   90.222.153.183   RCPT   RCPT TO: <{non-local e-mail address}>   503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.   235   30   

05/23/14 07:29:47   SMTP-IN   D24F0763ECCC475EAAD2635DDC145469.MAI   188   90.222.153.183         220  {my mail server name} ESMTP Service Ready   0   0   
05/23/14 07:29:47   SMTP-IN   D24F0763ECCC475EAAD2635DDC145469.MAI   188   90.222.153.183   EHLO   EHLO 5ade99b7.bb.sky.com   250- {my mail server name} [90.222.153.183], this server offers 4 extensions   123   26   
05/23/14 07:29:47   SMTP-IN   D24F0763ECCC475EAAD2635DDC145469.MAI   188   90.222.153.183   MAIL   MAIL FROM: <{non-local e-mail address}>   250 Requested mail action okay, completed   43   47   
05/23/14 07:29:47   SMTP-IN   D24F0763ECCC475EAAD2635DDC145469.MAI   188   90.222.153.183   RCPT   RCPT TO: <{non-local e-mail address}>   503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.   235   37   

05/23/14 07:34:50   SMTP-IN   5D1832530A2E4DF5A337D6ECCAF3829D.MAI   688   90.222.153.183         220  {my mail server name} ESMTP Service Ready   0   0   
05/23/14 07:34:51   SMTP-IN   5D1832530A2E4DF5A337D6ECCAF3829D.MAI   688   90.222.153.183   EHLO   EHLO 5ade99b7.bb.sky.com   250- {my mail server name} [90.222.153.183], this server offers 4 extensions   123   26   
05/23/14 07:34:51   SMTP-IN   5D1832530A2E4DF5A337D6ECCAF3829D.MAI   688   90.222.153.183   MAIL   MAIL FROM: <{non-local e-mail address}>   250 Requested mail action okay, completed   43   53   
05/23/14 07:34:51   SMTP-IN   5D1832530A2E4DF5A337D6ECCAF3829D.MAI   688   90.222.153.183   RCPT   RCPT TO: <{non-local e-mail address}>   503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.   235   31   


Thanks.

-- Fred

MailEnable-Ian
Site Admin
Posts: 8389
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Ban IP That Repeatedly Tries To Relay Spam

Postby MailEnable-Ian » Tue May 27, 2014 2:49 am

Hi,

The abuse detection and prevention option will not ban the IP for invalid 503 attempts. Since the spammer is not able to relay, the only way to stop these connections from hitting the MailEnable server would be to implement a spam gateway that has the ability to detect these types of attacks, as MailEnable does not have the ability to stop these types of harvesting attacks.

Regards,

Ian Margarone
MailEnable Support

fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Re: Ban IP That Repeatedly Tries To Relay Spam

Postby fbmaxwell » Tue May 27, 2014 2:43 pm

Ian,

Thanks for your reply. So, I'm going to go back to my original request:

Provide a means of automatically adding an IP address to the banned IP address list after some number of unauthenticated relay attempts within some time period -- hopefully configurable to something like three attempts in 15 minutes, 5 attempts in 40 minutes, etc.

That would solve the problem. Spammer tries a few relay attempts. Spammer's IP is added to the blocked IP address list. SMTP server stops being available to spammer. Log file stops filling up.
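
The threshold rule requested in this thread (N unauthenticated relay attempts from one IP within a time window), as an added example that is not part of the original posts and is not MailEnable code. It assumes tab-separated log fields in the column order of the excerpt posted earlier and a chronologically ordered log; the sample lines and IP addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Response text taken from the log excerpt in the thread.
REJECT = ("503 This mail server requires authentication when attempting "
          "to send to a non-local e-mail address.")

def relay_rejections(lines):
    """Yield (timestamp, ip) for every RCPT refused as an unauthenticated relay."""
    for line in lines:
        f = line.rstrip("\n").split("\t")
        # Assumed columns: 0 time, 1 service, 4 client IP, 5 command, 7 response
        if len(f) < 8 or f[1] != "SMTP-IN" or f[5] != "RCPT":
            continue
        if not (f[7].startswith("503") and "requires authentication" in f[7]):
            continue  # other 503s (e.g. bad command sequence) are not relay attempts
        try:
            yield datetime.strptime(f[0], "%m/%d/%y %H:%M:%S"), f[4]
        except ValueError:
            continue  # malformed timestamp: skip the line

def ips_to_ban(lines, max_attempts=3, window=timedelta(minutes=15)):
    """Return {ip: time the threshold was reached}, using a per-IP sliding window."""
    recent, banned = defaultdict(deque), {}
    for ts, ip in relay_rejections(lines):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= max_attempts:
            banned[ip] = ts
    return banned

def _row(ts, ip, cmd, resp):  # helper that builds one constructed log line
    return "\t".join([ts, "SMTP-IN", "S.MAI", "740", ip, cmd, cmd + " ...", resp, "0", "0"])

SAMPLE = [  # constructed data using documentation IP ranges
    _row("05/23/14 07:00:00", "198.51.100.9", "RCPT", REJECT),
    _row("05/23/14 07:20:00", "198.51.100.9", "RCPT", REJECT),
    _row("05/23/14 07:26:21", "203.0.113.7", "MAIL", "250 Requested mail action okay, completed"),
    _row("05/23/14 07:26:22", "203.0.113.7", "RCPT", REJECT),
    _row("05/23/14 07:28:12", "203.0.113.7", "RCPT", REJECT),
    _row("05/23/14 07:29:47", "203.0.113.7", "RCPT", REJECT),
    _row("05/23/14 07:34:51", "203.0.113.7", "RCPT", REJECT),
    _row("05/23/14 07:41:00", "198.51.100.9", "RCPT", REJECT),
]
```

With the default "three attempts in 15 minutes", only the address that retries every couple of minutes crosses the threshold; the one retrying every 20 minutes does not, which is why the window and count need to be configurable.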

time299
Posts: 7
Joined: Wed Apr 09, 2014 7:18 am

Re: Ban IP That Repeatedly Tries To Relay Spam

Postby time299 » Sat Jun 21, 2014 1:26 am

I would like to see this added in a future release as well.
+1 Vote from me.

AlDo
Posts: 27
Joined: Sun Aug 27, 2006 2:24 pm

Re: Ban IP That Repeatedly Tries To Relay Spam

Postby AlDo » Wed Dec 16, 2015 7:37 am

It would be very useful.
+6 as I manage 6 Mailenable servers :)
