Blocked IPs

Post by malcolmhum » Thu Feb 23, 2017 6:48 pm

Could you look at a central register for blocked IPs so, if an IP gets added to the block list for IMAP, it will apply to SMTP and so on.
It would also be good if IPs could automatically get added to the block list rather than searching for them in the logs and manually adding them.

If I am being stupid and it already exists let me know.

Malcolm
malcolmhum
Posts: 27
Joined: Thu Jan 07, 2010 9:27 am

Re: Blocked IPs

Post by EKjellquist » Fri Feb 24, 2017 8:07 pm

Do you happen to have a website, or access to one, where you can get at the HTML at all? If so, you can make use of the Spamtrap filter, which can effectively auto-add spammer IPs to an internal list that applies to SMTP. All you really need to do is create 'fake' addresses and embed them anywhere online where ordinary users couldn't possibly get to them; then they get hoovered up by bots, and you can be highly confident that anything that sends mail to that address is spam / malware-laden, and the server will auto-add the offending IP.

Now, that said, you MIGHT have to clean out the list every several months or years, as sooner or later an IP might get snagged that ultimately goes back into the pool and becomes a legit sender, but that's pretty rare.
EKjellquist
Posts: 89
Joined: Tue Sep 09, 2014 10:40 pm

Re: Blocked IPs

Post by Code Crafters » Mon Feb 27, 2017 10:28 am

We currently have separate Blocked IPs lists per listening service, as often the ones attacking your SMTP aren't accessing your POP3 / IMAP4 / WebMail. However, you can edit the .ini files directly to copy a list from one service to another, which would probably be sufficient, depending on how often you update the Blocked IPs. We will consider adding a General Settings blocked list for all too.

If you can elaborate on how IPs can be auto-added (i.e. what are the triggers?) then we can consider this too.
Code Crafters
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Blocked IPs

Post by malcolmhum » Wed Mar 01, 2017 5:11 pm

Hi
Thanks for the response.
In the logs, you can see instances of the system issuing a denial, but they are persistently trying. Below are examples from the SMTP log.
If the files could be searched for certain failed actions, these could then be applied automatically to the block lists. If you found that an IP had been blocked that you did not want blocked, then you could add it to the white list and it would be auto-removed from the block list. You could have either a common master list or one per service.
Both examples are very common. The login ones are not tripping the anti-hammering anymore, as they are maybe trying a login from different IPs every 10 minutes or so and just rotating around until they get lucky.

Wed, 01 Mar 2017 14:08:18 -> 182.75.243.62 -> Success: Action=[Accept Connection], Details=[Port 25]
Wed, 01 Mar 2017 14:08:18 -> 182.75.243.62 -> Success: Action=[Received Hello], Details=[Host=nsg-static-62.243.75.182-airtel.com]
Wed, 01 Mar 2017 14:08:18 -> 182.75.243.62 -> Success: Action=[Received Sender], Details=[abdi@ganindo.com]
Wed, 01 Mar 2017 14:08:19 -> 182.75.243.62 -> Failed: Action=[Received Recipient], Details=[colm@vmsecure.co.uk: Relaying not permitted.]
Wed, 01 Mar 2017 14:08:19 -> 182.75.243.62 -> Success: Action=[Close Connection]

Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Close Connection]
Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Accept Connection], Details=[Port 25]
Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Received Hello], Details=[Host=[192.168.1.2]]
Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Starting Login], Details=[LOGIN authentication.]
Wed, 01 Mar 2017 14:42:37 -> 5.237.147.185 -> Failed: Action=[Login], Details=[ace]
Wed, 01 Mar 2017 14:42:42 -> 5.237.147.185 -> Success: Action=[Close Connection]
malcolmhum
Posts: 27
Joined: Thu Jan 07, 2010 9:27 am

Re: Blocked IPs

Post by Code Crafters » Fri Mar 03, 2017 11:22 am

If the IPs change then it's not possible to block the IPs as easily. We would still need more information on what the trigger to look for is before taking any action with a block list / SPAM filter. We need something consistent, like the same IP doing some action repeatedly as with anti-hammering, to block the IP.
Code Crafters
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
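As an added example (not Ability Mail Server code, and not posted by anyone in this thread), the script below shows what the "search the log for failed actions and block the IP" trigger malcolmhum describes looks like in practice, and why the reply above is right that a rotating-IP attacker needs a different trigger. It parses lines in the format quoted in the SMTP log excerpt (`<timestamp> -> <ip> -> Success|Failed: Action=[...], Details=[...]`), counts the two failure types shown (`Received Recipient` with "Relaying not permitted." and `Login`), blocks an IP that exceeds a threshold inside a time window unless it is whitelisted, and separately reports usernames hit from several distinct IPs, which is the spray pattern no per-IP counter catches. The sample log, the RFC 5737 addresses, the trigger set and the assumption that `Details=[...]` on a failed Login holds the username attempted are all constructed for the example.

```python
"""Build a block list from mail-server log lines with failed actions.

Added example for this thread, not Ability Mail Server code. It assumes the
line format quoted in the SMTP log excerpt above:
    <Day, DD Mon YYYY HH:MM:SS> -> <ip> -> Success|Failed: Action=[...], Details=[...]
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}, \d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2}) -> "
    r"(?P<ip>\S+) -> (?P<result>Success|Failed): Action=\[(?P<action>[^\]]*)\]"
    r"(?:, Details=\[(?P<details>.*)\])?$"
)

# Failed actions treated as hostile. Assumed trigger set taken from the two
# patterns in the post; "Received Recipient" also fails for unknown local
# recipients, so tune this to your own logs.
TRIGGERS = {
    "Received Recipient": "relay probe",  # Details ends "Relaying not permitted."
    "Login": "auth failure",              # Details assumed to be the username tried
}

# Constructed sample log (RFC 5737 documentation addresses, example.* domains).
SAMPLE_LOG = """\
Wed, 01 Mar 2017 14:08:18 -> 198.51.100.7 -> Success: Action=[Accept Connection], Details=[Port 25]
Wed, 01 Mar 2017 14:08:18 -> 198.51.100.7 -> Success: Action=[Received Hello], Details=[Host=mail.example.net]
Wed, 01 Mar 2017 14:08:19 -> 198.51.100.7 -> Failed: Action=[Received Recipient], Details=[bob@example.co.uk: Relaying not permitted.]
Wed, 01 Mar 2017 14:08:19 -> 198.51.100.7 -> Success: Action=[Close Connection]
Wed, 01 Mar 2017 14:20:02 -> 198.51.100.7 -> Failed: Action=[Received Recipient], Details=[carol@example.co.uk: Relaying not permitted.]
Wed, 01 Mar 2017 14:33:40 -> 198.51.100.7 -> Failed: Action=[Received Recipient], Details=[dave@example.co.uk: Relaying not permitted.]
Wed, 01 Mar 2017 14:42:36 -> 192.0.2.10 -> Success: Action=[Received Hello], Details=[Host=[192.168.1.2]]
Wed, 01 Mar 2017 14:42:36 -> 192.0.2.10 -> Success: Action=[Starting Login], Details=[LOGIN authentication.]
Wed, 01 Mar 2017 14:42:37 -> 192.0.2.10 -> Failed: Action=[Login], Details=[ace]
Wed, 01 Mar 2017 14:52:11 -> 192.0.2.11 -> Failed: Action=[Login], Details=[ace]
Wed, 01 Mar 2017 15:02:48 -> 192.0.2.12 -> Failed: Action=[Login], Details=[ace]
Wed, 01 Mar 2017 15:05:00 -> 203.0.113.5 -> Failed: Action=[Login], Details=[malcolm]
"""


def parse_line(line):
    """Return a dict (ts, ip, result, action, details) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a, %d %b %Y %H:%M:%S")
    return ev


def failed_events(log_text):
    """Yield every Failed event whose action is in TRIGGERS."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed" and ev["action"] in TRIGGERS:
            yield ev


def ips_to_block(log_text, threshold=3, window=timedelta(hours=1), whitelist=()):
    """IPs with at least `threshold` trigger failures inside any `window`.

    Whitelisted IPs are never returned, matching the suggestion in the thread
    that a whitelisted IP should drop out of the block list automatically.
    """
    per_ip = defaultdict(list)
    for ev in failed_events(log_text):
        per_ip[ev["ip"]].append(ev["ts"])
    blocked = set()
    for ip, stamps in per_ip.items():
        if ip in whitelist:
            continue
        stamps.sort()
        # Sliding window: any `threshold` consecutive failures within `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                blocked.add(ip)
                break
    return sorted(blocked)


def sprayed_accounts(log_text, min_ips=3):
    """Usernames with failed logins from at least `min_ips` distinct IPs.

    This is the rotating-IP case from the thread: each IP fails once, so no
    per-IP threshold trips, but the target account shows the pattern.
    """
    ips_by_user = defaultdict(set)
    for ev in failed_events(log_text):
        if ev["action"] == "Login" and ev["details"]:
            ips_by_user[ev["details"]].add(ev["ip"])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    print("block:", ips_to_block(SAMPLE_LOG))
    print("sprayed accounts:", sprayed_accounts(SAMPLE_LOG))
```

On the sample, only the relay prober is blocked by the per-IP rule; the three login failures against "ace" come from three different addresses and only surface through the per-account view, which is the kind of consistent trigger the reply above asks for. Anything this produces should be appended to the per-service Blocked IPs list by a separate step, and the whitelist should be checked before every append rather than only at report time.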

