Over time, I'm seeing a pattern change in how hackers/botnets seem to behave, and it's largely evading what's been a pretty consistent set of antispam controls in AMS. Largely for spam mails, the included controls are already pretty sufficient; what I'm seeing a lot more of is attempts to login, and there's need to improve the toolset.
In the before-time, it used to be the same IPs that would hammer my server, or the same subnets, so repeated attempts by the same IP in short amounts of time were very common. More recently, there will be flurries of login attempts every few minutes by ranges of IPs such that the same IP doesn't try to brute force that often, bypassing a lot of the built-in tools. I have extended the anti-hammering 'remembering' buffer, but I think we need a few robust additions; I've used IPBan for some time with AMS with some success, but even there, the tools aren't quite as efficient as they could be.
Some suggestions for updates:
(1) allow an insta-ban of any unknown username, either domain-by-domain or across the server
Plenty of logins attempt unknown or bad addresses, and any failed attempt from an IP should be able to be banned immediately. Having an option to ban for X period of time and/or permanently would be helpful.
(2) allow bans of repeated username logins regardless of IP
These spurts of login attempts often come from several different IPs in a row using the same username or email address. I'd like to ban for X period of time and/or permanently when a failed login attempt for any known username occurs from X different IPs in Y amount of time. For my server, I would ban upon 2 failed login attempts from 2 or more different IPs w/i an hour of each other, as that's very very rarely ever going to occur.
(3) geo-banning
A useful part of IPBan is being able to instaban from IPs from certain countries; I'm never going to have people logging in from countries like Russia / China / etc. and it would be nice to cut out botnet IPs from a list of countries users are never going to be visiting
(4) third-party APIs
https://ipthreat.net for example is a list of submitted bad IPs not just for spamming but other bad-actor activities; if we could utilize lists like that that for logins the same way we can use Real-Time Blacklisting (or be able to use those APIs in RBL settings), that would help cut down a LOT of the chaff
(5) Add login check to the SpamTrap filter
currently AFAIK spamtrap email addresses will only trigger if an email is sent to them; it'd be nice to (a) be able to trigger on a login attempt using that address as well
Additional anti-spam options
4 posts • Page 1 of 1
Additional anti-spam options
by EKjellquist » Thu Oct 03, 2024 7:09 pm
- EKjellquist
- Posts: 96
- Joined: Tue Sep 09, 2014 10:40 pm
Re: Additional anti-spam options
by Code Crafters » Fri Oct 04, 2024 8:24 am
Thanks for your suggestions.
1. Anti-Hammering already allows blocking a single IP based on a number of failed login attempts within a period of time. You can just set the Max Failed Login Attempts for Angi-hammering in General settings to 1 to do this.
2. If you wanted to relax the example in point 1 by allowing more than 1 failed attempt but building accross several IPs, this could be done, but I'd imagin blocking after 1 failed attempt would be an adequate solution here too.
3. If we can find a reliable way of identifying countries from IP, we could add a new SPAM feature for this. We'd have to research it more. VPNs could still be used to mask IPs as coming from elsewhere though.
4. We'll look into ipthreat to see if it can be used by the existing RBLs feature in the future.
5. Again, I think this can be covered by Anti-Hammering. There is an option in General Settings -> Advanced which allows you to require all logins to be full email addresses rather than the default of usernames or email addresses; enabling this may help achieve what you're after.
In summary, points 3 and 4 are ones that we definitely don't support currently and would like to explore more. Please reply to debate the other points further if you wish though.
We're also working on finishing DKIM / DMARC right now and are be planning to have a new major release with these included in the next month or so. Hopefully, these will also help cut down SPAM. SPF controls which IPs can send for a domain, DKIM ensures that an email is digitally signed to authenticate the origin and also prevent modificiation of emails in transit. Testing will prove whether it's possible to be able to require all senders to have SPF and/or DKIM setup for mail to be accepted at all. Big email providers like Gmail and Yahoo are already requiring one or both of these to be accepted since February 2024. It is our hope that this will provide a very powerful SPAM prevention platform going forward.
1. Anti-Hammering already allows blocking a single IP based on a number of failed login attempts within a period of time. You can just set the Max Failed Login Attempts for Angi-hammering in General settings to 1 to do this.
2. If you wanted to relax the example in point 1 by allowing more than 1 failed attempt but building accross several IPs, this could be done, but I'd imagin blocking after 1 failed attempt would be an adequate solution here too.
3. If we can find a reliable way of identifying countries from IP, we could add a new SPAM feature for this. We'd have to research it more. VPNs could still be used to mask IPs as coming from elsewhere though.
4. We'll look into ipthreat to see if it can be used by the existing RBLs feature in the future.
5. Again, I think this can be covered by Anti-Hammering. There is an option in General Settings -> Advanced which allows you to require all logins to be full email addresses rather than the default of usernames or email addresses; enabling this may help achieve what you're after.
In summary, points 3 and 4 are ones that we definitely don't support currently and would like to explore more. Please reply to debate the other points further if you wish though.
We're also working on finishing DKIM / DMARC right now and are be planning to have a new major release with these included in the next month or so. Hopefully, these will also help cut down SPAM. SPF controls which IPs can send for a domain, DKIM ensures that an email is digitally signed to authenticate the origin and also prevent modificiation of emails in transit. Testing will prove whether it's possible to be able to require all senders to have SPF and/or DKIM setup for mail to be accepted at all. Big email providers like Gmail and Yahoo are already requiring one or both of these to be accepted since February 2024. It is our hope that this will provide a very powerful SPAM prevention platform going forward.
- Code Crafters
- Posts: 943
- Joined: Mon Sep 10, 2007 2:35 pm
Re: Additional anti-spam options
by EKjellquist » Wed Oct 09, 2024 6:24 pm
Blocking a single IP can be useful, but in my experience over the last 5-10 years, that's not how logins are being attempted; when we started with AMS in the mid-2000's, it WAS often the same IPs or the same subnet in short bursts, but that doesn't happen anymore. Now, you have much larger botnets using huge arrays of IPs all over the world, and anti-hammering as it works now doesn't really help much other than brute-force from a single IP. I have the memory time extended out to an entire 24 hours and it still barely catches much. I COULD put the threshold to 1, though there's a greater likelihood of actual-user bans, albeit very few users are logging in outside of mail apps that have saved credentials.
imo Geo-bans are worth it; we use IPBan for protecting various other services like RDC, and it easily identifies PTRs that are definitely in a specific country; most of the bad login attempts were from Russia/China and blocking them from logins cut out 90% of attempts, which still holds nearly a year later. VPNs CAN get around this, but in my experience, the malicious operators we're seeing aren't doing it that way.
Even if we had a feature to insta-ban any IP from a login attempt for a non-existing user, it'll really only work for so long until the more sophisticated operators eventually whittle down to the remaining known users, but it would still help. imo if a checkbox could be added to anti-hammering for something like 'trigger on unknown username', that would still help a lot.
imo Geo-bans are worth it; we use IPBan for protecting various other services like RDC, and it easily identifies PTRs that are definitely in a specific country; most of the bad login attempts were from Russia/China and blocking them from logins cut out 90% of attempts, which still holds nearly a year later. VPNs CAN get around this, but in my experience, the malicious operators we're seeing aren't doing it that way.
Even if we had a feature to insta-ban any IP from a login attempt for a non-existing user, it'll really only work for so long until the more sophisticated operators eventually whittle down to the remaining known users, but it would still help. imo if a checkbox could be added to anti-hammering for something like 'trigger on unknown username', that would still help a lot.
- EKjellquist
- Posts: 96
- Joined: Tue Sep 09, 2014 10:40 pm
Re: Additional anti-spam options
by Code Crafters » Thu Oct 10, 2024 9:26 am
Thanks for the feedback. We've added your feature requests to our list to be considered further in future updates.
- Code Crafters
- Posts: 943
- Joined: Mon Sep 10, 2007 2:35 pm
4 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 2 guests