Blocked IPs

[malcolmhum]

Could you look at a central register for Blocked ip's so, if an ip gets add to the block for IMAP, it will apply to SMTP and so on.
It would also be good, if IP's could automatically get added to the block list rather than searching for them in the logs and manually adding them.

If I am being stupid and it already exists let me know.

Malcolm

[EKjellquist]

Do you happen to have a website or access to one where you can get at the HTML at all? If so, you can make use of the Spamtrap filter which can effectively auto-add spammer IPs to an internal list that applies to SMTP. All you really need to do is create 'fake' addresses and embed them anywhere online where ordinary users couldn't possibly get to them; then they get hoovered up by bots, and you can be highly confident that anything that sends a mail to that address is spam / malware-laden, and the server will auto-add the offending IP.

Now, that said, you MIGHT have to clean out the list every several months or years, as sooner or later an IP might get snagged that ultimately goes back in the pool and becomes a legit sender, but that's pretty rare.

[Code Crafters]

We currently have separate Blocked IPs per listening service as often the ones attacking your SMTP aren't accessing your POP3 / IMAP4 / WebMail. However, you can edit the .ini files directly to copy a list from one service to another which would probably be sufficient, depending how often you update this Blocked IPs. We will consider adding a General Settings blocked list for all too.

If you can elaborate on how IPs can be auto-added (i.e. what are the triggers?) then we can consider this too.

[malcolmhum]

Hi
Thanks for the response.
In the logs, you can see instances of the system doing a denial, but they are persistently trying. Below are examples from the SMTP log.
If the files could be searched for certain failed actions then applied automatically to the block lists. If you found that an IP had been blocked that you did not want blocking then you could add it to the white list and then it would be auto removed from the block. You could have either a common master list or by service.
Both examples are very common. The login ones they are not tripping the anti hammering anymore as they are maybe trying a login from different ip's every 10 minutes or so and just rotating around until they get lucky.

Wed, 01 Mar 2017 14:08:18 -> 182.75.243.62 -> Success: Action=[Accept Connection], Details=[Port 25]
Wed, 01 Mar 2017 14:08:18 -> 182.75.243.62 -> Success: Action=[Received Hello], Details=[Host=nsg-static-62.243.75.182-airtel.com]
Wed, 01 Mar 2017 14:08:18 -> 182.75.243.62 -> Success: Action=[Received Sender], Details=[abdi@ganindo.com]
Wed, 01 Mar 2017 14:08:19 -> 182.75.243.62 -> Failed: Action=[Received Recipient], Details=[colm@vmsecure.co.uk: Relaying not permitted.]
Wed, 01 Mar 2017 14:08:19 -> 182.75.243.62 -> Success: Action=[Close Connection]

Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Close Connection]
Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Accept Connection], Details=[Port 25]
Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Received Hello], Details=[Host=[192.168.1.2]]
Wed, 01 Mar 2017 14:42:36 -> 5.237.147.185 -> Success: Action=[Starting Login], Details=[LOGIN authentication.]
Wed, 01 Mar 2017 14:42:37 -> 5.237.147.185 -> Failed: Action=[Login], Details=[ace]
Wed, 01 Mar 2017 14:42:42 -> 5.237.147.185 -> Success: Action=[Close Connection

[Code Crafters]

If the IPs change then it's not possible to block the IPs as easily. We would still need more information on what is the trigger to look for to take any action with a block list / SPAM filter. We need something consistent like the same IP doing some action repeatedly as with anti-hammering to block the IP.