SmarterMail 12.x Help

Abuse Detection

SmarterMail has several methods of preventing abuse and denial of service (DoS) attacks. The ones that can be configured are explained below. Any number of detection methods can be added.

To view the configurable abuse detection settings, click the security icon. Then expand the Advanced Settings folder and click Abouse Detection in the navigation pane. A list of abuse detection rules will load in the content pane and the following options will be available in the content pane toolbar:

  • New - Creates a new abuse detection rule.
  • Edit - Edits the selected abuse detection rule.
  • Delete - Permanently deletes the selected abuse detection rule(s).

To create a new abuse detection rule, click New in the content pane toolbar. The abuse detection settings will load in the content pane and the following options will be available:

Denial of Service (DoS) Prevention - Too many connections from a single IP address can indicate a Denial of Service (DoS) attack. Enable this option to block IPs that are connecting too often to the server. It is recommended that you whitelist any trusted IP addresses that may send out large mailing lists or make many connections if you enable this option.

  • Service - Select the service that will be monitored for this type of attack (POP/SMTP/IMAP/XMPP/LDAP).
  • Time Frame - The period of time in the past that is examined to determine if an IP address should be blocked. Too many connections in this period of time, and a block will be initiated.
  • Connections Before Block - The number of connections before a block is placed. It is common for several connections to be open at once from an IP address. Set this to a relatively high value so that you can catch DoS attacks while not impacting legitimate customers.
  • Time to Block - The number of minutes that a block will be placed once an IP hits the threshold.
  • Description - A friendly name or brief description of the rule.

Bad SMTP Sessions (Email Harvesting) - A bad session is any connection that ends without successfully sending a message. Many bad sessions usually indicate spamming or email harvesting. Leaving all of these options set to 0 (zero) will disable this type of abuse detection. It is recommended that you whitelist any trusted IP addresses that may send out large mailing lists if you enable this option.

  • Time Frame - The period of time in the past that is examined to determine if an IP address should be blocked. Too many bad sessions in this period of time, and a block will be initiated.
  • Bad Sessions Before Block - The number of bad sessions before a block is placed. A few bad sessions happen once in a while, for instance when a person sends an email to an email account that does not exist. It is not these people that you are targetting, but rather those that are attempting to compromise or harass your customers.
  • Time to Block - The number of minutes that a block will be placed once an IP hits the threshold.
  • Description - A friendly name or brief description of the rule.

Internal Spammer Detection and Notification - Enabling this feature in SmarterMail will alert an administrator whenever a multiple emails are received on the server of the same size.

  • Time Frame - The period of time in the past that is examined to determine if an alert should be sent. Too many duplicate emails in this period of time, and an alert will be sent.
  • Messages Before Notify - After this many duplicate messages are received within the time period specified, the email notification is sent.
  • Email to Notify - The administrator account to which the notification will be sent.
  • Description - A friendly name or brief description of the rule.

Password Brute Force by Protocol - A common ploy by spammers and hackers is attempting to guess passwords for users. Many times this entails continual log in attempts to an account using different passwords, each a bit different than the one before it. This thereby brute forcing the password.

  • Service - Select the service that will be monitored for this type of attack (POP/SMTP/IMAP/XMPP/LDAP).
  • Time Frame - The period of time in the past that is examined to determine if an log in attempt is a brute force attempt. Too many connections in this period of time, and a block will be initiated.
  • Connections Before Block - The number of failed log in attempts before the IP is blocked.
  • Time to Block - The number of minutes that a block will be placed once an IP hits the threshold.
  • Description - A friendly name or brief description of the rule.