IDS Rules
Through the use of SmarterMail's intrusion detection system (IDS), there are several methods for preventing abuse and denial of service (DoS) attacks on your mail server. For example, IDS rules (also known as abuse detection rules) can be configured to monitor a variety of activity on the mail server, including the number of connections coming from a single IP address, the number of messages sent within a specific timeframe, the number of login attempts and more. These rules allow SmarterMail to alert system administrators of suspicious behavior or take action to prevent the attack.
NOTE: IDS Rules will not block private (RFC 1918) IP addresses. An IP address in one of the following ranges is never blocked, so if client connections reach SmarterMail through an internal proxy or load balancer, the server only sees the proxy's private address and these rules cannot block individual remote clients:
- 10.*.*.*
- 172.16.*.* - 172.31.*.*
- 192.168.*.*
IDS Rules Overview
By default, SmarterMail offers several rules that are pre-configured upon installation and cover every protocol available. These rules cover the most common types of attacks against a mail server and include a Denial of Service rule, password brute force protection by email address and by IP, and password retrieval brute force protection. The following details can be seen for each entry in the list:
- Type - The type of Abuse Detection rule configured: Denial of Service (DoS), Password Brute Force by IP, Password Brute Force by Email, Password Retrieval Brute Force, Bad SMTP Sessions (Harvesting), Internal Spammer or Bounces Indicate Spammer.
- Action - The action to be taken when the rule is triggered.
- Time Frame - The period of time, in minutes, that is examined to determine if the rule's action should be triggered.
- Threshold - The threshold that is examined to determine if the rule's action should be triggered. For example, the number of messages sent, the number of connections made from an IP address, the number of bounce messages received, etc.
- Block Time - The number of minutes for which the IP address (or, for the sender-based rules, the user) is blocked once the threshold is hit. (NOTE: If the rule's Action is a notification only, this setting is ignored because no block occurs.)
- Description - A friendly name or brief description of the rule.
IDS Rules
To create a new Abuse Detection rule, click the New button. When adding or editing an entry, the following configuration settings will be available, based on the Detection Type chosen:
Denial of Service (DoS)
Too many connections from a single IP address can indicate a Denial of Service (DoS) attack. Enable this option to block IPs that are connecting too often to the server. It is recommended that you whitelist any trusted IP addresses that may send out large mailing lists or make many connections if you enable this option.
- Time Frame (Minutes) - The period of time, in minutes, that is examined to determine if an IP address should be blocked. Too many connections in this period of time, and a block will be initiated.
- Connections Before Block - The number of connections before a block is placed. It is common for several connections to be open at once from a single IP address, and an office or carrier NAT can put many users behind one address. Set this high enough that such legitimate sources are not blocked, while still catching a flood of connections from one attacker.
- Block Time (Minutes) - The number of minutes that a block will be placed once an IP address hits the threshold.
- Description - A friendly name or brief description of the rule.
Password Brute Force by IP
Attackers commonly try to guess users' passwords by submitting variations of common passwords against one or many accounts. This is a brute force attack. The attempts can come from a single IP address or from many; this rule counts failed attempts per source IP address.
- Time Frame (Minutes) - The period of time, in minutes, that is examined to determine if an IP address should be blocked. Too many failed logins from one IP address in this period of time, and a block will be initiated.
- Logins Before Block by IP - The number of failed login attempts from one IP address before it is blocked. Set this high enough that a user who mistypes a password a few times, or several users behind one NAT address, are not blocked, but low enough to stop a brute force attack.
- Block Time (Minutes) - The number of minutes that a block will be placed once an IP address hits the threshold.
- Description - A friendly name or brief description of the rule.
Password Brute Force by Email
A common ploy by spammers and hackers is attempting to guess the password for a particular account, especially a "generic" account like contact@, though it could be a well-known address belonging to a company CEO or other executive. This usually entails continual login attempts against that account with a different password each time, thereby attempting to "brute force" the password.
- Time Frame - The period of time, in minutes, that is examined to determine if the login attempts against an address are a brute force attempt. Too many failed logins against one email address in this period of time, and a block will be initiated.
- Logins Before Block by Email - The number of failed login attempts against a single email address before the IP making the attempts is blocked. Because the count is kept per email address rather than per source, this rule also catches distributed attacks that spread their attempts across many IP addresses to stay under the per-IP limit.
- Block Time (Minutes) - The number of minutes that a block will be placed once an IP address hits the threshold.
- Description - A friendly name or brief description of the rule.
Password Retrieval Brute Force
Another common type of attack is repeated use of the "Forgot Password" link. Password reset flows often lack controls that prevent a generic or attacker-controlled address from being used as the recovery address. SmarterMail's reset flow is designed so that this type of attack fails, but that doesn't keep attackers from trying. System administrators can also avoid this type of attack altogether by not allowing users to reset their own passwords or by using Active Directory authentication wherever possible.
- Time Frame - The period of time, in minutes, that is examined to determine if password retrieval requests are a brute force attempt. Too many recovery attempts from one IP address in this period of time, and a block will be initiated.
- Password Recoveries Before Block - The number of failed password recovery attempts before the IP is blocked.
- Block Time (Minutes) - The number of minutes that a block will be placed once an IP address hits the threshold.
- Description - A friendly name or brief description of the rule.
Bad SMTP Sessions (Harvesting)
A bad session is any connection that ends without successfully sending a message. Many bad sessions usually indicate spamming or email harvesting. Leaving all of these options set to 0 (zero) will disable this type of abuse detection. Note: It is recommended that you whitelist any trusted IP addresses that may send out large mailing lists if you enable this option.
- Time Frame - The period of time, in minutes, that is examined to determine if an IP address should be blocked. Too many bad sessions in this period of time, and a block will be initiated.
- Bad Sessions Before Block - The number of bad sessions before a block is placed. A few bad sessions happen once in a while, for instance when a person sends an email to a user that does not exist. It is not these people that you are targeting, but rather those that are attempting to compromise or harass your customers.
- Block Time (Minutes) - The number of minutes that a block will be placed once an IP address hits the threshold.
- Description - A friendly name or brief description of the rule.
Internal Spammer
Enabling this rule in SmarterMail will block or quarantine a user's outgoing mail, and alert an administrator, whenever a single sender delivers more than a set number of messages to external recipients during the specified time frame. This is the rule that catches a compromised mailbox being used to send spam from inside the server.
- Action - Choose whether to have a notification appear in the interface, block messages from the sender, or quarantine messages from the sender. NOTE: If system administrators prefer to have an email sent, a System Event should be created (Security category -> IDS Rule Triggered event type).
- Time Frame - The period of time, in minutes, that is examined to determine if the rule triggers. Too many messages from a single sender in this period of time, and the notification is issued and the chosen Action is performed.
- Messages Before Notify - The number of messages a single sender may deliver within the time frame before the notification is issued and the chosen Action is performed.
- Block Time (Minutes) - The number of minutes that the sender is blocked or quarantined once the threshold is hit. (NOTE: If the Action is a notification only, this setting is ignored as no block occurs.)
- Notify Email - The email address of the administrator to which the notification will be sent.
- Description - A friendly name or brief description of the rule.
Bounces Indicate Spammer
Enabling this rule in SmarterMail will block or quarantine a user's outgoing mail, and alert an administrator, after a set number of bounce messages are returned to that sender within the specified time frame. A sudden burst of bounces usually means a compromised account is sending to harvested or guessed addresses.
- Action - Choose whether to have a notification appear in the interface, block messages from the sender, or quarantine messages from the sender. NOTE: If system administrators prefer to have an email sent, a System Event should be created (Security category -> IDS Rule Triggered event type).
- Time Frame - The period of time, in minutes, that is examined to determine if the rule triggers. Too many bounces returned to a single sender in this period of time, and the notification is issued and the chosen Action is performed.
- Bounce Threshold - The number of bounce messages received for a single sender within the time frame before the notification is issued and the chosen Action is performed.
- Block Time (Minutes) - The number of minutes that the sender is blocked or quarantined once the threshold is hit. (NOTE: If the Action is a notification only, this setting is ignored as no block occurs.)
- Notify Email - The email address of the administrator to which the notification will be sent.
- Description - A friendly name or brief description of the rule.
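All of the rules above share one mechanism: a Threshold counted per IP address or per account over a sliding Time Frame, a Block Time applied when it is hit, the private-IP exemption noted at the top of the page, and the notify-only Action that never blocks. The Python model below is an added illustration of that mechanism and is not SmarterMail code. The event kinds, rule thresholds, addresses and accounts are constructed for the example, and the assumption that a rule's counter restarts after it fires is the example's own. It covers the Denial of Service, Password Brute Force by IP, Password Brute Force by Email and Internal Spammer rules.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Tuple

# The three ranges the page says IDS rules never block.
EXEMPT_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_exempt(ip: str) -> bool:
    return any(ip_address(ip) in net for net in EXEMPT_NETS)

@dataclass(frozen=True)
class Rule:
    description: str
    event: str              # event kind the Threshold counts (kind names are constructed)
    count_by: str           # "ip" or "account": what the count is kept per
    block: str              # "ip" or "account": what is blocked when the rule trips
    time_frame_min: int
    threshold: int
    block_min: int
    action: str = "block"   # "block", "quarantine" or "notify" (notify never blocks)

@dataclass(frozen=True)
class Event:
    t: int                  # seconds on a simulated clock
    kind: str
    ip: str
    account: str = ""

class Ids:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.blocks: Dict[Tuple[str, str], int] = {}    # (scope, target) -> expiry time

    def blocked_until(self, scope: str, target: str, now: int) -> Optional[int]:
        exp = self.blocks.get((scope, target))
        return exp if exp is not None and exp > now else None

    def feed(self, ev: Event) -> List[str]:
        # A currently blocked IP or account is refused before any counting happens.
        for scope, target in (("ip", ev.ip), ("account", ev.account)):
            if target and self.blocked_until(scope, target, ev.t):
                return [f"rejected: {scope} {target} is blocked"]
        decisions: List[str] = []
        for rule in self.rules:
            if rule.event != ev.kind:
                continue
            counted = ev.ip if rule.count_by == "ip" else ev.account
            win = self.windows[(rule.description, counted)]
            win.append(ev.t)
            cutoff = ev.t - rule.time_frame_min * 60
            while win and win[0] < cutoff:       # forget hits older than the Time Frame
                win.popleft()
            if len(win) < rule.threshold:
                continue
            win.clear()                           # assumption: the count restarts once the rule fires
            target = ev.ip if rule.block == "ip" else ev.account
            if rule.action == "notify":
                decisions.append(f"notify only ({rule.description}); Block Time ignored")
            elif rule.block == "ip" and is_exempt(target):
                decisions.append(f"exempt private IP {target} not blocked ({rule.description})")
            else:
                self.blocks[(rule.block, target)] = ev.t + rule.block_min * 60
                decisions.append(f"{rule.action} {rule.block} {target} for {rule.block_min} min ({rule.description})")
        return decisions

# Illustrative thresholds, kept low so the scenarios below stay short.
RULES = [
    Rule("Denial of Service", "connect", "ip", "ip", 1, 6, 10),
    Rule("Password Brute Force by IP", "login_fail", "ip", "ip", 10, 5, 60),
    Rule("Password Brute Force by Email", "login_fail", "account", "ip", 10, 8, 60),
    Rule("Internal Spammer", "sent", "account", "account", 5, 4, 30, action="notify"),
]

def demo() -> Dict[str, List[str]]:
    # Constructed traffic, one scenario per behaviour worth checking.
    ids, out = Ids(RULES), {}
    # A: one IP hammers one mailbox; the 5th failure inside 10 min blocks it for 60 min
    for i in range(5):
        last = ids.feed(Event(i * 10, "login_fail", "203.0.113.7", "alice@example.com"))
    out["A_fifth_failure"] = last
    out["A_during_block"] = ids.feed(Event(50, "login_fail", "203.0.113.7", "alice@example.com"))
    out["A_after_block"] = ids.feed(Event(40 + 60 * 60 + 1, "connect", "203.0.113.7"))
    # B: 4 IPs, 2 failures each, stay under 5 per IP; the mailbox reaches 8 and the
    #    by-Email rule blocks only the IP that made the 8th attempt
    for n in range(8):
        last = ids.feed(Event(100 + n * 5, "login_fail", f"198.51.100.{n // 2 + 1}", "ceo@example.com"))
    out["B_eighth_failure"] = last
    out["B_first_ip_still_ok"] = ids.feed(Event(140, "connect", "198.51.100.1"))
    # C: a private address trips the DoS threshold but is exempt from blocking
    for i in range(6):
        last = ids.feed(Event(200 + i, "connect", "10.0.0.5"))
    out["C_private_ip"] = last
    # D: Internal Spammer set to notify: an alert is raised, nothing is blocked
    for i in range(4):
        last = ids.feed(Event(300 + i, "sent", "192.168.1.20", "bob@example.com"))
    out["D_notify"] = last
    out["D_still_sending"] = ids.feed(Event(304, "sent", "192.168.1.20", "bob@example.com"))
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run the module, or call demo(), to see the decision each scenario produces. Scenario B is the one worth studying: four addresses making two failures each never reach the per-IP limit, but the per-address count still reaches its threshold, which is why both brute force rules are worth keeping enabled. To check a live configuration, build Event objects from your server's own failed-login log entries, set RULES to the thresholds you have configured, and confirm that feed() reports a block where you expect one.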
Resetting IDS Rules to Their Defaults
If your rules have been changed to the point where you'd rather start over, it's easy to reset them back to their "factory defaults". Simply select Reset IDS Rules from the Actions (⋮) dropdown. When you do, all existing rules, including any custom ones, are replaced with the default configuration that's available upon fresh installation of SmarterMail, so export your current rules first if you may want them back. It's then possible to start re-configuring as needed.
Importing/Exporting Settings
SmarterMail's administration is entirely web-based, and many administrator settings, IDS rules included, can be exported from one installation and imported into another. This makes it easy to keep a consistent set of security settings, antispam settings, and more across all of the SmarterMail servers in use. The options for importing or exporting IDS rules are available from the Actions (⋮) dropdown.
When exporting your rules, the settings are saved as a JSON file to the location specified in File Explorer. When importing files, a modal window opens and the corresponding JSON file can be dragged-and-dropped right in the modal or the file can be selected using File Explorer.