IDS Blocks
System administrators can use this section to review all IP addresses that have been blocked by the mail server as a result of any IDS (abuse detection) rules that have been configured in SmarterMail's Security area. As a result of these rules, SmarterMail will monitor the server and keep track of all IP addresses that are currently being blocked for SMTP, IMAP, POP, LDAP, XMPP, Webmail or for potential email harvesting abuse. System administrators can view a list of blocked IPs by abuse type or view all blocked connections at one time.
The following information is displayed for each block:
- Source - The IP address that tripped the IDS rule. NOTE: The use of VPNs and proxies mean that the Source of the intrusion may not be the actual origination of the intrusion.
- Time Left - The time remaining for the specific block. When setting up IDS rules, system administrators can attach time limits for each type of block. Time Left offers a countdown timer based on what is set by the system administrator.
- Country - The country of origin for the Source IP.
- Type - The type of intrusion detection rule that was triggered.
- Action - The action taken against the IP address. For example, whether it's blocked or blacklisted.
- Rule Description - The description of the Rule Type as provided by the system administrator when the Rule was created.
- Blocks in 30 Days - The number of times a particular source has triggered an IDS rule in the previous 30 days.
System administrators can remove the selected Source IP(s) from the list by selecting the IP(s) and selecting Unblock from the Actions (⋮) menu. However, this does not affect the abuse detection rule that blocked the IP in the first place; it only removes the block from the IP or range. If the system administrator feels the block is warranted, and should be enforced past the Time Left, they can Blacklist the IP.
Blacklisting an Entire Class C
Generally, a single IP will trip a specific IDS rule. However, if that IP address is from a problematic locale, system administrators can decide to blacklist the entire Class C range for the specific IP address that was blocked. In order to do this, simply select the IP address then select Blacklist from the Actions (⋮) menu. (Alternatively, you can right-click on an IP address and select "Blacklist" from the context menu.) A modal will appear and the system administrator can manually toggle the block for the entire Class C or simply elect to blacklist the single IP address. NOTE: At least ONE IP address from a range is required in order to blacklist an entire Class C.