Forum Newbie (Group: Forum Members, Last Login: 6/26/2008 12:07:52 PM, Posts: 1, Visits: 5)
Running the latest IMail version, 10.00.
Several clients have called saying they can receive email, but they can't send out email. (All their PCs typically appear as the same IP address via their firewall or router.) After investigating, we find that their IP address got into the Control Access list for various reasons (like they set up a new workstation and forgot to set "my smtp server requires authentication"). Therefore, that one mistake causes all of their users on that shared IP to be denied access.
That's fine, but the problem is that even if they correct their problem, they remain in the Control Access list forever.
After going through this with several clients, I cleared the Control Access list. Later, I checked the log for a new "max errors exceeded" event so I could monitor how long the blocked address stayed in the control access list. Below are relevant log entries.
06:19 12:35 SMTPD(8ac6019300000c9c) [189.156.142.216] max errors exceeded, address will be denied future connections for 5 minutes
06:19 12:47 SMTPD(8d9d01be00001536) Denied access from 189.156.142.216
It seems that the “Minutes To Deny Access” is not honored in Dictionary Attack Settings. The above IP address should have been removed after 5 minutes according to my settings. The "denied access" is already 12 minutes later...
My settings are:
Dictionary Attack Settings
Max Invalid Recipients Per Session: 3
Soft Error Limits: 3
Hard Error Limit: 2
Minutes To Deny Access: 5
Error Delay Seconds: 10
Am I missing something? Anyone else experiencing this?
Best Regards
Mike Higgins
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x14 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
Time Traveler (Group: Forum Members, Last Login: 6/26/2008 10:36:51 AM, Posts: 143, Visits: 119)
Okay, it's now confirmed. The Dictionary Attack feature in V10 is totally broken.
Through systematic testing (turning off all features, and then turning on ONE at a time) I found (and reported to IPswitch as a bug) that these settings:
Max Invalid Recipients Per Session: 3
Soft Error Limits: 0
Hard Error Limit: 0
Minutes To Deny Access: 5
Error Delay Seconds: 10
Auto-Deny Hack Attempts: On
a) will disconnect after 3 bad recipients (that's the ONLY thing that works)
b) will NOT add the IP address to the "deny access" list
c) I can't confirm that the 10 second delay works, because IPswitch has yet to figure out how to add seconds to the LOG files. I have a few pages full of log entries per minute...
IF you turn on "Soft Error Limits", and set it to any value (let's say 5), then it:
a) will log a different error after the FIRST bad recipient
b) will immediately add the IP address to the PERMANENT deny list
c) will NOT remove the IP address after 5 minutes (or ANY amount of time)
d) will do that EVEN if you configure minutes to "0".
The net effect is that anyone who EVER sends email to ONE bad email address is banned from your server forever - which does a nice job in reducing your mail volume to next to nothing VERY quickly.
Basically - with Version 10, IMail is fully vulnerable to dictionary attacks because its key defense (a controlled, time-limited block of suspect IP addresses) is NO LONGER FUNCTIONAL.
Although they originally kept claiming that they couldn't reproduce it with my settings, I finally peppered them with enough log files that they are now acknowledging the situation and working on fixing this. THEY are recommending that in the meantime we should all run WITHOUT dictionary attack defenses being turned on!
Best Regards, Andy Schmidt
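An added example, not part of either post and not Ipswitch code: a log check for the behaviour described in this thread, flagging every "Denied access" entry that appears after the deny window announced in the "max errors exceeded" line should have expired. It assumes the two leading log fields are MM:DD and HH:MM, and that the year (absent from the log) is 2008; the 12:37 line and its session id are constructed.

```python
import re
from datetime import datetime

# The two log lines quoted in the first post, plus one constructed denial
# (12:37, made-up session id) that falls inside the 5-minute window.
SAMPLE_LOG = """\
06:19 12:35 SMTPD(8ac6019300000c9c) [189.156.142.216] max errors exceeded, address will be denied future connections for 5 minutes
06:19 12:37 SMTPD(0000000000000001) Denied access from 189.156.142.216
06:19 12:47 SMTPD(8d9d01be00001536) Denied access from 189.156.142.216
"""

# Assumed layout: MM:DD HH:MM SMTPD(session-id) message
STAMP = r"(\d\d):(\d\d) (\d\d):(\d\d) SMTPD\(\w+\) "
BLOCK_RE = re.compile(STAMP + r"\[([\d.]+)\] max errors exceeded, address will be "
                      r"denied future connections for (\d+) minutes")
DENY_RE = re.compile(STAMP + r"Denied access from ([\d.]+)")


def _when(match, year):
    """Build a datetime from the four timestamp groups of a matched line."""
    month, day, hour, minute = (int(g) for g in match.groups()[:4])
    return datetime(year, month, day, hour, minute)


def overdue_denials(log_text, year=2008):
    """Return (ip, minutes_since_block, promised_minutes) for each denial
    logged after the announced deny window should have expired."""
    blocks = {}      # ip -> (time of block, promised minutes)
    findings = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            # A fresh block event restarts the window for that address.
            blocks[m.group(5)] = (_when(m, year), int(m.group(6)))
            continue
        m = DENY_RE.match(line)
        if m and m.group(5) in blocks:
            blocked_at, promised = blocks[m.group(5)]
            elapsed = int((_when(m, year) - blocked_at).total_seconds() // 60)
            # The log has minute resolution only, so allow one minute of slack.
            if elapsed > promised + 1:
                findings.append((m.group(5), elapsed, promised))
    return findings


if __name__ == "__main__":
    for ip, elapsed, promised in overdue_denials(SAMPLE_LOG):
        print(f"{ip}: still denied {elapsed} min after a {promised}-minute block")
```

Any finding means an address is still being refused past its configured "Minutes To Deny Access", so the Control Access list needs manual review for legitimate clients on shared IPs.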