Mailing List CGatePro@mail.stalker.com Message #105720
From: Brian Turnbow <b.turnbow@twt.it>
Subject: RE: IP blocking
Date: Thu, 16 Jul 2015 14:22:00 +0200
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: E-box Connector 4.2.66-171
Hi Shaun,

Null routed addresses do not constitute an error (afaik), so they are not counted.
You can set up a route record to spamtrap:
<littleannie@mydomain> = spamtrap

That will make it trigger.

There is also a script from niversoft that sorts logs and blacklists dictionary attack IPs that could help.

Regards

Brian


Brian Turnbow
Network Manager
TWT S.p.A.

> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Shaun Gamble
> Sent: Thursday, 16 July 2015 04:04
> To: CommuniGate Pro Discussions
> Subject: IP blocking
>
> CGP 6.1.2 x64  Windows 2012
>
> Block after 5 failed logins in 5 minutes
>                      5 protocol errors in 10 minutes
>
> Blocking time 2 hours
> Blocked Address Limits 30000
>
> Why is this IP not being blocked? I have had dictionary attacks through SMTP,
> POP and SIP for the last week. Either I have a setting incorrect somewhere or
> CGP is not doing its job. This IP kept up this attack for
> 10 minutes. The originator was switching IPs it was using every 10 minutes. So
> entering the IP manually into the denied IP address is too late and a waste of
> time. It needs to occur when the attack is occurring. The blocking time can be
> increased if they use the same IP again.
>
> Below is a very small sample from the log.
>
> 20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:04.448 1 POP-232734([122.155.16.155]:54604) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:54604->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:05.206 1 POP-232735([122.155.16.155]:54720) failed to open
> ACCOUNT(littleannie) for [122.155.16.155]:54720->[myip]:110. Error
> Code=account is routed to NULL
> 20:24:05.917 1 POP-232736([122.155.16.155]:54844) failed to open
> ACCOUNT(liu) for [122.155.16.155]:54844->[myip]:110. Error Code=account is
> routed to NULL
> 20:24:06.639 1 POP-232737([122.155.16.155]:54960) failed to open
> ACCOUNT(liu) for [122.155.16.155]:54960->[myip]:110. Error Code=account is
> routed to NULL
> 20:24:07.366 1 POP-232738([122.155.16.155]:55058) failed to open
> ACCOUNT(liu) for [122.155.16.155]:55058->[myip]:110. Error Code=account is
> routed to NULL
> 20:24:08.087 1 POP-232739([122.155.16.155]:55160) failed to open
> ACCOUNT(liu) for [122.155.16.155]:55160->[myip]:110. Error Code=account is
> routed to NULL
> 20:24:08.824 1 POP-232740([122.155.16.155]:55276) failed to open
> ACCOUNT(liu) for [122.155.16.155]:55276->[myip]:110. Error Code=account is
> routed to NULL
> 20:24:09.502 1 POP-232741([122.155.16.155]:55375) failed to open
> ACCOUNT(liu) for [122.155.16.155]:55375->[myip]:110. Error Code=account is
> routed to NULL
>
> The above IP does not ever get blocked.
>
> When the attack finds a legit email address and tries to use the password to
> authenticate, then the IP blocking occurs (different IP address as it had
> switched, very small portion of the log which occurs for about 10 minutes):
>
> 23:30:12.656 1 POP-238481([159.226.89.27]:40626) failed to open
> ACCOUNT(mail) for [159.226.89.27]:40626->[myip]:110. Error Code=account
> is routed to NULL
> 23:30:13.985 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:41212
> failed. Error Code=incorrect password
> 23:30:22.695 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:42318
> failed. Error Code=incorrect password
> 23:30:31.377 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:43885
> failed. Error Code=incorrect password
> 23:30:40.054 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:45466
> failed. Error Code=incorrect password
> 23:30:43.519 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:46196
> failed. Error Code=incorrect password
> 23:30:48.860 1 POP-238539([159.226.89.27]:46196) [159.226.89.27]
> temporarily blocked on login failure
>
> Yay but 10 minutes too late and the attacker now knows a legit email address
> to try. It shouldn't be able to get to this stage. What am I missing??
>
> Another question which may be a better solution: I do not require POP access
> from IPs other than client IPs. So how do I block POP connections from
> non-client IPs?
>
> --
>
> Shaun
> Fitzroy Island <http://www.fitzroyisland.com> Destination Darwin NT
> <http://www.destinationnt.com> MOM Backpackers
> <http://www.momdarwin.com> Value Inn Hotel
> <http://www.valueinn.com.au> Please do not send any unsolicited email. It is
> not wanted.
>
>
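One way to do the kind of log sorting Brian mentions, as an added example that is not part of this thread and not the niversoft script: a Python sliding-window counter over the two CommuniGate Pro failure-line formats quoted above. It assumes time-of-day-only timestamps as in the quoted lines (a window spanning midnight is not handled), the sample lines are constructed with documentation addresses, and the function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the CommuniGate Pro log format quoted in the thread
# (documentation addresses, not the ones from the post).
SAMPLE_LOG = """\
20:24:00.938 1 POP-232729([192.0.2.10]:53698) failed to open ACCOUNT(littleannie) for [192.0.2.10]:53698->[myip]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([192.0.2.10]:54214) failed to open ACCOUNT(littleannie) for [192.0.2.10]:54214->[myip]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([192.0.2.10]:54307) failed to open ACCOUNT(liu) for [192.0.2.10]:54307->[myip]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([192.0.2.10]:54409) failed to open ACCOUNT(liu) for [192.0.2.10]:54409->[myip]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([192.0.2.10]:54499) failed to open ACCOUNT(liu) for [192.0.2.10]:54499->[myip]:110. Error Code=account is routed to NULL
23:30:12.656 1 POP-238481([198.51.100.7]:40626) failed to open ACCOUNT(mail) for [198.51.100.7]:40626->[myip]:110. Error Code=account is routed to NULL
23:30:13.985 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:41212 failed. Error Code=incorrect password
23:30:22.695 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:42318 failed. Error Code=incorrect password
23:30:31.377 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:43885 failed. Error Code=incorrect password
23:30:40.054 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:45466 failed. Error Code=incorrect password
23:30:43.519 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:46196 failed. Error Code=incorrect password
"""

HEAD_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \d+ (.*)$")
# null-routed (unknown) account, then real account with a wrong password
NULL_RE = re.compile(r"failed to open ACCOUNT\([^)]*\) for \[([\d.]+)\]:\d+.*Error Code=(.+)$")
LOGIN_RE = re.compile(r"ACCOUNT\([^)]*\) login\(\w+\) from \[([\d.]+)\]:\d+ failed\. Error Code=(.+)$")

def parse_failure(line):
    """(time, client_ip, error_code) for a login-failure line, else None; time of day only."""
    m = HEAD_RE.match(line)
    hit = m and (NULL_RE.search(m.group(2)) or LOGIN_RE.search(m.group(2)))
    if not hit:
        return None
    return datetime.strptime(m.group(1), "%H:%M:%S.%f"), hit.group(1), hit.group(2).strip()

def find_blocks(log, counted, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count per client IP -> {ip: time the threshold was reached}."""
    recent, blocked = defaultdict(deque), {}
    for line in log.splitlines():
        ev = parse_failure(line)
        if ev is None:
            continue
        ts, ip, err = ev
        if ip in blocked or err not in counted:  # only the error codes the policy counts
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked
```

Counting only "incorrect password" reproduces what Shaun saw: the null-routed probe is never blocked and the second address is blocked only on its fifth bad password. Adding "account is routed to NULL" to the counted set blocks the probe on its fifth attempt, about three seconds in.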