Mailing List CGatePro@mail.stalker.com Message #105722
From: Shaun Gamble <listrdr@redco.com.au>
Subject: Re: IP blocking
Date: Fri, 17 Jul 2015 15:11:58 +1000
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Thanks Brian. I'm now utilising Niversoft's script. Unfortunately, it appears this script only adds the IP to the BlackListed IP list. Adding it to the temporary denied list is what I am after. This is getting me closer, so thank you.

On 16/07/2015 10:22 PM, Brian Turnbow wrote:
Hi Shaun,

Null-routed addresses do not constitute an error (AFAIK), so they are not counted.
You can set up a route record to spamtrap:
<littleannie@mydomain> = spamtrap

That will make it trigger.

There is also a script from Niversoft that sorts logs and blacklists dictionary-attack IPs that could help.

Regards

Brian


Brian Turnbow
Network Manager
TWT S.p.A.

-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
Behalf Of Shaun Gamble
Sent: Thursday, 16 July 2015 04:04
To: CommuniGate Pro Discussions
Subject: IP blocking

CGP 6.1.2 x64, Windows 2012

Block after: 5 failed logins in 5 minutes
             5 protocol errors in 10 minutes

Blocking time: 2 hours
Blocked Address Limits: 30000

Why is this IP not being blocked? I have had dictionary attacks through SMTP,
POP and SIP for the last week. Either I have a setting incorrect somewhere or
CGP is not doing its job. This IP kept up this attack for 10 minutes. The
originator was switching the IPs it was using every 10 minutes, so entering
the IP manually into the denied IP address list is too late and a waste of
time. It needs to occur while the attack is occurring. The blocking time can
be increased if they use the same IP again.

Below is a very small sample from the log.

20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL
20:24:04.448 1 POP-232734([122.155.16.155]:54604) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54604->[myip]:110. Error Code=account is routed to NULL
20:24:05.206 1 POP-232735([122.155.16.155]:54720) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54720->[myip]:110. Error Code=account is routed to NULL
20:24:05.917 1 POP-232736([122.155.16.155]:54844) failed to open ACCOUNT(liu) for [122.155.16.155]:54844->[myip]:110. Error Code=account is routed to NULL
20:24:06.639 1 POP-232737([122.155.16.155]:54960) failed to open ACCOUNT(liu) for [122.155.16.155]:54960->[myip]:110. Error Code=account is routed to NULL
20:24:07.366 1 POP-232738([122.155.16.155]:55058) failed to open ACCOUNT(liu) for [122.155.16.155]:55058->[myip]:110. Error Code=account is routed to NULL
20:24:08.087 1 POP-232739([122.155.16.155]:55160) failed to open ACCOUNT(liu) for [122.155.16.155]:55160->[myip]:110. Error Code=account is routed to NULL
20:24:08.824 1 POP-232740([122.155.16.155]:55276) failed to open ACCOUNT(liu) for [122.155.16.155]:55276->[myip]:110. Error Code=account is routed to NULL
20:24:09.502 1 POP-232741([122.155.16.155]:55375) failed to open ACCOUNT(liu) for [122.155.16.155]:55375->[myip]:110. Error Code=account is routed to NULL

The above IP does not ever get blocked.

When the attack finds a legit email address and tries to use the password to
authenticate, then the IP blocking occurs (a different IP address, as it had
switched; a very small portion of the log, which continues for about 10 minutes):

23:30:12.656 1 POP-238481([159.226.89.27]:40626) failed to open ACCOUNT(mail) for [159.226.89.27]:40626->[myip]:110. Error Code=account is routed to NULL
23:30:13.985 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:41212 failed. Error Code=incorrect password
23:30:22.695 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:42318 failed. Error Code=incorrect password
23:30:31.377 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:43885 failed. Error Code=incorrect password
23:30:40.054 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:45466 failed. Error Code=incorrect password
23:30:43.519 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:46196 failed. Error Code=incorrect password
23:30:48.860 1 POP-238539([159.226.89.27]:46196) [159.226.89.27] temporarily blocked on login failure

Yay, but 10 minutes too late, and the attacker now knows a legit email address
to try. It shouldn't be able to get to this stage. What am I missing?

Another question, which may be a better solution: I do not require POP access
from IPs other than client IPs. So how do I block POP connections from
non-client IPs?

--

Shaun
Fitzroy Island <http://www.fitzroyisland.com>
Destination Darwin NT <http://www.destinationnt.com>
MOM Backpackers <http://www.momdarwin.com>
Value Inn Hotel <http://www.valueinn.com.au>
Please do not send any unsolicited email. It is not wanted.


#############################################################
This message is sent to you because you are subscribed to
   the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>
#############################################################

--

Shaun
Fitzroy Island <http://www.fitzroyisland.com>
Destination Darwin NT <http://www.destinationnt.com>
MOM Backpackers <http://www.momdarwin.com>
Value Inn Hotel <http://www.valueinn.com.au>
Please do not send any unsolicited email. It is not wanted.
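An added example, written for this thread and not part of the original messages, the Niversoft script or CommuniGate Pro itself. It parses log lines in the shape quoted above and applies a sliding-window "5 failures in 5 minutes" rule per source IP, first counting only "incorrect password" failures (which matches what the thread observes: the null-routed probes never trigger the block) and then also counting "account is routed to NULL" failures, an assumed stricter policy. The sample log is constructed after the quoted lines, with RFC 5737 documentation addresses in place of the real ones; the regexes, thresholds and the `probed_accounts` helper are this example's assumptions, not CGP behaviour.

```python
"""Apply a CommuniGate-style 'N failures in W seconds' rule to sample log lines.

Added example for this thread: not the Niversoft script and not CGP code.
Sample lines are constructed after the ones quoted in the thread, using
RFC 5737 documentation addresses instead of the real ones.
"""
import re
from collections import defaultdict, deque

# "failed to open ACCOUNT(...)": the account is unknown or routed to NULL,
# so no password was ever checked (assumed line shape, matched to the thread).
FAILED_OPEN = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) \d+ (?P<proto>[A-Z]+)-\d+'
    r'\(\[(?P<ip>[^\]]+)\]:\d+\) failed to open ACCOUNT\((?P<acct>[^)]*)\)'
    r' .*Error Code=(?P<err>.+)$')
# "login(...) failed": a real account, wrong password.
LOGIN_FAIL = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) \d+ ACCOUNT\((?P<acct>[^)]*)\)'
    r' login\((?P<proto>\w+)\) from \[(?P<ip>[^\]]+)\]:\d+ failed\.'
    r' Error Code=(?P<err>.+)$')

NULL_ROUTED = 'account is routed to NULL'
BAD_PASSWORD = 'incorrect password'


def parse_event(line):
    """Return a dict for a login-failure line, or None for anything else."""
    for rx in (FAILED_OPEN, LOGIN_FAIL):
        m = rx.match(line.rstrip())
        if m:
            h, mi, s = m.group('ts').split(':')
            return {'ts': m.group('ts'),
                    't': int(h) * 3600 + int(mi) * 60 + float(s),  # secs since midnight
                    'ip': m.group('ip'), 'proto': m.group('proto'),
                    'acct': m.group('acct'), 'err': m.group('err').strip()}
    return None


def detect_blocks(lines, threshold=5, window=300.0, count_null_routed=False):
    """Block an IP at the event that brings its countable failures within
    `window` seconds up to `threshold`. Returns {ip: timestamp of that event}.
    count_null_routed=False counts only bad passwords (what the thread sees);
    True also counts probes of unknown/null-routed accounts (assumed policy)."""
    countable = {BAD_PASSWORD} | ({NULL_ROUTED} if count_null_routed else set())
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev['err'] not in countable or ev['ip'] in blocked:
            continue
        q = recent[ev['ip']]
        q.append(ev['t'])
        while q and ev['t'] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ev['ip']] = ev['ts']
    return blocked


def probed_accounts(lines):
    """Map each source IP to the sorted non-existent/null-routed account names
    it tried; these are the candidates for a spamtrap route record."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev['err'] == NULL_ROUTED:
            seen[ev['ip']].add(ev['acct'])
    return {ip: sorted(names) for ip, names in seen.items()}


# Constructed sample, modelled on the quoted log; 192.0.2.10 stands for [myip].
SAMPLE_LOG = """\
20:24:00.938 1 POP-232729([198.51.100.7]:53698) failed to open ACCOUNT(littleannie) for [198.51.100.7]:53698->[192.0.2.10]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([198.51.100.7]:54214) failed to open ACCOUNT(littleannie) for [198.51.100.7]:54214->[192.0.2.10]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([198.51.100.7]:54307) failed to open ACCOUNT(littleannie) for [198.51.100.7]:54307->[192.0.2.10]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([198.51.100.7]:54409) failed to open ACCOUNT(littleannie) for [198.51.100.7]:54409->[192.0.2.10]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([198.51.100.7]:54499) failed to open ACCOUNT(liu) for [198.51.100.7]:54499->[192.0.2.10]:110. Error Code=account is routed to NULL
20:24:04.448 1 POP-232734([198.51.100.7]:54604) failed to open ACCOUNT(liu) for [198.51.100.7]:54604->[192.0.2.10]:110. Error Code=account is routed to NULL
23:30:12.656 1 POP-238481([203.0.113.9]:40626) failed to open ACCOUNT(mail) for [203.0.113.9]:40626->[192.0.2.10]:110. Error Code=account is routed to NULL
23:30:13.985 1 ACCOUNT(legituser) login(POP) from [203.0.113.9]:41212 failed. Error Code=incorrect password
23:30:22.695 1 ACCOUNT(legituser) login(POP) from [203.0.113.9]:42318 failed. Error Code=incorrect password
23:30:31.377 1 ACCOUNT(legituser) login(POP) from [203.0.113.9]:43885 failed. Error Code=incorrect password
23:30:40.054 1 ACCOUNT(legituser) login(POP) from [203.0.113.9]:45466 failed. Error Code=incorrect password
23:30:43.519 1 ACCOUNT(legituser) login(POP) from [203.0.113.9]:46196 failed. Error Code=incorrect password
23:30:48.860 1 POP-238539([203.0.113.9]:46196) [203.0.113.9] temporarily blocked on login failure
"""

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print('password failures only :', detect_blocks(lines))
    print('null-routed counted too:', detect_blocks(lines, count_null_routed=True))
    print('accounts probed        :', probed_accounts(lines))
```

With the default policy only 203.0.113.9 is ever blocked, at its fifth bad password; 198.51.100.7 never is, because none of its probes reached a password check. Counting the null-routed probes as well blocks 198.51.100.7 about three seconds into its run and moves the 203.0.113.9 block one event earlier, since its initial "mail" probe now counts. The `probed_accounts` output is the list of names one would consider routing to spamtrap so that CGP sees a countable trigger.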
