Country Authentication Restrictions
It seems that the Country Authentication Restrictions isn't working for me. One of the countries I have blocked, the Russian Federation, keeps attempting to brute force my server. I checked whatismyipaddress.com as well as MaxMind and they both say the same thing: the attacks are coming from the Russian Federation, which I have blocked. I have seen repeated attempts in the MailEnable message center.
Any help would be appreciated.
Thank you
Image from MagicSpam
Image from whatismyipaddress.com
Image from abuseipdb.com
Re: Country Authentication Restrictions
Hello Jason,
Thank you for contacting us.
Currently the Authentication Restrictions are only checked after a successful authentication attempt, which prevents compromised accounts from being abused to send outbound spam that may damage your server IP reputation. As such, brute-force attacks which do not successfully authenticate into the email account are not handled yet.
The good news is that the next release of MagicSpam will allow the authentication restrictions to be checked before the authentication attempt is made, such that bad actors will no longer be able to perform brute-force attacks. The next release is slated to come out in the next month or two.
Don't hesitate to let us know if you have any more questions or feedback.
-- MagicSpam Support Team --
Re: Country Authentication Restrictions
Thank you for the update. We had an issue last Saturday where an email account was breached by a brute force attack. I am not sure where it came from, but I have been banning IPs left and right. I have 60 IPs in my IP Blocklist as of right now and it will be longer by the end of the day. I have been manually editing the blocked_ips file and created a batch file to restart the MagicSpam services; it gets a little mundane to add each IP one at a time, and I am not sure I want to start banning netblocks just yet. Do you think it is better to just start banning the netblocks?
I have been pulling the data from the Messages.xml file from MailEnable, converting it to CSV and pulling out just the IPs. I then sort them and run a plug-in that I added to LibreOffice Sheets to remove duplicates, then I run the parsed IPs through Bulk Domain Blacklist Checker and find that all of them are on one of Spamhaus's lists. Then I add the IPs to the current list in the blocked_ips file and do the same as above to make sure there are no duplicates.
Also, would it just be better to create a rule in MailEnable to run before the MTA that blocks those IPs?
What are your thoughts? I am trying to offload most of the cycles from MailEnable to MagicSpam.
Thank you,
Jason
Re: Country Authentication Restrictions
Hey Jason,
Just to clarify that the volume of inbound spam to your server increased significantly after an email account was breached and you have been adding IPs to the MagicSpam Sender IP Blacklist (blocked_ips) to deal with it. Did we understand you correctly?
Firstly we want to make sure that you have changed the password of the breached email account to prevent further abuse. Additionally, you may want to review whether there are more mailboxes with weak passwords on your system by using the MailEnable Enforce password policy -- Check existing passwords feature.
You can definitely start banning netblocks, but we would recommend first performing a preliminary check with the MagicSpam logs to see whether legitimate email has come from them in the past. Navigate to the MagicSpam Logs page, set the IP Address filter to the netblock (e.g. 1.1.*) and perform a log search. Note that you can only add /16s in MagicSpam (e.g. 1.1.0.0 - 1.1.255.255) currently, and they must be added through the MagicSpam interface.
We are not certain what you mean by 'create a rule in MailEnable to run before the MTA', but MagicSpam already runs directly in the SMTP connector, way before the MTA connector. If you can provide us with more information, we may be better able to provide you with an answer on this matter.
Also note that you do not have to restart the MagicSpam service every time you update the blocked_ips file.
Thanks!
-- MagicSpam Support Team --
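The manual workflow described two posts up (extract the attacking IPs, sort, de-duplicate, merge into blocked_ips) and the /16 netblock advice in the reply above can be scripted. The following is an added example written for this thread, not code from MagicSpam or MailEnable: it assumes a constructed plain-text event format, since the layout of MailEnable's Messages.xml is not shown here, and the `min_failures` threshold and the `AUTH_FAIL` marker are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of authentication events (not real log data); the real
# MailEnable Messages.xml layout is not shown in the thread, so this format is assumed.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 AUTH_FAIL 203.0.113.10 user=alice
2024-01-01T10:00:03 AUTH_FAIL 203.0.113.10 user=alice
2024-01-01T10:00:09 AUTH_FAIL 203.0.113.77 user=bob
2024-01-01T10:01:15 AUTH_FAIL 198.51.100.5 user=carol
2024-01-01T10:02:40 AUTH_FAIL 203.0.113.10 user=dave
2024-01-01T10:03:00 AUTH_OK 192.0.2.8 user=alice
"""

# Constructed current contents of the blocked_ips file, one IP per line.
EXISTING_BLOCKED = ["198.51.100.5", "192.0.2.250"]


def failed_auth_ips(events: str) -> Counter:
    """Count AUTH_FAIL events per source IP; successful logins are ignored."""
    hits = Counter()
    for line in events.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "AUTH_FAIL":
            hits[str(ipaddress.ip_address(parts[2]))] += 1
    return hits


def offenders(hits: Counter, min_failures: int) -> list:
    """IPs that failed authentication at least min_failures times (assumed threshold)."""
    return sorted((ip for ip, n in hits.items() if n >= min_failures), key=ipaddress.ip_address)


def merge_blocklist(existing, new_ips) -> list:
    """Sorted, duplicate-free blocklist: the sort/de-duplicate step done by hand in the thread."""
    merged = {str(ipaddress.ip_address(ip)) for ip in existing} | {str(ip) for ip in new_ips}
    return sorted(merged, key=ipaddress.ip_address)


def netblock_candidates(ips, min_ips: int = 2) -> dict:
    """Group blocked IPs by /16 (the only netblock size MagicSpam accepts) and return
    blocks holding at least min_ips distinct sources; each candidate should still be
    checked against the MagicSpam logs for legitimate senders before it is added."""
    by_block = Counter(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips)
    return {block: n for block, n in by_block.items() if n >= min_ips}


if __name__ == "__main__":
    hits = failed_auth_ips(SAMPLE_EVENTS)
    merged = merge_blocklist(EXISTING_BLOCKED, offenders(hits, 1))
    print("\n".join(merged))  # new blocked_ips contents
    print(netblock_candidates(merged))  # /16s worth reviewing in the logs
```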
Re: Country Authentication Restrictions
Hello,
The inbound spam has been pretty bad as of late (especially brute force attacks), even before the breach, but since the breach it seems to be worse. It seems like most of it is coming from China, Russia, Bulgaria, and the Czech Republic; that is why I was using the Country Authentication Restrictions, but they didn't seem to work for what I wanted them to.
I have since created 4 rules in MailEnable, one for each country, and we have seen a significant drop in spam. I decided to check the logs and I am seeing a lot of SMTP denials, so I checked the IPs' locations and they are coming from those countries.
I am adding IPs mainly for spam-sending servers and compromised servers/networks here in the United States, and that has really helped as well.
After I was made aware of the breach I shut down the SMTP connector and locked the email account. Then I cleared out the SMTP queues; there were over 25,000 emails waiting to go out and 45,000 that had already been sent, and our sender score went from 80+ to 13. I had the user come up with a complex password, which I tested for strength, and turned the SMTP connector back on. I have been monitoring the account for a few days and everything seems to be good; I just have to get the sender score back up.
I may have misstated: I have set up rules in MailEnable's filter section that filter out IPs that come from the above-listed countries. We don't do any business in those countries, so we are not worried about it. Also, in the properties of the SMTP connector I have added IPs to the Inbound Access Control, and again I have been checking the logs; in combination with MagicSpam we are receiving very little spam and the brute force attacks are very few now. The brute force attacks were anywhere between 10 to 20 hits per IP and up to as many as 15 IPs per day.
I will continue to keep an eye on both MagicSpam's logs as well as MailEnable's for anything strange.
Thank you for letting me know that I don't have to restart the services for the blocked_ips file to reload, it's good to know that it loads live like the MailEnable Access Control.
Thank you for all your help
Jason
Re: Country Authentication Restrictions
Hey Jason,
Thank you for the additional information.
If the inbound spam from those countries (China, Russia, Bulgaria, Czech Republic) is bad, then you will want to consider adding them to the Sender Country Blacklist, especially when your user base never expects to receive any emails from there. Also note that the Country Authentication Restrictions do not have any effect on incoming email and are only taken into consideration for outgoing emails.
In regards to the high volume of emails sent from your server, the MagicSpam Outbound Rate Limiter should have been triggered, especially if most of those emails were sent from the compromised email accounts. How have you configured the outbound rate limiter, and how long did it take you to discover the compromised account?
Otherwise, it sounds like you have the situation under control now but don't hesitate to let us know if you have any other questions.
-- MagicSpam Support Team --
Re: Country Authentication Restrictions
Hello,
I guess I was confused, having a rough couple of weeks. I have removed the 4 countries from the "Country Authentication Restrictions" and added them to the "Sender Country Blacklist" instead.
As for the rate limit, I just have the default settings. Do you have a "best settings/setup" for MagicSpam?
Thank you for all your help,
Jason
Re: Country Authentication Restrictions
Hello JasonS,
Thank you for your post.
We are happy to hear that you have resolved the issue with Country Authentication Restrictions.
Our recommended Rate Limiter configuration is indeed what is already configured by default in MagicSpam. That said, as each server is different when it comes to spam or compromised accounts, you can adjust the number of messages allowed in the 5-minute window for incoming/outgoing emails as per your needs.
To do so, please review your MagicSpam logs to see the rate of any senders you are finding an issue with and adjust the Rate Limiter settings accordingly.
We hope this information helps.
Please let us know if you have any questions.
-- MagicSpam Support Team --
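The reply above suggests reviewing the logs for each sender's rate before tuning the 5-minute window. The following is an added example written for this thread, not MagicSpam's own rate limiter: it computes, from a constructed outbound log (the real MagicSpam log layout is not shown here, so the line format is assumed), the peak number of messages any authenticated sender sent within a sliding 5-minute window, which is the figure to compare against the configured limit. A compromised account queuing thousands of messages would show a peak far above normal users.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the 5-minute window mentioned in the reply

# Constructed outbound-message log: timestamp, direction, authenticated sender.
# The format is assumed; it is not the MagicSpam log layout.
SAMPLE_LOG = """\
2024-01-01 09:00:00 OUT sender=alice@example.com
2024-01-01 09:01:00 OUT sender=alice@example.com
2024-01-01 09:02:00 OUT sender=alice@example.com
2024-01-01 09:03:00 OUT sender=alice@example.com
2024-01-01 09:06:30 OUT sender=alice@example.com
2024-01-01 09:00:10 OUT sender=bob@example.com
2024-01-01 12:00:00 OUT sender=bob@example.com
"""


def parse_log(text: str) -> list:
    """Turn each log line into a (timestamp, sender) pair."""
    events = []
    for line in text.splitlines():
        date, time, _direction, sender = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), sender.split("=", 1)[1]))
    return events


def peak_rates(events, window: timedelta = WINDOW) -> dict:
    """For every sender, the highest message count observed in any span of `window` length.
    Events are processed in time order; a per-sender deque keeps only timestamps
    that fall inside the window ending at the current event."""
    peaks = {}
    recent = defaultdict(deque)
    for ts, sender in sorted(events):
        q = recent[sender]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that have aged out of the window
            q.popleft()
        peaks[sender] = max(peaks.get(sender, 0), len(q))
    return peaks


def over_limit(peaks: dict, limit: int) -> list:
    """Senders whose peak exceeds the configured per-window limit."""
    return sorted(s for s, n in peaks.items() if n > limit)


if __name__ == "__main__":
    peaks = peak_rates(parse_log(SAMPLE_LOG))
    for sender, n in sorted(peaks.items()):
        print(f"{sender}: peak {n} messages / 5 min")
    print("over limit (3):", over_limit(peaks, 3))
```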
Re: Country Authentication Restrictions
Thank you for all your help.
Jason
Re: Country Authentication Restrictions
Hello Jason,
You are very welcome! Feel free to let us know if you have any further questions.
-- MagicSpam Support Team --