Intrusion Prevention

Intrusion prevention (also known as tarpitting) allows you to block any IP address performing suspicious activities.

This option serves e.g.: as protection against spammers who are trying to spam your IceWarp Server accounts based on email address dictionary attacks or DoS (Denial of Service) ones.

Most of these rules do not affect authenticated users, except # of connections per minute and RSET (since authentication is lost when RSET command is sent).

There is an option to create a "bypass list" of IP addresses which will never be blocked.

Figure. Security level management: Intrusion Prevention tab.

General section

Field

Description

Process SMTP

Enables the feature for SMTP.

Process POP3/IMAP

Enables the feature for POP3/IMAP. Supported options are limited to ones included in the General section.

"B' (Bypass) button

Click the button to edit the standard Bypass file.
If the session is authenticated or comes from trusted IP, it is automatically bypassed even if bypass file is empty.

Note: Several of the conditions are evaluated in early stage of the SMTP session, when not enough information about the session is present.

e.g.:: The Local Sender condition can not bypass Block IP address that exceeded number of failed login attempts, because a sender is not known when authentication is done.

Block IP address that establishes number of connections in 1 minute

Check this option and specify a value.

In the above example an IP address that establishes 86 (or more) connections in one minute will be automatically blocked.

Block IP address that exceeded number of failed login attempts

IP address will be added to blocked list after unsuccessful login attempt which exceeds the number of failed attempts specified.

SMTP Specific rules section

Field

Description

Block IP address that exceeds unknown user delivery count

Check this option and specify a value.

When activated, the server will monitor all suspicious activities. If the number of activities from one server exceeds the threshold setting, this IP address will be blocked (denied access) for a specified amount of time.

In the above screenshot, an address will be blocked after it attempts to deliver 5 messages to unknown users.

Block IP address that gets denied for relaying too often

Check this option to automatically block addresses that attempt to relay through IceWarp Server more than the number of times specified.

Block IP address that exceeds RSET session count

Check this option and specify a value.

In the above example any connection that issues more than 5 RSET commands in one session will be blocked.

Block IP address that exceeds message spam score

Check this option and specify a value.

In the above example any IP address that delivers a message with a spam score higher than 5.5 will be automatically blocked.

Block IP address that gets listed on DNSBL

Check this option and any connection that is refused because it is on a DNSBL will also be blocked.

Block IP address that exceeds message size

Check this option to have the IP address blocked for any connection that attempts to deliver a message greater than the specified size.

Specify a value and choose Kilobytes, Megabytes or Gigabytes from the dropdown box.

Max number of parallel connections

If the number of connections coming from a particular IP address exceeds the limit set here, no more SMTP connections are accepted.

(This value is related to the MailServer.ParallelIPConnectionsLimit variable. Zero means no limit.)

Click the button to specify an IP address (or a range of IP addresses) where this limit is not applied.


Note: This check differs from the standard SMTP "maximum message size" check in that the connection is closed as soon as the size threshold is reached and the IP address blocked. This is useful for stopping potential bandwidth abusers who send large messages.

For example with the settings shown above, someone sends a 1GB message to one of your users. As soon as the system has received the first 100MB it will close the connection and block the IP address for 30 minutes. The sending SMTP server may try to re-send the message but it will be denied access until these 30 minutes are up, at which point the first 100MB will be accepted then the block happens again. Eventually the sending SMTP server will give up trying to send the message.

The effect on your server is that instead of having a high bandwidth usage for a 1GB duration it will have high bandwidth usage every 30 minutes for a 100MB duration until the sending server gives up, freeing your bandwidth for other send/receive operations in the meantime.

Action section

Field

Description

Amount of time for IP address to be blocked

Specify here how many minutes (hours, days) an IP address should be blocked for.

Refuse blocked IP address

Checking this option will store the blocked IP in a database and refuse any further connection attempts.

Note: It is meaningful (and recommended) to have checked at least one of following options: Refuse blocked IP address, Close blocked connection.

Close blocked connection

Check this option if you want to have closed immediately all intrusive connections from an IP address that has just been blocked. Other current connections from this IP are not closed.

All connections just incoming from this IP address are blocked for the time specified in the Amount of time ... field.

Close all other connections from the blocked IP immediately

Check this option if you want to have closed immediately all other intrusive connections from an IP address that has just been blocked.

Cross session processing

Check this option IceWarp Server to collect Intrusion Prevention stats across multiple sessions (connections) from the same server. Stats are accumulated over the time selected in Amount of time for IP address to be blocked. In the above example, connections from HostA would be collected and acted upon for 30 minutes.

There are some cases where using of this option is senseless. e.g.: Block IP address that exceeds message spam score, Block IP address that gets listed on DNSBL, Block IP address that exceeds message size. Contrary, the Block IP address that establishes number of connections in 1 minute option performs Cross session processing automatically.

Blocked IPs

Press this button to jump to the Intrusion Prevention queue, where you can manage blocked IP addresses.

Intrusion Prevention Reason Codes

Reason Code

Explanation

C

Tarpitting invoked via Content Filters

I

IP blocked for exceeding connections in one minute

M

IP blocked for delivering oversized message

R

IP blocked for exceeding RSET command count

D

IP blocked for being listed on DNSBL

A

The account that this message was sent to was a "tarpit" account so the sending IP is tarpitted

P

IP blocked for exceeding unknown user delivery count

Y

IP blocked for relaying

S

IP blocked for exceeding spam score in a message

U

IP blocked manually via IceWarp Server's console

L

IP blocked for too many failed login attempts