blackcapsteve
New Pleskian
Hi
One of my customers had an email address hacked. This resulted in my external SMTP provider suspending their account after 2,000 (good..) and 6,000 left in my outgoing queue.
The SMTP guys sent an email, and I immediately suspended all mail activity on the customer, and cleared the out queue. I then deleted the email address, and then rebuilt it. All of the customer's email addresses were then provided with ultra complex passwords.
I also invoked the 'only allowed to send x emails / hour' portion of the mail system. I tested this, and it works great. Now my system will stop the hack, report to me, long before the SMTP suspends me.
I decided (during the time when the email address was deleted) to examine in detail the mail log. Sure enough - there were hundreds/thousands of attempts to login and send using the email address.
I started to externally analyse my mail log (using self-written software) and came up with the IPs which were the main culprits, plus stats as to how many times they had tried to send mail through my server. The very bad boys were in the high hundreds.. so I entered them immediately into a STOP-IP rule.
Each night I process the day's mail log and anyone over 10 attempts gets blocked (this is purely because of the reason below) - On day one I had 80 over 10 - now it's usually 2.
It's working - every day the hits on my mailserver are reducing. I know it's retrospective.. I know that the bad boys will just use an IP address I haven't logged yet.. but it's making me feel I am doing something. I even found one IP which was a working website - I sent an email with a pdf log of the 181 attempts and it stopped (immediately).
Here's my question - I am having to add each IP address ONE AT A TIME. This is the bottleneck in my system. I am cutting and pasting from my To Be Blocked List.. but it's a chore.
Is there a way of loading multiple IP addresses into my Firewall?
regards
Blackcapsteve
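The nightly step the post describes (count failed logins per client IP in the mail log, block anyone over 10 attempts) can be turned into a script that produces the whole "To Be Blocked" list in one go, so the IPs are pasted into the firewall as a batch rather than one at a time. The code below is an added example and is not the poster's own software or anything shipped with Plesk; the two log-line shapes it matches (Postfix `SASL ... authentication failed` and Dovecot `auth failed ... rip=`), the sample log lines, and the one-address-per-line output format are assumptions. It also drops addresses that are already in the firewall so the same IP is not re-added night after night.

```python
"""Count failed SMTP/IMAP logins per client IP in a mail log and emit a
bulk block list (one address per line) for import into a firewall.
Added example: the regexes and the sample log lines are assumptions
about Postfix/Dovecot log formats, not captured from a real server."""
import re
from collections import Counter
from ipaddress import ip_address

THRESHOLD = 10  # the post's rule: "anyone over 10 attempts gets blocked"

# Two failed-authentication line shapes, assumed from Postfix and Dovecot defaults.
FAILED_AUTH = [
    re.compile(r"\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed"),  # postfix/smtpd
    re.compile(r"auth failed.*?\brip=(?P<ip>[0-9A-Fa-f.:]+)"),          # dovecot login
]


def extract_failed_ip(line):
    """Return the client IP of a failed-auth line, or None for any other line."""
    for pattern in FAILED_AUTH:
        m = pattern.search(line)
        if m:
            try:
                return str(ip_address(m.group("ip")))  # normalised; rejects junk
            except ValueError:
                return None
    return None


def count_failed_auth(lines):
    """Map client IP -> number of failed login attempts in the given lines."""
    counts = Counter()
    for line in lines:
        ip = extract_failed_ip(line)
        if ip:
            counts[ip] += 1
    return counts


def ips_over_threshold(counts, threshold=THRESHOLD):
    """IPs with strictly more than `threshold` failures, worst offender first."""
    hits = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def build_block_list(counts, already_blocked=(), threshold=THRESHOLD):
    """One address per line, skipping anything already in the firewall."""
    known = {str(ip_address(a)) for a in already_blocked}
    return "\n".join(ip for ip, _ in ips_over_threshold(counts, threshold)
                     if ip not in known)


def sample_log():
    """Constructed maillog lines (not real traffic) in Postfix/Dovecot style."""
    lines = []
    for _ in range(12):  # 12 failures from one IPv4 client: over the threshold
        lines.append("Mar  3 01:12:07 mail postfix/smtpd[2101]: warning: "
                     "unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")
    for _ in range(3):   # 3 failures: a typo-prone user, stays unblocked
        lines.append("Mar  3 02:40:11 mail postfix/smtpd[2188]: warning: "
                     "unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure")
    for _ in range(11):  # 11 IMAP failures from an IPv6 client: over the threshold
        lines.append("Mar  3 03:05:30 mail dovecot: imap-login: Disconnected (auth failed, "
                     "1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, "
                     "rip=2001:db8::10, lip=192.0.2.25")
    # An unrelated delivery line, which must be ignored by the counter.
    lines.append("Mar  3 03:06:00 mail postfix/smtp[2300]: 4F3A2: to=<bob@example.net>, "
                 "status=sent (250 OK)")
    return lines


if __name__ == "__main__":
    counts = count_failed_auth(sample_log())
    # Pretend 203.0.113.5 was already entered by hand last night.
    print(build_block_list(counts, already_blocked=["203.0.113.5"]))
```

Run against the real log with something like `count_failed_auth(open("/var/log/maillog"))` and keep the printed list in a file; the firewall then gets one batch import of that file in whatever bulk form it accepts, instead of a copy-and-paste per address. Raising `THRESHOLD` or feeding in yesterday's block list as `already_blocked` keeps the nightly delta small.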