Intrusion Prevention allows you to block any IP address that performs suspicious activities.
This option serves, for example, as protection against spammers who try to spam your IceWarp Email Server accounts using email address dictionary attacks, or against DoS (Denial of Service) attacks.
You can also create a "bypass list" of IP addresses that will never be blocked.

| Field | Description |
| --- | --- |
| Process SMTP | Enables the feature for SMTP. |
| Process POP3/IMAP | Enables the feature for POP3/IMAP. Supported options are limited to the ones included in the General section. |
| The "B" for Bypass button | Click here to edit the standard Bypass file. NOTE: Several of the conditions are evaluated at an early stage of the SMTP session, when not enough information about the session is available. For example, the condition Local Sender cannot bypass Block IP address that exceeded number of failed login attempts, because the sender is not yet known when authentication takes place. |
| Block IP address that establishes number of connections in 1 minute | Check this option and specify a value. In the above example an IP address that establishes 86 connections in one minute will be automatically blocked. |
| Block IP address that exceeded number of failed login attempts | The IP address will be added to the blocked list once its unsuccessful login attempts exceed the number of failed attempts specified. |

| Field | Description |
| --- | --- |
| Block IP address that exceeds unknown user delivery count | Check this option and specify a value. When activated, the server will monitor all suspicious activities. If the number of activities from one server exceeds the threshold setting, that IP address will be blocked (denied access) for a specified amount of time. In the above screenshot an address will be blocked after it attempts to deliver 5 messages to unknown users. |
| Block IP address that gets denied for relaying too often | Check this option to automatically block addresses that attempt to relay through IceWarp Server more than the number of times specified. |
| Block IP address that exceeds RSET session count | Check this option and specify a value. In the above example any connection that issues 5 RSET commands in one session will be blocked. |
| Block IP address that exceeds message spam score | Check this option and specify a value. In the above example any IP address that delivers a message with a spam score higher than 8.5 will be automatically blocked. |
| Block IP address that gets listed on DNSBL | Check this option and any connection that is refused because it is on a DNSBL will also be blocked. |
| Block IP address that exceeds message size | Check this option to have the IP address blocked for any connection that attempts to deliver a message greater than the specified size. Specify a value and choose Kilobytes, Megabytes or Gigabytes from the drop-down box. |

NOTE: This check differs from the standard SMTP "maximum message size" check in that the connection is closed as soon as the size threshold is reached, and the IP address is blocked. This is useful for stopping potential bandwidth abusers who send large messages. For example, with the settings shown above, someone sends a 1GB message to one of your users. As soon as the system has received the first 100MB it will close the connection and block the IP address for 4 hours. The sending SMTP server may try to re-send the message, but it will be denied access until the 4 hours are up, at which point the first 100MB will be accepted and then the block happens again. Eventually the sending SMTP server will give up trying to send the message. The effect on your server is that instead of having high bandwidth usage for a 1GB duration, it will have high bandwidth usage every 4 hours for a 100MB duration until the sending server gives up, freeing your bandwidth for other send/receive operations in the meantime.

| Field | Description |
| --- | --- |
| Amount of time for IP address to be blocked | Specify here how many minutes an IP address should be blocked for. |
| Refuse blocked IP address | Checking this option will store the blocked IP in a database and refuse any further connection attempts. NOTE: It is meaningful (and recommended) to have at least one of the following options ticked: Refuse blocked IP address, Close blocked connection. |
| Close blocked connection | Check this option if you want all intrusive connections from an IP address that has just been blocked to be closed immediately. Other current connections from this IP are not closed. All new incoming connections from this IP address are blocked for the time specified in the Amount of time ... field. |
| Cross session processing | Check this option to have IceWarp Server collect Intrusion Prevention stats across multiple sessions (connections) from the same server. Stats are accumulated over the time selected in "Amount of time for IP address to be blocked". In the above example connections from HostA would be collected and acted upon for 30 minutes. In some cases using this option makes no sense, e.g. Block IP address that exceeds message spam score, Block IP address that gets listed on DNSBL, Block IP address that exceeds message size. By contrast, the Block IP address that establishes number of connections in 1 minute option performs Cross session processing automatically. |
| Blocked IPs | Press this button to jump to the Intrusion Prevention queue, where you can manage your Blocked IP addresses. |
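
The effect of Cross session processing on a counter-based rule, as an added example (a simplified model written for this page, not IceWarp code). It replays constructed events against the unknown user delivery threshold of 5 and a 30 minute block time; the class and function names, the sliding-window expiry and the "block when the count reaches the threshold" rule are assumptions of the model.

```python
from collections import defaultdict, deque

class RuleModel:
    """Simplified model of one counter-based rule (not IceWarp's code)."""

    def __init__(self, threshold, block_minutes, cross_session):
        self.threshold = threshold
        self.block_seconds = block_minutes * 60
        self.cross_session = cross_session
        self.events = defaultdict(deque)  # counter key -> event timestamps
        self.blocked_until = {}           # ip -> time the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ip, session_id, now):
        """Count one suspicious event; return True if the IP is blocked."""
        if self.is_blocked(ip, now):
            return True
        # Cross session: one counter per IP. Otherwise: one per connection.
        key = ip if self.cross_session else (ip, session_id)
        window = self.events[key]
        window.append(now)
        # Assumption: stats older than the block time no longer count.
        while window and window[0] <= now - self.block_seconds:
            window.popleft()
        # Assumption: the block triggers when the count reaches the threshold.
        if len(window) >= self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            window.clear()
            return True
        return False

def first_block_time(events, cross_session, threshold=5, block_minutes=30):
    """Replay (ip, session_id, seconds) events; return when the IP is blocked."""
    model = RuleModel(threshold, block_minutes, cross_session)
    for ip, session_id, now in events:
        if model.record(ip, session_id, now):
            return now
    return None

# Constructed sample: one host, three sessions five minutes apart,
# two unknown-recipient delivery attempts per session.
SAMPLE = [("192.0.2.10", s, s * 300 + i) for s in range(3) for i in range(2)]

if __name__ == "__main__":
    print("per session:  ", first_block_time(SAMPLE, cross_session=False))
    print("cross session:", first_block_time(SAMPLE, cross_session=True))
```

A sender that stays under the threshold in every single connection is only caught when the counter is kept per IP address across sessions.
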
Intrusion Prevention Reason Codes

| Reason Code | Explanation |
| --- | --- |
| C | Tarpitting invoked via Content Filters |
| I | IP blocked for exceeding connections in one minute |
| M | IP blocked for delivering oversized message |
| R | IP blocked for exceeding RSET command count |
| D | IP blocked for being listed on DNSBL |
| A | The account that this message was sent to was a "tarpit" account so the sending IP is tarpitted |
| P | IP blocked for exceeding unknown user delivery count |
| Y | IP blocked for relaying |
| S | IP blocked for exceeding spam score in a message |
| U | IP blocked manually via console |
| L | IP blocked for too many failed login attempts |