Auto-ban - Fraudsters blocked

VadaDosaIdly
New user
Posts: 20
Joined: 2020-05-26 16:03

Auto-ban - Fraudsters blocked

Post by VadaDosaIdly » 2020-07-08 23:09

Hello,

I have Auto-ban set up on the hMailServer. It is working great. :)

My server detected and blocked over 25 different fraudulent attempts from various IP addresses in an almost 30-day period. Fraudsters were trying to use my mail server to send emails :evil: with domain accounts that do NOT exist on the server. I regularly look into the auto-ban list and uncheck the expiry date on the banned record. This way I make sure IP addresses are blocked permanently from future attempts.

Am I missing anything here :?: Please suggest.

johang
Senior user
Posts: 291
Joined: 2008-09-01 09:20

Re: Auto-ban - Fraudsters blocked

Post by johang » 2020-07-09 11:37

set the ban time for 1 year.. 2 years .. 3 years set 10 .. ? ( i have mine set for 1 year )

sometimes i go in and scroll the IP addresses .... and change some of them to .. C-nets .. or bigger span depending on what is registered with RIPE/ARIN/APNIC/AFRINIC ..

25 is not much .... when over 500 start thinking about "upping" the game and put the fraudulent IPs into the windows firewall
___________________________________________________________end of the line
spam filter appliance gateway: www.mailcleaner.org

RvdH
Senior user
Posts: 1089
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Auto-ban - Fraudsters blocked

Post by RvdH » 2020-07-09 11:49

The more auto-ban entries u have, the slower hMailServer gets.... why bother to set it to one year or more when next time the same address tries to login again it is automatically banned again?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

johang
Senior user
Posts: 291
Joined: 2008-09-01 09:20

Re: Auto-ban - Fraudsters blocked

Post by johang » 2020-07-09 12:29

i am not sure what your recommendations are ..
i will trade cpu cycles for security ...
when hmailserver is getting slow i will move "load" to the windows firewall.. if computer firewall is working too hard i will offload it by stopping unwanted ip-traffic further out in the network

@RvdH you are arguing that it is better to set autoban to .. (what setting) due to load perspective ? or keep under how many autoban entries ? or put them in firewall directly ?
Last edited by johang on 2020-07-09 12:38, edited 1 time in total.

jim.bus
Senior user
Posts: 425
Joined: 2011-05-28 11:49
Location: US

Re: Auto-ban - Fraudsters blocked

Post by jim.bus » 2020-07-09 12:37

This is funny.

Until recently I didn't have any Autobans for many many months and then recently I started out with a couple which after a long while grew to about 14 and then shrunk to 13 as Autobans started expiring. At the moment I seem stable at 13 Autobans.

I too set my Autoban Expiration at a large value.

RvdH
Senior user
Posts: 1089
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Auto-ban - Fraudsters blocked

Post by RvdH » 2020-07-09 13:08

Nowadays my auto-ban entries are no longer than 24h.... don't get me wrong i also used to ban them way longer in the past, but in the end of the day it doesn't matter, as the abusive IP addresses are simply automatically banned again if they visit again after the previous auto-ban is expired

It is a bit about finding the perfect trade-off, performance vs security
Some people here tend to ban abusive IPs indefinitely, but i still believe something that was an abusive IP in the past can be a non-abusive IP in (near) future, not to forget the IPs that might be added to auto-ban accidentally (faulty configured server for example, those can fix things later)

johang
Senior user
Posts: 291
Joined: 2008-09-01 09:20

Re: Auto-ban - Fraudsters blocked

Post by johang » 2020-07-09 13:25

@RvdH i get your point
i have around 100 fraudulent IPs asking 1 time per 24 hours .... ( clearly those bots are set up to avoid autobans, they usually ask from same subnet from other IPs during same 24 hours which also makes me guess it is not a bot .. but rather a bot-net working from a single database, i really do dislike it.. )

jim.bus
Senior user
Posts: 425
Joined: 2011-05-28 11:49
Location: US

Re: Auto-ban - Fraudsters blocked

Post by jim.bus » 2020-07-09 23:25

Which is why I have a somewhat lengthy Autoban expiration but it is not as long as the lengthy expiration dates indicated in this thread. Hopefully, it is long enough to deter those trying to avoid my Autoban function.

palinka
Senior user
Posts: 2012
Joined: 2017-09-12 17:57

Re: Auto-ban - Fraudsters blocked

Post by palinka » 2020-07-16 13:51

johang wrote:
2020-07-09 13:25

@RvdH i get your point
i have around 100 fraudulent IPs asking 1 time per 24 hours .... ( clearly those bots are set up to avoid autobans, they usually ask from same subnet from other IPs during same 24 hours which also makes me guess it is not a bot .. but rather a bot-net working from a single database, i really do dislike it.. )

My experience with my firewall ban project is that about 60% of bot traffic never returns.

I permanently firewall ban everything suspicious. The good thing is that parsing my firewall log gives me some good statistics, like the 60% info.

I don't mind banning permanently, because most of the bans are port 25 traffic. Most of that is infected corporate computers open to the internet. They're definitely not mail servers and extremely unlikely to ever be mail servers in the future.

And tomorrow is my firewall ban first birthday! 33k IPs banned and 1.3 million connections dropped. It's been a spectacular success by my (initially low) expectations. :mrgreen:

However, the real key to success is choosing criteria to ban, which is critical whether you're firewall banning, autobanning, simply disconnecting or whatever you decide is the best way. I have several different strategies for that and scripts from Soren and RvdH have been unbelievably helpful in blocking spammers.
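
The pattern johang describes in this thread (many addresses in one subnet, each trying about once per 24 hours and so staying under the per-IP auto-ban) can be surfaced from a connection log with a script like the one below. This is an added example, not code from any poster or from hMailServer; the log format, sample addresses, thresholds and function names are constructed assumptions, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client IP>" per failed login.
# This is NOT hMailServer's log format; adapt parse() to your own logs.
SAMPLE_LOG = """\
2020-07-09T01:10:00 203.0.113.5
2020-07-09T04:42:00 203.0.113.77
2020-07-09T09:15:00 203.0.113.140
2020-07-09T17:03:00 203.0.113.201
2020-07-09T02:00:00 198.51.100.9
2020-07-09T02:00:05 198.51.100.9
2020-07-09T02:00:09 198.51.100.9
2020-07-09T11:30:00 192.0.2.44
"""

def parse(log_text):
    """Yield (datetime, IPv4Address) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            stamp, ip = line.split()
            yield datetime.fromisoformat(stamp), ipaddress.ip_address(ip)

def subnet_candidates(events, per_ip_limit=3, min_distinct_ips=3,
                      window=timedelta(hours=24), prefix=24):
    """Return {network: sorted IPs} for subnets where several addresses each
    stay under the per-IP limit but together hit the server within `window`."""
    events = sorted(events, key=lambda e: e[0])
    if not events:
        return {}
    cutoff = events[-1][0] - window          # window ends at the newest event
    hits = defaultdict(lambda: defaultdict(int))   # network -> ip -> count
    for stamp, ip in events:
        if stamp >= cutoff:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            hits[net][ip] += 1
    result = {}
    for net, per_ip in hits.items():
        # "quiet" sources would never trip a per-IP auto-ban on their own
        quiet = [ip for ip, n in per_ip.items() if n < per_ip_limit]
        if len(quiet) >= min_distinct_ips:
            result[net] = sorted(quiet)
    return result

if __name__ == "__main__":
    for net, ips in subnet_candidates(parse(SAMPLE_LOG)).items():
        print(f"{net}: {len(ips)} low-rate sources, review before banning the range")
```

Before widening a ban to a flagged range, check its registration (RIPE/ARIN/APNIC/AFRINIC, as mentioned above), since a /24 can contain legitimate senders.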
