
To get to this page, go to Services → SMTP Server → IDS/IPS


The IDS (Intrusion Detection System) & IPS (Intrusion Prevention System) options in VPOP3 let VPOP3 detect and prevent 'bad' computers from connecting to it.

Intrusion Detection

The IDS component is most useful if linked with some other software which can parse the logs and either generate useful reports or update firewall rules dynamically.

The IDS component will optionally log 'suspicious' behaviour to a specified file (IDS Log Filename). Third party software can monitor this log file and do what you want it to do. Note that VPOP3 will not manage the size of this log file in any way, so you should have some other means of controlling its size. Often the IDS log parser software can empty/rotate the log file for you or there are programs like LogRotateWin which you can configure to do that for you.

The IDS Log Line Format tells VPOP3 how to format the data lines it writes to the IDS Log File. You can configure this to match a format supported by your log file parsing software. You can use replacements to indicate variable text.

%T = UTC timestamp in ISO8601 format

%I = the SMTP client's IP address (as seen by VPOP3)

%e = the IDS event number

%E = the IDS event text description

%D = extra event data

You can use a Lua script to customise the line format further, e.g. if the timestamp needs to be in a different format.


The IDS event numbers used by VPOP3 are:

0. SMTP authentication failure

1. Relay denied

2. Relay allowed (not bad in itself, but a large number may indicate an open relay or spambot, etc)

3. Bad local recipient

4. Good local recipient (not bad in itself, but a large number may indicate a spammer)

5. Message detected as spam

6. Message detected as containing a virus

7. SMTP Rule matched

8. Realtime DNS Blacklist match

9. SMTP Syntax error (commonly spam software is badly written, so these can happen if error handling is poor in the sending software)

10. Message is bigger than the maximum size limit specified in VPOP3

11. Message contained a filtered attachment

12. Message contained a partial attachment (these are often an indication of something trying to bypass virus scanners)

13. SPF Rejection

900. IP address blocked
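The help text above says that third-party software is expected to read the IDS log file and act on it. As an added example (not part of this help page and not VPOP3's own code), here is a small Python parser that turns an IDS Log Line Format string into a regular expression, reads the log, maps the event numbers to the descriptions listed above, and counts events per client IP so that a monitoring tool could report on or react to repeat offenders. The line format `%T|%I|%e|%E|%D`, the sample log lines and the function names are constructed for this example; the parser assumes the separator you choose does not occur inside the event text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# IDS event numbers and descriptions as listed on this page
IDS_EVENTS = {
    0: "SMTP authentication failure",
    1: "Relay denied",
    2: "Relay allowed",
    3: "Bad local recipient",
    4: "Good local recipient",
    5: "Message detected as spam",
    6: "Message detected as containing a virus",
    7: "SMTP Rule matched",
    8: "Realtime DNS Blacklist match",
    9: "SMTP Syntax error",
    10: "Message is bigger than the maximum size limit",
    11: "Message contained a filtered attachment",
    12: "Message contained a partial attachment",
    13: "SPF Rejection",
    900: "IP address blocked",
}

# Regex for each replacement token. %E is matched lazily and %D greedily, so the
# literal separator between them must not appear inside the event description.
TOKEN_PATTERNS = {
    "%T": r"(?P<T>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)",   # UTC ISO8601 timestamp
    "%I": r"(?P<I>[0-9A-Fa-f.:]+)",                           # IPv4 or IPv6 client address
    "%e": r"(?P<e>\d+)",                                      # event number
    "%E": r"(?P<E>.*?)",                                      # event text
    "%D": r"(?P<D>.*)",                                       # extra event data
}

# Constructed format string and log content for this example
LOG_FORMAT = "%T|%I|%e|%E|%D"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z|203.0.113.7|0|SMTP authentication failure|user=alice
2024-05-01T10:00:05Z|203.0.113.7|0|SMTP authentication failure|user=admin
2024-05-01T10:01:10Z|198.51.100.20|2|Relay allowed|to=bob@example.com
2024-05-01T10:02:00Z|203.0.113.7|1|Relay denied|to=x@example.org
this line is not in the expected format
"""


def compile_format(line_format):
    """Convert an IDS Log Line Format string into a compiled regex."""
    parts = re.split(r"(%[TIeED])", line_format)
    regex = "".join(TOKEN_PATTERNS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + regex + "$")


def parse_ids_log(text, line_format):
    """Parse IDS log text; returns (records, lines_that_did_not_match)."""
    pattern = compile_format(line_format)
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = pattern.match(line)
        if not m:
            unparsed.append(line)   # a monitoring tool should report these, not drop them silently
            continue
        g = m.groupdict()
        event = int(g["e"])
        timestamp = g.get("T")
        records.append({
            "time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
                    if timestamp else None,
            "ip": g["I"],
            "event": event,
            "description": IDS_EVENTS.get(event, g.get("E", "unknown event")),
            "data": g.get("D", ""),
        })
    return records, unparsed


def events_per_ip(records):
    """Count event numbers per client IP address."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["ip"]][r["event"]] += 1
    return counts


def repeat_offenders(records, event, minimum):
    """IP addresses that logged `event` at least `minimum` times in these records."""
    return sorted(ip for ip, c in events_per_ip(records).items() if c[event] >= minimum)


if __name__ == "__main__":
    recs, bad = parse_ids_log(SAMPLE_LOG, LOG_FORMAT)
    for r in recs:
        print(r["time"], r["ip"], r["event"], r["description"], r["data"])
    print("unparsed lines:", bad)
    print("repeated auth failures from:", repeat_offenders(recs, 0, 2))
```

Point the parser at the file named in IDS Log Filename and feed it the same format string you configured as the IDS Log Line Format; anything the regex rejects is returned separately so that a format mismatch is noticed rather than silently lowering the counts.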


Intrusion Prevention

The Intrusion Prevention component uses the Intrusion Detection data to automatically block IP addresses if VPOP3 detects suspicious activity from them. If this happens, the connecting computer will receive an error such as Server access temporarily blocked! Please try again later or Your connection has been blocked temporarily - try again later.

The Manage Block List button allows you to view blocked IP addresses and manually add or delete them. The Manage Never Block List button lets you add or delete IP addresses from a list of IP addresses to never block (eg trusted IP addresses).


When an incoming connection is initiated, the order of events is:

1. VPOP3 looks at the client IP address.

2. VPOP3 checks the Never Block List. If the IP address is there, the connection is allowed.

3. VPOP3 checks in the Block List. If the IP address is there, then the connection is blocked.

4. If the IP address was in the Block List, but the entry expired within the past Client Error Monitor Period time, then the IPS log total value is seeded with the Client Error Re-Block value. This means that a badly behaved client is more likely to be blocked again if it continues to misbehave.

5. VPOP3 checks the previous entries in the IPS event log over the past Client Error Monitor Period time. If the total of the entry values equals or exceeds the Client Error Block Threshold then the connection is added to the Block List with an expiry set to the Client Error Block Time in the future, and the connection is blocked.

If the connection is allowed, then VPOP3 will add entries to the IPS event log as they occur. These will not cause the connection to be added to the Block List immediately, but will only be checked at the next connection from the same IP address. This reduces computational load on the server, and means that isolated events from an IP address will not cause an entry to be added to the Block List which will then expire before it is used.


The various events which are logged are shown on the page as various 'multipliers'. Every time an event occurs within the Client Error Monitor Period, then the value of that 'multiplier' is added onto that IP address's “score”.

Notes:

Changing an event's “multiplier” will take effect retrospectively.

The Client Error Monitor Period should not be set for longer than 30 days, as events are purged from VPOP3's internal log after 30 days.

You cannot turn off the IDS component of VPOP3. You can achieve the same effect by setting all the 'multipliers' to zero, or decreasing the Monitor Period to 1 minute and increasing the Block Threshold to an unreachable value.
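To make the connection-time sequence above concrete, here is an added Python model of it (not VPOP3's code; an assumed implementation written for this help text) that replays a constructed sequence of connections and IDS events for one address: the Never Block List check, the Block List check with expiry, the Re-Block seeding after an expired block, and the multiplier sum over the Monitor Period compared against the Block Threshold. The class and method names, the multiplier values, the threshold, the block and monitor periods and the sample IP addresses are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone


class IntrusionPrevention:
    """Assumed model of the checks described on this page, not VPOP3's own code."""

    def __init__(self, multipliers, block_threshold, block_time, monitor_period, reblock_value):
        self.multipliers = dict(multipliers)    # IDS event number -> 'multiplier' added to the score
        self.block_threshold = block_threshold  # Client Error Block Threshold
        self.block_time = block_time            # Client Error Block Time (timedelta)
        self.monitor_period = monitor_period    # Client Error Monitor Period (timedelta)
        self.reblock_value = reblock_value      # Client Error Re-Block value
        self.never_block = set()                # Never Block List
        self.block_list = {}                    # ip -> (expiry time, reason)
        self.last_expiry = {}                   # ip -> expiry time of its most recently expired block
        self.event_log = []                     # IPS event log: (time, ip, event number)

    def add_never_block(self, ip):
        # Adding an address to the Never Block List also removes it from the Block List
        self.never_block.add(ip)
        self.block_list.pop(ip, None)

    def record_event(self, ip, event, now):
        # Events are logged as they occur but only scored at the next connection
        self.event_log.append((now, ip, event))

    def score(self, ip, now):
        # Sum of the multipliers of this IP's events inside the Monitor Period. The log
        # stores event numbers, not values, so changing a multiplier applies retrospectively.
        since = now - self.monitor_period
        return sum(self.multipliers.get(ev, 0)
                   for t, i, ev in self.event_log if i == ip and t >= since)

    def on_connect(self, ip, now):
        # Step 2: the Never Block List always allows the connection
        if ip in self.never_block:
            return "allowed"
        # Step 3: an unexpired Block List entry blocks the connection
        if ip in self.block_list:
            expiry, _reason = self.block_list[ip]
            if now < expiry:
                return "blocked"
            del self.block_list[ip]
            self.last_expiry[ip] = expiry
        # Step 4: a block that expired within the Monitor Period seeds the total
        total = 0
        expired_at = self.last_expiry.get(ip)
        if expired_at is not None and now - expired_at <= self.monitor_period:
            total = self.reblock_value
        # Step 5: add the scored events and compare with the Block Threshold
        total += self.score(ip, now)
        if total >= self.block_threshold:
            self.block_list[ip] = (now + self.block_time,
                                   f"score {total} reached threshold {self.block_threshold}")
            return "blocked"
        return "allowed"


def demo():
    """Replay a constructed sequence of connections and events; returns the outcomes in order."""
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    minute = lambda n: t0 + timedelta(minutes=n)
    ips = IntrusionPrevention(
        multipliers={0: 3, 1: 2, 9: 1},      # auth failure, relay denied, syntax error (assumed values)
        block_threshold=10,
        block_time=timedelta(minutes=60),
        monitor_period=timedelta(minutes=30),
        reblock_value=5,
    )
    bad, trusted = "203.0.113.7", "192.0.2.1"   # constructed addresses
    out = []
    out.append(ips.on_connect(bad, minute(0)))   # allowed: nothing logged yet
    for n in (1, 2, 3):
        ips.record_event(bad, 0, minute(n))      # three auth failures: score 9
    out.append(ips.on_connect(bad, minute(5)))   # allowed: 9 is below the threshold of 10
    ips.record_event(bad, 0, minute(6))          # fourth failure: score 12
    out.append(ips.on_connect(bad, minute(7)))   # blocked, entry expires at minute 67
    out.append(ips.on_connect(bad, minute(30)))  # blocked: entry still current
    out.append(ips.on_connect(bad, minute(70)))  # allowed: block expired, total seeded to 5, old events outside window
    ips.record_event(bad, 0, minute(71))
    ips.record_event(bad, 0, minute(72))         # 5 (re-block seed) + 6 = 11
    out.append(ips.on_connect(bad, minute(73)))  # blocked again after only two failures
    ips.block_list[trusted] = (minute(999), "manual entry")
    ips.add_never_block(trusted)                 # Never Block List removes the manual block
    out.append(ips.on_connect(trusted, minute(74)))  # allowed
    return out


if __name__ == "__main__":
    print(demo())
```

The replay shows the two points the help text makes that are easy to miss: events logged during an allowed session only count at the next connection from that address, and the Re-Block seed means an address whose block has just expired is blocked again by far fewer events than it took the first time.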

Manage Block List

When a client attempts to connect and has already logged events over the Block Threshold, then it will be added to the Block List. Addresses can also be added to the Block List manually.

Note that the Block List affects ALL VPOP3 services. It is also updated by the Security Settings in VPOP3, if someone repeatedly attempts to log in with bad details.

The Block List can be viewed to see which IP addresses are already in the block list, when they were added, and when they will expire. If you double-click on an entry, VPOP3 will show you why that address was added to the block list. You can delete entries from the block list.

You can manually add entries to the block list by entering the address and period that the address should be blocked, and pressing the Add button. The maximum time you can block an address for is 999,999,999 minutes (approximately 1900 years). The Address you specify can be an individual address, or a network range specified in CIDR format (eg 1.2.3.0/24)

Manage Never Block List

The Never Block List is used to tell VPOP3 never to block connections from the specified addresses. This can be useful for internal IP address ranges, or the IP addresses of partners or mail forwarding services.

Note that the Never Block List affects ALL VPOP3 services, and will also prevent the Security Settings options from blocking IP addresses.

The Never Block List can be viewed to see which IP addresses are already in the list and when they were added. You can delete entries from the block list by selecting them and pressing the Delete button.

You can manually add entries to the Never Block List by entering the address and pressing the Add button. If you add an entry to the Never Block List, then it will automatically be removed from the Block List if the address is currently blocked.

The Address you specify can be an individual address, or a network range specified in CIDR format (eg 192.168.0.0/16)

View Event Log

This lets you see the recent past events added to the IDS event log. Events are displayed here even if they have a zero 'multiplier' and so will not prevent access to VPOP3.
