Community Discussions and Support
Max login attempts per ip address and reverse DNS lookup

1) Is there an easy way to blacklist an IP address after for instance, 4 invalid login attempts?


2) a long, long time ago, I thought I heard mercury would have reverse DNS lookup. I don't see it in 4.90.


Thanks for a great product for my one user email server. I think I've been running somewhat problem free for over 20yrs.


Jerry



1) You don't say what sort of login attempts these are, but assuming they are authentication attempts in MercuryS: have you tried setting 'Simplified Phishing Protection' in the compliance tab?


2) Yes, that would be a useful addition, and I am also looking forward to seeing that ;)


paul



I saw the phishing but it says it locks the account for 30 minutes. At that rate I would be locked all day unless there is an authorized way around the lock.


Yes, they are login/password phishing attempts.



I have been away from Mercury for a while but I remember this as a lock per offending IP address. When you set this, keep it in mind when configuring devices for access. An error in credentials will trigger the 30 minute lockout.



> I saw the phishing but it says it locks the account for 30 minutes. At that rate I would be locked all day unless there is an authorized way around the lock.


Are you using any blocklist checks such as Spamhaus?
edited Aug 26 '22 at 5:12 pm

Yes, I have several blacklist sites but get very, very few hits on spamhaus, barracuda, etc. I haven't seen an address rejected by those sites in quite a while.



I put any attempted failed auth attempts on an ACL blacklist, but that isn't very practical if you are getting a lot from different IP addresses.


My best advice is to ensure all your usernames and passwords are long and obscure - that reduces the chances of them being broken by the usual automated login attempts.



Lastly, with regards to the temporary block, is there a way to lengthen it or even make the block permanent when triggered in the transaction filter? I looked in the ini file and didn't see anything.


I think my passwords are long enough and obscure, I also don't use them on any other site.


Thanks for the pointers. The block on the ehlo [127.0.0.1] had a very large impact on my problem.


Jerry



The built-in blacklist isn't configurable, but you could try using my [SmtpEvt daemon](http://downloads.serieguide.se/SmtpEvt.zip) to get some more options. It can do automatic Spamhaus lookups as well if desired.

me again. One thing that was never cleared-up, simplified phishing? Does that lock the account completely or just for the offending IP address?


Example:


login CNCjerry badpass from 46.148.40.70
login CNCjerry badpass from 46.148.40.70
login CNCjerry badpass from 46.148.40.70
account locked or only locked from 46.148.40.70?


then immediately after account is locked:
login CNCjerry goodpass from 192.168.1.1 can this address login?


I've been getting hit by Iran on my two mail servers, only one is Mercury. There seems to be 5 servers in this botnet. They hit me about every 5 seconds, maybe more frequently. The log file hits 100meg in two months, for instance. So when I see it happening, and I don't check that often, I deny the entire bot subnet in an ACL on a 10Gig switch that feeds the server. Since September I've had to add about 15 addresses to the ACL, not a big hassle. When I add them everything settles down. By the way graywall really made a difference.


I can probably do this with an ACL, but is there a way to only allow logins to the mail server (authorized users) from a specific IP address range? For instance, my local subnet and then addresses on my cell network (if that is practical). If not, I think I'll figure out a way on my router.


Thanks, nothing but compliments from me. I've had so few issues for the past 21yrs, I think, I've used it.


Jerry
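The lock-per-offending-IP model discussed in this thread (a threshold of failed logins, a 30 minute lock on that address only, a good login from another address still allowed), as an added illustration in Python that is not Mercury's code and makes no claim about how Mercury actually implements Simplified Phishing Protection. The login events are constructed; the 4-attempt threshold, the 30 minute lock and the two IP addresses are taken from the posts above.

```python
# Added illustration, not Mercury's code: a per-IP failed-login tracker that
# locks only the offending address, so a good login from elsewhere still works.
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 4                        # threshold from the original question
LOCK_DURATION = timedelta(minutes=30)   # lock length quoted in the thread


class IpLockout:
    def __init__(self, max_failures=MAX_FAILURES, lock_duration=LOCK_DURATION):
        self.max_failures = max_failures
        self.lock_duration = lock_duration
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lock expired: clear state for this ip
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, user, ok, now):
        """Record one login attempt; return 'locked', 'allowed' or 'rejected'."""
        if self.is_locked(ip, now):
            return "locked"                 # refused before credentials are checked
        if ok:
            self.failures.pop(ip, None)     # success resets the counter for this ip
            return "allowed"
        window = self.failures[ip]
        window.append(now)
        window[:] = [t for t in window if now - t < self.lock_duration]
        if len(window) >= self.max_failures:
            self.locked_until[ip] = now + self.lock_duration
        return "rejected"


def replay(events):
    """events: (timestamp, ip, user, ok) tuples in time order -> list of outcomes."""
    tracker = IpLockout()
    return [tracker.attempt(ip, user, ok, ts) for ts, ip, user, ok in events]


def demo_scenario():
    """Constructed replay of the scenario in the post above (hypothetical timestamps)."""
    t0 = datetime(2022, 8, 26, 17, 0)
    events = [(t0 + timedelta(seconds=5 * i), "46.148.40.70", "CNCjerry", False)
              for i in range(5)]                                  # 5 bad passwords
    events.append((t0 + timedelta(seconds=30), "192.168.1.1", "CNCjerry", True))
    events.append((t0 + timedelta(minutes=31), "46.148.40.70", "CNCjerry", False))
    return replay(events)
```

The fourth failure from 46.148.40.70 triggers the lock, the fifth is refused as "locked", the good login from 192.168.1.1 is still "allowed", and after the 30 minutes expire the bad address is back to a plain "rejected" with a fresh counter.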

