SmtpEvt daemon questions

A side effect of trying to understand the SmtpEvt daemon is that I now have a better understanding of the options in the MercuryS Compliance tab and of the potential value of transaction filtering as a way to immediately blacklist an IP address that has been identified as repeatedly trying to gain access.  My "refuse" entries in Connection Control have been removed, opting for transaction filtering rules instead.

I've standardized the rules as per below with only the IP address changing but welcome suggestions on a better or more appropriate way of doing this. 

H, "*192.156.225.99*", BS, "554 Relaying not allowed - connection dropped" 

I'm anxious to see the effects of this change in conjunction with SmtpEvt.


I'm trying to figure out the best way to utilize the SmtpEvt daemon to help control the attacks on MercuryS.  Please help with the following questions.

Volume is low so I don't think I need trntrack.dll but is it necessary in order to benefit from IP address blocking, watchlist_count, and watchlist_minutes?

What is the difference between watchlist and blacklist?

Thanks!


The SmtpEvt daemon will block connecting IP addresses that repeatedly fail to authenticate (or otherwise misbehave) within a certain time span. The first failure puts the IP address on the watchlist, and depending on the settings in the ini file it will then be blocked (blacklisted) after some more failures.

trntrack.dll is needed only to set the time IP addresses will remain blocked, otherwise Mercury's built-in blacklist is used (fixed block of 30 minutes).


Thanks Rolf.  I don't know that SmtpEvt is going to help much.  What I'm seeing is Auth Login failures from the same IP in groups of anywhere from 3-15, then they'll stop for anywhere from 3 to a few days then another group, rinse, repeat.  This is happening from a number of different IP addresses.  When I identify one I block its .0-.255 range using Content Control but it's not long before a new IP address takes its place.   For now I'll set the watchlist_count trigger in SmtpEvt to 3 to limit the blocks of attempts.

Edit:  Oops.  Meant Connection Control, not Content Control. 
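
The watchlist-then-blacklist behaviour discussed in this thread, replayed over constructed log lines to show how watchlist_count limits the size of each burst. This is an added example, not SmtpEvt's own code: the sliding-window semantics, the log format, the 10-minute watchlist_minutes value and the documentation-range IP addresses are assumptions; the 30-minute block is the built-in value mentioned above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: two bursts from one address hours apart, plus a slow second address.
# Format (assumed for this example): date time ip event
SAMPLE_LOG = """\
2024-01-01 10:00:00 203.0.113.7 AUTH_FAIL
2024-01-01 10:00:10 203.0.113.7 AUTH_FAIL
2024-01-01 10:00:20 203.0.113.7 AUTH_FAIL
2024-01-01 10:00:30 203.0.113.7 AUTH_FAIL
2024-01-01 10:00:40 203.0.113.7 AUTH_FAIL
2024-01-01 10:00:50 203.0.113.7 AUTH_FAIL
2024-01-01 10:05:00 198.51.100.9 AUTH_FAIL
2024-01-01 11:05:00 198.51.100.9 AUTH_FAIL
2024-01-01 13:00:00 203.0.113.7 AUTH_FAIL
2024-01-01 13:00:10 203.0.113.7 AUTH_FAIL
2024-01-01 13:00:20 203.0.113.7 AUTH_FAIL
2024-01-01 13:00:30 203.0.113.7 AUTH_FAIL
2024-01-01 13:00:40 203.0.113.7 AUTH_FAIL
"""

def simulate(log_text, watchlist_count=3, watchlist_minutes=10, block_minutes=30):
    """Replay failures; return {ip: (attempts_reaching_auth, attempts_refused)}."""
    window = timedelta(minutes=watchlist_minutes)
    block = timedelta(minutes=block_minutes)
    recent = defaultdict(deque)           # watchlist: ip -> recent failure times
    blocked_until = {}                    # blacklist: ip -> block expiry
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        date, time, ip, event = line.split()
        if event != "AUTH_FAIL":
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        if blocked_until.get(ip, ts) > ts:    # still blacklisted: refused up front
            stats[ip][1] += 1
            continue
        stats[ip][0] += 1                     # this attempt reached AUTH and failed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:       # forget failures older than the window
            q.popleft()
        if len(q) >= watchlist_count:         # threshold hit: watchlist -> blacklist
            blocked_until[ip] = ts + block
            q.clear()
    return {ip: tuple(v) for ip, v in stats.items()}

if __name__ == "__main__":
    for count in (3, 5):
        print(count, simulate(SAMPLE_LOG, watchlist_count=count))
```

Because the block has expired by the time the next burst arrives, each burst still gets watchlist_count attempts through; an address that spaces its failures wider than watchlist_minutes is never blocked at all.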
