need filter to block someone sending too many emails

Junior Member
Posts: 11
Joined: Wed Feb 15, 2012 4:06 pm

Postby anthonyc » Tue Mar 19, 2013 9:50 pm

I need a filter to block someone sending too many emails. That includes local and non-local accounts. We keep getting hacked ... something, someone is creating a "test@mydomain.com" account on mydomain. They then spam 50,000 people and we get burned for it.

Option 1)
I want to put a cap on 100 emails from one IP, more than that, the IP is blocked for 90 days.

Option 2)
Maybe rather than fight them, maybe we can trick them instead. (not sure if this is a good idea)
If someone sends more than 100 emails, maybe eWall can strangle the emails. That is, log the IP for a future block (not this session) but let the spammer think they are actually sending the emails, but instead just delete them. That is, the spammer should not realize he failed to send.

This is the 3rd time it's happened. I am very frustrated. I have looked up and down to see how the F*K these guys can do this, but I have found nothing. Virus scan is useless.

I can read PHP code ok, but I just don't have the skill to write a good filter.

many thanks,
ac

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Wed Mar 20, 2013 4:26 pm

Ok, I'll try to make such a filter.

Postby anthonyc » Thu Mar 21, 2013 12:15 pm

That would be awesome, thanks Alex.

BTW, seeing as the hackers use the fake account test@mydomain.com, I created a test@mydomain post office on MailEnable and disabled it. Then in eWall, I added the filter that if someone tries to log on with test@(list of my domains), then I add them to the bad IP list, tarpit, disconnect, stop all filters.

Identifying a high # of failed logons would be good too because it lets me keep a close eye on my server. I could block the attacker, I can also send myself an email to be alerted that my server is getting attacked, etc.

thanks again,
ac

Postby Alexander Telegin » Sat Mar 30, 2013 12:30 pm

Anthony,

I added a new filter to the repository called "Email counter by IP". Please unpack the attached archive into the eWall installation directory, replacing api\repository.xml and sql.xml, then restart the eWall service. Open Control Panel, go to Filters and select New filter from Repository. You will find this filter under the Anti-spam category. The settings are self-explanatory, but let me know if you have any questions.

Regards,
Alex

Attachments: email_counter_by_ip.png (21.46 KiB), email_counter_ip.zip (15.85 KiB)

Postby Alexander Telegin » Sat Mar 30, 2013 12:32 pm

anthonyc wrote: Identifying a high # of failed logons would be good too because it lets me keep a close eye on my server. I could block the attacker, I can also send myself an email to be alerted that my server is getting attacked, etc.

This is exactly what the "Block harvesters" filter does: it counts the number of non-existing recipients.

Postby Alexander Telegin » Sat Mar 30, 2013 12:35 pm

If you want the sender to think that emails still pass through, then set Block IP to "No" and set reply to "250 OK".

Postby anthonyc » Fri Feb 02, 2018 5:58 am

Alexander Telegin wrote:
anthonyc wrote: Identifying a high # of failed logons would be good too because it lets me keep a close eye on my server. I could block the attacker, I can also send myself an email to be alerted that my server is getting attacked, etc.

This is exactly what the "Block harvesters" filter does: it counts the number of non-existing recipients.

It's different. An email account on my mail server was compromised and servers sent thousands of spam messages from my server. Once I disabled the compromised account, those spam servers kept trying to log in to my server. They all have ~15 attempts to log in before they give up. But eWall does nothing to block them in the future. I want a filter that counts the number of "failed login attempts" within a set amount of time. Allow us to set the number-of-attempts ... per time-period, e.g. 5 failed attempts per 15 minutes then block user (ban IP).

There is no way to do this right now. Again, we can catch this on connection when the "spammer" tries to log in.

thanks Alex.
Anthony
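
The threshold requested in the post above (5 failed logins per 15 minutes, then ban the IP), sketched in Python as an added example; it is not eWall code and not a filter from this thread. The log format, the names `IpEventLimiter` and `banned_ips`, and the sample lines are constructed for illustration. Fed with accepted messages instead of failed logins, the same counter gives the per-IP cap with a 90-day block asked for in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

class IpEventLimiter:
    """Bans an IP once it logs `limit` events within a sliding `window`."""
    def __init__(self, limit, window, ban_for):
        self.limit, self.window, self.ban_for = limit, window, ban_for
        self.events = defaultdict(deque)  # ip -> event times still in window
        self.banned_until = {}            # ip -> ban expiry time

    def is_banned(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.banned_until[ip]     # ban has run out
            return False
        return expiry is not None

    def record(self, ip, now):
        """Count one event; return True if the IP is banned afterwards."""
        if self.is_banned(ip, now):
            return True
        q = self.events[ip]
        q.append(now)
        while now - q[0] > self.window:   # drop events older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.banned_until[ip] = now + self.ban_for
            del self.events[ip]
            return True
        return False

# Hypothetical log format: "<date> <time> <ip> AUTH OK|FAIL ..."
LINE = re.compile(r"^(\S+ \S+) (\S+) AUTH (OK|FAIL)\b")

def banned_ips(lines, limiter):
    """Feed failed logins to the limiter; return {ip: time the ban started}."""
    bans = {}
    for line in lines:
        m = LINE.match(line)
        if m and m.group(3) == "FAIL":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if limiter.record(m.group(2), ts):
                bans.setdefault(m.group(2), ts)
    return bans

# Constructed sample, grouped by host: one bursts 5 failures in 4 minutes,
# one fails once an hour, one logs in successfully.
SAMPLE_LOG = (
    [f"2018-02-02 05:4{i}:00 203.0.113.7 AUTH FAIL user=test@mydomain.com" for i in range(5)]
    + [f"2018-02-02 0{h}:00:00 198.51.100.20 AUTH FAIL user=info@mydomain.com" for h in range(1, 7)]
    + ["2018-02-02 05:42:30 192.0.2.5 AUTH OK user=ac@mydomain.com"]
)
```

With a limit of 5, a 15-minute window and a 90-day ban, only the bursting host is banned; the host failing once an hour never has five failures inside one window.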
