Dictionary attack. How to unblock IP address

This is the Mailtraq Peer Support forum. Get assistance using and managing Mailtraq, and help others solve problems too.

Dictionary attack. How to unblock IP address

Postby jeromedavies2 » Mon May 30th, 2016 8:27am

I posted this message previously about an error that I either mis-diagnosed or cleared itself, but it raised a question for me that I think is worth asking as I couldn't find a reference anywhere.

How do I unblock an IP address that has been erroneously blocked by Mailtraq suspecting that it is a Dictionary Attack?

One of my users had an iPhone that was misconfigured; somehow the password had been changed, and Mailtraq assumed it was a dictionary attack.

Does it clear when it gets correct credentials from that IP address?
jeromedavies2
 
Posts: 61
Joined: Thu Jan 11th, 2007 5:42am

Re: Dictionary attack. How to unblock IP address

Postby Martin Clayton » Tue May 31st, 2016 12:55pm

jeromedavies2 wrote: iPhone that was misconfigured [...] Mailtraq assumed it was a dictionary attack.
Does it clear when it gets correct credentials from that IP address?

I'm not sure exactly how it works, but after reading Brute Force and Dictionary Attacks I'm guessing:
  1. once the ip address is blocked you'd have to wait up to 30 minutes
  2. whitelisting the ip address under any service property won't help
  3. restarting Mailtraq might clear the fault count
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Dictionary attack. How to unblock IP address

Postby jeromedavies2 » Wed Jun 01st, 2016 4:06am

Thanks Martin.

I suppose a dialogue to clear IP addresses would fall under "yet another thing the users asked for" :-)

J
jeromedavies2
 
Posts: 61
Joined: Thu Jan 11th, 2007 5:42am

Re: Dictionary attack. How to unblock IP address

Postby Martin Clayton » Wed Jun 01st, 2016 2:52pm

jeromedavies2 wrote: I suppose a dialogue to clear IP addresses would fall under "yet another thing the users asked for" :-)


Yup. And, in this case, arguably, there's no need to 'fault' attacks from an address with a one-word dictionary.

Aside: it's not many people's cup of tea, but scripting can step in where feature creep fears to tread. For example, I'm using Perl to monitor Mailtraq logs to carry out rhsbl and/or whois lookups - under certain conditions - and update Mailtraq sender barring. I've been considering extending the range of actions to include ip address barring, as some single-session attacks appear to get under the Dictionary Attack Manager. It's straightforward to track instances of, say, "EHLO ylmf-pc ---> 250" and "---> 535 authentication failed" per ip address or socket, but updating the services' access control for anything other than smtp may not be so easy. Killing active connections may also be an issue, although possible under ye olde web admin ... [ looks ] ... (Mailtraq|Server).ActiveConnections looks like the best bet, but I can't see the way in. One for a rainy day.
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Dictionary attack. How to unblock IP address

Postby Redkite » Mon Jun 27th, 2016 11:52am

I believe it is held in a text file you can edit, as I had to do this long ago, I think.

Neil
Redkite
Expert User
 
Posts: 104
Joined: Mon Aug 01st, 2011 4:51am

Re: Dictionary attack. How to unblock IP address

Postby Martin Clayton » Tue Jun 28th, 2016 5:48am

Hi Neil

Redkite wrote: I believe it is held in a text file you can edit, as I had to do this long ago, I think.

Searching the file system for the most recent source (211.23.167.175), the only candidate I can see is in database\stats - does that ring a bell?

Code:
database\reports\abuse (5 hits)
28/06/2016 10:15:24|Blacklists: Refused message (ip=211.23.167.175, helo=192.168.0.231) from (xo@munge1.example.com) to (eax_64@munge2.example.com) -- Blacklisted; xbl4. See https://www.spamhaus.org/query/ip/211.23.167.175
28/06/2016 10:15:24|Blacklists: Refused message (ip=211.23.167.175, helo=192.168.0.231) from (xo@munge1.example.com) to (eax_64@munge2.example.com) -- Blacklisted; xbl4. See https://www.spamhaus.org/query/ip/211.23.167.175
28/06/2016 10:18:06|Dictionary Attack: Barring (ip=211.23.167.175) because of too many invalid recipients in last 30 minutes
28/06/2016 10:18:12|Dictionary Attack: Barring (ip=211.23.167.175) because of too many invalid recipients in last 30 minutes
28/06/2016 10:18:17|Dictionary Attack: Barring (ip=211.23.167.175) because of too many invalid recipients in last 30 minutes

database\stats\dictionaryattack_180.log (1 hit)
20160628091806   1   211.23.167.175
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK
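The per-address tally Martin describes in his earlier post (counting events such as "---> 535 authentication failed" per ip address) and the two log formats he pastes above can be tied together in a small script. The following is an added example, written in Python rather than the Perl he uses, and is neither Mailtraq's code nor his monitoring script. The abuse-report line format and the dictionaryattack_180.log line format are taken from the thread; the 30-minute window comes from the barring message itself; the fault threshold of 3 is a hypothetical value for the demonstration, and clears_at() simply assumes a bar lifts once the count falls back under the threshold, which is a guess in the same spirit as the "wait up to 30 minutes" above, not documented Mailtraq behaviour. The second address in the sample, 192.0.2.10, is a constructed line in a documentation range.

```python
"""Per-IP fault tracking over Mailtraq-style log lines (added example, not Mailtraq code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # "in last 30 minutes", from the barring message on the page
THRESHOLD = 3                   # hypothetical: faults per window before an address is reported

# database\reports\abuse line: "dd/mm/yyyy HH:MM:SS|Category: text (ip=a.b.c.d ...) ..."
ABUSE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\|(?P<cat>[^:]+): .*?\(ip=(?P<ip>[\d.]+)"
)


def parse_abuse_line(line):
    """Return (timestamp, category, source ip) for an abuse-report line, else None."""
    m = ABUSE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
    return ts, m.group("cat"), m.group("ip")


def parse_stats_line(line):
    """Parse a database\\stats\\dictionaryattack_180.log line: 'YYYYmmddHHMMSS count ip'."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return datetime.strptime(parts[0], "%Y%m%d%H%M%S"), int(parts[1]), parts[2]


class FaultTracker:
    """Sliding-window fault counter keyed by source IP. Any per-address event you
    extract from a log (a 535 reply, an invalid recipient) is fed in via record()."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.faults = defaultdict(list)   # ip -> list of fault timestamps
        self.latest = None                # most recent timestamp seen

    def record(self, ts, ip):
        self.faults[ip].append(ts)
        if self.latest is None or ts > self.latest:
            self.latest = ts

    def count(self, ip, now=None):
        """Faults from `ip` inside (now - window, now]; `now` defaults to the latest event."""
        now = now or self.latest
        cutoff = now - self.window
        return sum(1 for t in self.faults[ip] if cutoff < t <= now)

    def over_threshold(self, ip, now=None):
        return self.count(ip, now) >= self.threshold

    def clears_at(self, ip):
        """Assumed clear time: when the threshold-th most recent fault leaves the
        window the count drops below the threshold (given no further faults)."""
        ts = sorted(self.faults[ip])
        if len(ts) < self.threshold:
            return None
        return ts[-self.threshold] + self.window

    def flagged(self, now=None):
        return sorted(ip for ip in list(self.faults) if self.over_threshold(ip, now))


def analyse(lines):
    """Feed abuse-report lines into a tracker; every matching line counts as one fault."""
    tracker = FaultTracker()
    for line in lines:
        parsed = parse_abuse_line(line)
        if parsed:
            ts, _category, ip = parsed
            tracker.record(ts, ip)
    return tracker


# Sample input: the five lines pasted in the thread plus one constructed line for a
# second address (192.0.2.10 is a documentation range, not a real host).
SAMPLE_LINES = [
    "28/06/2016 10:15:24|Blacklists: Refused message (ip=211.23.167.175, helo=192.168.0.231) "
    "from (xo@munge1.example.com) to (eax_64@munge2.example.com) -- Blacklisted; xbl4.",
    "28/06/2016 10:15:24|Blacklists: Refused message (ip=211.23.167.175, helo=192.168.0.231) "
    "from (xo@munge1.example.com) to (eax_64@munge2.example.com) -- Blacklisted; xbl4.",
    "28/06/2016 10:16:40|Dictionary Attack: Barring (ip=192.0.2.10) because of too many invalid recipients in last 30 minutes",
    "28/06/2016 10:18:06|Dictionary Attack: Barring (ip=211.23.167.175) because of too many invalid recipients in last 30 minutes",
    "28/06/2016 10:18:12|Dictionary Attack: Barring (ip=211.23.167.175) because of too many invalid recipients in last 30 minutes",
    "28/06/2016 10:18:17|Dictionary Attack: Barring (ip=211.23.167.175) because of too many invalid recipients in last 30 minutes",
]

if __name__ == "__main__":
    t = analyse(SAMPLE_LINES)
    for ip in t.flagged():
        print(f"{ip}: {t.count(ip)} faults in the last 30 min, clears at {t.clears_at(ip)}")
    print(parse_stats_line("20160628091806   1   211.23.167.175"))
```

Run against the sample, 211.23.167.175 is the only address over the threshold and would clear at 10:48:06 under the assumption above, while 192.0.2.10 stays under it. One thing worth noticing when reconciling the two files: the stats-log stamp pasted above (091806) is an hour behind the matching abuse-report stamp (10:18:06), which looks like a UTC versus local-time difference, so compare the two sources with that offset in mind rather than by raw string.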

Re: Dictionary attack. How to unblock IP address

Postby Redkite » Fri Jul 15th, 2016 10:23am

I cannot really remember, but I do remember the log files are all in C:\Program Files (x86)\Mailtraq\database\stats

It may be that Mailtraq looks at these and makes a decision?

I think I managed to stop an ip address being greylisted here once when things went a bit awry.

Elric would know but he seems to have disappeared.

Neil
Redkite
Expert User
 
Posts: 104
Joined: Mon Aug 01st, 2011 4:51am

Re: Dictionary attack. How to unblock IP address

Postby Martin Clayton » Fri Jul 15th, 2016 10:35am

Redkite wrote: I think I managed to stop an ip address being greylisted here once when things went a bit awry.

Yup, the greylist manager can be controlled via database/greylist (history.txt and passed.txt).

I'm not so sure about DAM and I'm still thinking a restart might clear the fault count.
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK
