Rogue Server

Is there any way to configure the Domino server to ignore connection requests after X attempts are made to use the Domino server as a relay for spam? I have had instances in the past few months of hosts “demon dialing” our mail server in what looks like either a DoS attack or a spambot attack. A couple of excerpts from our log file:

06/30/2015 04:29:02 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:02 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received

This goes on and on from 2am this morning until I opened up the server console at 6am.

Subject: Relay controls

Here’s a link to the parent topic for configuring relay controls:

IBM Documentation http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_preventingunauthorizedsmtphostsfromusingdominoasa_t.dita

Subject: Rogue Server

I wish I had the ability to create what we used to call, back in the DOS days, a TSR that would perform the blacklisting of this type of hack attempt. Most of these, I’m quite certain, originate from a host different from the one that displays in the connect string, so there is possibly no real way to blacklist the correct entry, but at least it would eliminate the attempt at the beginning. Thanks for taking the time to help… On to another subject.

Subject: Relay Controls

Thanks for the input, Chad. Currently our Domino server is fairly locked down and has all the relaying controls in place. I was interested in knowing whether there is a mechanism built into Domino similar to what Microsoft has for IIS 7.5 and 8, where if a connection is repeatedly initiated it will “blacklist” the IP and/or sender and simply ignore/reject any further connection requests. It’s somewhat specialized, but it definitely works, as the hack attempts on our FTP server went from thousands a day to virtually none. Of course, its functionality is governed by how many attempts are made over a predetermined amount of time.

Subject: Not aware of anything out of the box for that

You can certainly blacklist a host, but I’m not aware of an out-of-box feature that will provide a threshold after which connections will be blocked. If you want to pursue it, there’s an extension manager hook SMTPConnectEMCallback that would allow you to interrogate the incoming connect request, perform your own detection logic, and then handle the request accordingly.

Subject: You indicated Windows but…

I’d be curious to know if this method still works. This post is from 2009 and a few things have changed since then. Anyone know? Might be enough to make a Linux convert out of you. =)

Chris A. Brandlehner BLOG | Protect your IBM Lotus Domino Server against brute force attacks on non HTTP ports http://www.brandlehner.at/Brandlehner/cab_blog.nsf/d6plinks/CBRR-7NSD6R

Subject: Fail2Ban

Ben,

That method is exactly what I am trying to find. It is similar, if not identical, to what Microsoft made available for IIS 7.5 and what comes natively in IIS 8. If I had a Linux-based installation, I would definitely be working with it to see it operate; unfortunately, I’m on a 2008R2 platform. There must be an IBM coder who could put that functionality into the Domino server… it would sure eliminate a lot of hack attacks.
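The threshold logic the two replies above ask for (the "ban after N attempts in a time window" behaviour of fail2ban, done outside Domino on a Windows host), as an added example that is not code from the thread, from IBM, or from the fail2ban project. It reads Domino console log lines in the format quoted at the top of the thread, counts sessions that ended with 0 messages per source IP inside a sliding window, and for each IP over the threshold emits the Windows Firewall command that would block it on port 25. The threshold (more than 5 empty sessions within 60 seconds), the two extra hosts in the sample log, and the firewall rule name are assumptions chosen for the demo; the 88.39.207.233 lines are the ones from the post.

```python
"""Fail2ban-style threshold detection over Domino SMTP console log lines.

Added example (not Domino's or fail2ban's code). Threshold, window and the
non-88.39.207.233 sample hosts are assumptions for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "SMTP Server: host (ip) disconnected. N message[s] received"
# lines quoted in the original post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) SMTP Server: "
    r"(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) disconnected\. "
    r"(?P<msgs>\d+) message\[s\] received"
)

# Constructed sample: the six lines from the post plus two made-up hosts
# (203.0.113.7 with three empty sessions spread out, 198.51.100.4 with one
# real delivery). Real input would be the console log or a log.nsf export.
SAMPLE_LOG = """\
06/30/2015 04:29:02 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:02 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:02 AM SMTP Server: mail.example.net (198.51.100.4) disconnected. 1 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: scanner.example.org (203.0.113.7) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:03 AM SMTP Server: host233-207-static.39-88-b.business.telecomitalia.it (88.39.207.233) disconnected. 0 message[s] received
06/30/2015 04:29:10 AM SMTP Server: scanner.example.org (203.0.113.7) disconnected. 0 message[s] received
06/30/2015 04:31:00 AM SMTP Server: scanner.example.org (203.0.113.7) disconnected. 0 message[s] received
""".splitlines()


def parse_line(line):
    """Return (timestamp, ip, messages_received) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
    return ts, m.group("ip"), int(m.group("msgs"))


def find_offenders(lines, max_attempts=5, window=timedelta(seconds=60)):
    """Return {ip: time_threshold_was_crossed} for every IP that closed more
    than max_attempts sessions with 0 messages inside any window-long span.

    Sessions that delivered mail are never counted, so a legitimate relay
    partner that also probes occasionally is not banned by its probes alone.
    """
    recent = defaultdict(deque)   # ip -> timestamps of empty sessions in window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msgs = parsed
        if msgs != 0 or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_attempts:
            banned[ip] = ts
    return banned


def block_command(ip):
    """Windows Firewall rule blocking inbound TCP/25 from ip.

    The netsh advfirewall syntax is real; the rule name is an assumption.
    """
    return ('netsh advfirewall firewall add rule name="Domino SMTP ban {ip}" '
            'dir=in action=block protocol=TCP localport=25 remoteip={ip}'
            ).format(ip=ip)


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print("# {} crossed the threshold at {:%m/%d/%Y %I:%M:%S %p}".format(ip, when))
        print(block_command(ip))
```

Run as a scheduled task that tails the console log, this does the same job as fail2ban's SMTP jail: the block is applied in the host firewall, so later connection attempts are refused before Domino ever logs them. Two things a production version needs that the demo leaves out: an expiry for each rule (fail2ban's bantime), so a dynamic address that is later reassigned is not blocked forever, and a whitelist for your own relay partners and monitoring hosts.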