Spam Filter ISP Support - SMTP AUTH and IP CACHE BLACKLIST

SMTP AUTH and IP CACHE BLACKLIST

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6669
Printed Date: 13 January 2025 at 9:16pm

Topic: SMTP AUTH and IP CACHE BLACKLIST

Posted By: rudaf
Subject: SMTP AUTH and IP CACHE BLACKLIST
Date Posted: 11 May 2009 at 7:48am

Envirnoment

SFE 4.1.2.808

DB MSSQLSVR 2000 STD SP4

WIN 2000 SP4

We have implemented SMTP AUTHENTICATION feature using UNIX STyle pswd in order to use SFE as SMTP AUTH relay server.

Here the architecture

Incoming SMTP connection

SMTP AUTH (SFE3) -> KO -> reject

Mail server

Remote Recipient

Now we are facing this problem: according to general rules of SFE governing potential spammers ips, if an user fails to authenticate himself due to an error entering the password in its outlook client, SFE considers him as a potential spammer and its IP is placed in IP CACHE BLACKLIST (temporary). If it come in error for three times the IP is blacklisted for 60 mins.

That's really good to fight incoming spam, but is really a curse for SMTP relay purposes. Imagine the scenario:

A lan with 200 users. 200 private IPs and 1 public/static IP. Just 1 user fails 3 times to authenticate himself in SMTP AUTH, SFE blacklist such a public IP and 199 users stop to send mail for 1 hour!!!

As workaround we added in Spamfilter.ini, "DoNotAddIPToHoneypot = [public IP]" but this is a weak solution.

We are a service provider and we cannot always know any single potential IP SMTP AUTH traffic will come from.

What can you suggest? On our side we can suggest to avoid temporary blacklisting when using SMTP AUTH feature.

Regards.

Replies:

Posted By: LogSat
Date Posted: 11 May 2009 at 11:41pm

While you could reduce the IP blacklist cache duration from 60 minutes to just about 10 minutes or so, we would actually suggest the following.

Configure your SpamFilter to listen for incoming SMTP traffic on port 25 for regular mail, without implementing SMTP AUTH.

On the same server install another copy of SpamFilter, but configure it to listen for SSL traffic on port 465, and implement SMTP AUTH on this second instance. Configure this SpamFilter to reject all emails (for example either by having a non-existent domain in the "Local Domains", or by adding just one non-existent user to the AuthorizedTO whitelist). Then have your users configure their mail clients to use SSL for SMTP Authentication. This will (1) add increased security as their login information will be encrypted, and (2) will allow them to relay without the blacklist cache issues present on the primary server.

To use SSL you will need to configure an SSL certificate in SpamFilter, we have documentation on how to proceed in the manual.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: rudaf
Date Posted: 12 May 2009 at 4:21am

That's sound as a good solution. We will test it not in SSL mode to avoid impact on users settings but only working on firewall rules, and running a new istance of SFE listening on different port then the other one dedicated to SMTP AUTH traffic.

This could work.

I'll let you know

Regards