Tarpitting POP3 and IMAP logins

This forum contains features that have been archived. This section contains implemented features, duplicate requests, and requests which we have decided not to implement.

Do you need this feature?

Yes: 76 (97%)
No: 2 (3%)
Total votes: 78

DSmidgy
Normal user
Posts: 36
Joined: 2004-05-12 15:48

Tarpitting POP3 and IMAP logins

Post by DSmidgy » 2005-09-03 11:14

I think tarpitting (for SMTP) could be implemented for POP3 and IMAP too.

If a user (IP) tries to connect to one account unsuccessfully (wrong username/password) X number of times, his IP gets blocked (tarpitted) for Y seconds.

Aldoir
Normal user
Posts: 59
Joined: 2005-12-01 12:20

Important feature

Post by Aldoir » 2005-12-01 12:24

I consider it an important feature for security concerns, preventing brute force attacks.

A simple sleep() call after an unsuccessful login attempt should solve this issue.

Great job, Martin

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-01 17:20

Hi guys.

This has already been discussed here

http://www.hmailserver.com/forum/viewtopic.php?t=3093

If you want this feature, vote for it, but let's keep it in one thread.

Michael
Missing Hmailserver ... Now running Debian servers

Aldoir
Normal user
Posts: 59
Joined: 2005-12-01 12:20

Post by Aldoir » 2005-12-01 22:49

Slug,

Both are useful security enhancements, but are different things.

Dictionary attacks against SMTP are not the same thing as Brute force password attack

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-02 03:49

....
Last edited by Slug on 2005-12-02 12:31, edited 1 time in total.
Missing Hmailserver ... Now running Debian servers

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-02 03:49

Aldoir wrote:
> Slug,
>
> Both are useful security enhancements, but are different things.
>
> Dictionary attacks against SMTP are not the same thing as Brute force password attack

Howdi Aldoir

I made mention in my very first post in that thread about dictionary attacks.

Regards
Michael
Missing Hmailserver ... Now running Debian servers

CraigHarris
Senior user
Posts: 886
Joined: 2005-11-28 11:43

Post by CraigHarris » 2005-12-05 12:59

Although this would be a good feature, shouldn't secure support with hMail be a priority, as without such the password is sniffable anyway?
(I've read the discussions here about stunnel & difficulty of integrating that functionality, but it would be nice to have it, then IP checks work.)

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2005-12-05 13:18

What does SSL support have to do with tarpitting? Installing stunnel and setting it up to work with hMailServer is already really easy.

CraigHarris
Senior user
Posts: 886
Joined: 2005-11-28 11:43

Post by CraigHarris » 2005-12-05 13:47

Because hMail doesn't get the IP address to block if it is going via stunnel on the local machine.

Aldoir
Normal user
Posts: 59
Joined: 2005-12-01 12:20

Post by Aldoir » 2005-12-09 13:55

CraigHarris,

There are different problems, and I think they should be treated differently

I think that 99% of the "real world" do not use SSL for email connections, so preventing brute force attacks will be very very useful, especially in this case, when there is low impact on the development. A simple sleep() call without any config settings will help this problem.

Implementing SSL in a software is a big trouble, and should have a special attention when decided to implement

3zero2
New user
Posts: 8
Joined: 2006-01-05 16:31

Post by 3zero2 » 2007-05-16 13:29

Has anything been done regarding this problem?

SuperMau
New user
Posts: 19
Joined: 2006-11-24 02:20
Location: Mexico

Login Suspend

Post by SuperMau » 2007-05-19 00:18

It would be very useful. Some servers implement it as "Login Suspend" with: max tries before suspend, suspend duration, time to live of suspend info, maximum suspends before deactivating.

Two thumbs up!

c0r2ar0
New user
Posts: 27
Joined: 2007-06-12 16:46
Location: Italy

Post by c0r2ar0 » 2007-06-15 08:01

I think it is very important to have this feature implemented soon.

Thanks,
Paolo

Kaan1983
Senior user
Posts: 595
Joined: 2007-01-30 16:26
Location: TÜRKIYE

Post by Kaan1983 » 2007-06-15 15:15

Are we talking about someone passed win server with dict attack and trying to get in hMailServer with dict attack too?

I would even think that windows login should be enough for hMail login too. Just like SQL Server 2005 does. It's better to use windows login rather than SQL login regarding safety issues.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2007-06-23 11:58

Well, my servers were brute force attacked a few days ago. They didn't get in but it did slow traffic down a bit and increased log size by around 300 meg. I blocked the attacking IPs at my firewall and all ceased till the next time ;)

Can we have this feature now please Martin :D

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2007-06-24 09:39

I too would like to see this implemented.

Michael
Missing Hmailserver ... Now running Debian servers

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2007-08-29 15:46

bump

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Post by westdam » 2007-08-30 01:26

hehe , let's see what martin will do..

plumsauce
Normal user
Posts: 43
Joined: 2007-09-11 08:37

Post by plumsauce » 2007-09-15 10:37

The Windows and Netware login suspension models work very well.

Implementing this when the user accounts are in a db is fairly simple.

I have done this by incrementing a failed login counter that is reset on a successful login. If the failed login count reaches the defined threshold, the "wait until" field of the user account is set to X minutes in the future. This alleviates support problems because the accounts are self restoring.

The one caveat here is accounts used by automated processes. If that account gets locked out, then the process is effectively dead for the duration.

When using this model, my designs never tell you *why* the account is locked out. Just the fact that it *is* locked out. That way the brute forcer has to guess whether the account exists or not, or if it was the password. Never give them a clue that helps to cut down the scope of guesses.
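
The per-account model plumsauce describes, as an added sketch that is not part of the original post and not hMailServer code. `AccountStore`, `THRESHOLD`, `LOCK_SECONDS`, the PBKDF2 hashing and the choice to keep lockout state for unknown usernames (so they behave exactly like real ones) are assumptions of this example.

```python
import hashlib
import hmac
import os

THRESHOLD = 5            # failed attempts before lockout (assumed value)
LOCK_SECONDS = 15 * 60   # the post's "X minutes"; 15 is an assumed value


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.users = {}   # username -> (salt, password hash)
        # username -> [failed_count, wait_until]. Kept for names that do not
        # exist too, so responses never reveal whether an account is real.
        # A real server would bound the size of this table.
        self.state = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password, now):
        """Return 'OK', 'FAILED' or 'LOCKED'; never say which check failed."""
        st = self.state.setdefault(username, [0, 0.0])
        if now < st[1]:
            # Locked: even the correct password is refused until wait_until,
            # which is why automated accounts stall for the whole duration.
            return "LOCKED"
        # Hash against a dummy salt for unknown users so the work is the same.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            st[0] = 0                        # counter resets only on success
            return "OK"
        st[0] += 1
        if st[0] >= THRESHOLD:
            st[1] = now + LOCK_SECONDS       # self-restoring: no admin action
        return "FAILED"
```
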

c0r2ar0
New user
Posts: 27
Joined: 2007-06-12 16:46
Location: Italy

Post by c0r2ar0 » 2007-10-31 20:12

I agree with ^DooM^.
On our mailserver that hosts about 40 mail domains we get a brute force attack about 3-4 days per month!
Fortunately our customers use strong passwords for their mailboxes, but I don't know how long it'll last!!

Also, our mail logs increase a lot (about 50-60 mb instead of 5-6 mb!!).

Please, martin, seriously consider having this feature soon!!

Also because I think that if someone can get into one mailbox, they start to send spam everywhere within a few minutes!!

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2007-12-27 10:44

bump :wink:
Missing Hmailserver ... Now running Debian servers

redrummy
Senior user
Posts: 370
Joined: 2007-06-21 06:52
Location: Alaska

Post by redrummy » 2007-12-27 11:30

I'll throw in another "YES" vote. Better to slow down any attacker, no matter what the angle...

duke16
Normal user
Posts: 40
Joined: 2007-03-20 12:13

Post by duke16 » 2008-03-05 15:47

Is this included in the betas by chance?

mooen
New user
Posts: 1
Joined: 2008-04-25 18:59

Re: Tarpitting POP3 and IMAP logins

Post by mooen » 2008-04-25 19:12

:D bump :P

3zero2
New user
Posts: 8
Joined: 2006-01-05 16:31

Re: Tarpitting POP3 and IMAP logins

Post by 3zero2 » 2008-07-03 01:26

any updates?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2008-07-03 12:23

No, this won't be included in 5.0. Probably in 5.1 or some other close version. (Did not have enough votes when 5.0 scope was set)

cracknix
New user
Posts: 9
Joined: 2008-11-10 06:20

Re: Tarpitting POP3 and IMAP logins

Post by cracknix » 2008-11-10 06:23

Same Chinese problem... it's quite annoying to add manual IP addresses by hand. Unfortunately we have Chinese customers,
otherwise the whole country would already be on the blacklist :shock:.

This feature is really needed

HansKruemmer
New user
Posts: 1
Joined: 2008-11-10 15:46

Re: Tarpitting POP3 and IMAP logins

Post by HansKruemmer » 2008-11-10 16:01

Hello,
we are running hMailserver for about 30 Domains and logfile size increased the last weeks dramatically by wrong login attempts
on the smtp and imap service. We do not know the passwords of our customers, but they are attacking the info@ accounts
on the proper domains. So it's only a matter of time and a weak password of our customers until they get a login
for relaying spam. We added also some rules for IPs in the firewall, but this doesn't help because
the used ips for hacking have no pattern. We assume to switch preventive to another mailserver or searching at least for
a proxy which gives us more protection.

But better would be implementing this feature in some of the next releases.
I'm not sure if it's a big deal but a table with ip and date could do the job.

Option like this in the Administrator for SMTP and IMAP would be for our needs enough:

within X minutes - Y wrong login attempts - block ip for Z minutes

Thanks and kind regards,
Hans.

mdwait
Normal user
Posts: 57
Joined: 2007-03-15 21:48
Location: NRH,TX

Re: Tarpitting POP3 and IMAP logins

Post by mdwait » 2008-11-22 18:26

Here are my three requests...
a.) I am getting a lot of 'heat' from management because the Userid's have to be
email addresses. In fighting the security war.. if you know someone's email
address, then you already know one half of what is needed to break in to
the account. It is a great request of ours to make the ability to have user
ID's not be (or have to be the email address). We would/could write our
own interface to make a new user ID; if the rest of the hmailserver would work.
b.) Tarpitting seems to be on the increase... so yes I vote for tarpitting too.
.. and the third will be covered under somewhere (else) - has to do with limiting number of outgoing emails by Userid.
hmailsvr 4.4/5.1 ~MS-SQL 2000/2008 ~VB6,VB.NET 2005~ASP.NET

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Re: Tarpitting POP3 and IMAP logins

Post by westdam » 2008-12-01 14:49

damn, was attacked too in last weekend and yes i need it :D

DFitch
Senior user
Posts: 258
Joined: 2006-09-16 20:40

Re: Tarpitting POP3 and IMAP logins

Post by DFitch » 2008-12-01 21:15

2 thumbs UP!
hMailServer 5.3.3: External MySql
Win2k3 Server | eWall 4.0 Anti-Spam Anti-Virus SMTP Proxy {http://sssolutions.net/}
SpamAssassin 3.31 - ClamAV on backend Ubuntu Server 10.04(VMware)

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2008-12-22 20:28

I'm thinking of making the following implementation:

Whenever a user fails to log on, a row is added to a table containing unsuccessful log ons. The table will contain the following:

- Timestamp (time of failure)
- IP address

(Every minute, an internal task is run which purges rows where time-stamp is older than X minutes (configurable))

When a user fails to log on, hMailServer will check if there are more than Y (configurable, default 5) rows in the table matching his IP address. If there are, a new IP range will be added. This new IP range will have an expiry date set, which will be the current time + Z minutes (configurable, default 30). After this time has passed, the IP range will be removed automatically.

So every IP range will be either permanent (the default ones) or temporary with an expiry-date.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Tarpitting POP3 and IMAP logins

Post by ^DooM^ » 2008-12-23 00:55

Sounds perfect.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

brucestr21
Normal user
Posts: 96
Joined: 2008-06-23 18:47

Re: Tarpitting POP3 and IMAP logins

Post by brucestr21 » 2008-12-23 01:00

I agree... sounds great!
hMailServer v5.2.1 Build 360
XAMPP 1.70
Horde Groupware Webmail 1.2.3
Windows Server 2003 SBS

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: Tarpitting POP3 and IMAP logins

Post by DeanoX » 2008-12-23 02:46

Hello,

This is great.

Would we be able to view/unlock an account?


Thanks,
-Dean
hMailServer 5.4.2-1964, mysql, ClamAV, SpamAssassin, SquirrelMail, GeoIP.
hMailServer Support Services for US Based Clients.
Low Rates, Quick Service. Send a Private Message for More Information.

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Tarpitting POP3 and IMAP logins

Post by mattg » 2008-12-23 04:14

http://www.hmailserver.com/forum/viewto ... 452#p76452

I didn't realise when I posted that this is across multiple threads.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2008-12-23 09:59

DeanoX,
You will be able to delete the automatic IP ranges just as any other IP ranges.
If you don't want some IP range to be blocked by this automatic blocker, you can create your own IP range matching the same IP address but give it higher priority.

At least that's how it will work in my mind. I haven't started coding yet. :)
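
The auto-ban design from martin's two posts above (failure rows, purge after X minutes, more than Y failures creates a temporary deny range for Z minutes, a higher-priority range overrides it), as an added sketch that is not hMailServer's code. The class and field names, the 60-minute window, the priority numbers and counting the current failure toward Y are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IPRange:
    name: str
    network: ipaddress.IPv4Network   # IPv4 only in this sketch
    priority: int                    # highest matching priority wins
    allow: bool
    expires: Optional[float] = None  # None = permanent, otherwise a timestamp


class AutoBan:
    def __init__(self, window_min=60, max_failures=5, ban_min=30, ban_priority=20):
        self.window = window_min * 60     # X: assumed value, the post gives no default
        self.max_failures = max_failures  # Y: default 5 in the post
        self.ban = ban_min * 60           # Z: default 30 in the post
        self.ban_priority = ban_priority  # assumed value
        self.failures = []                # rows of (timestamp, ip)
        self.ranges = []                  # permanent and temporary ranges together

    def purge(self, now):
        """Periodic task: drop stale failure rows and expired temporary ranges."""
        self.failures = [(t, ip) for t, ip in self.failures if t > now - self.window]
        self.ranges = [r for r in self.ranges if r.expires is None or r.expires > now]

    def is_allowed(self, ip, now):
        """Apply the highest-priority unexpired range covering ip; no match = allow."""
        addr = ipaddress.ip_address(ip)
        live = [r for r in self.ranges
                if addr in r.network and (r.expires is None or r.expires > now)]
        return max(live, key=lambda r: r.priority).allow if live else True

    def record_failure(self, ip, username, now):
        """Log a failed logon; return True if this failure created a temporary ban."""
        self.purge(now)
        self.failures.append((now, ip))
        net = ipaddress.ip_network(ip)
        count = sum(1 for _, a in self.failures if a == ip)
        already = any(r.expires is not None and r.network == net for r in self.ranges)
        if count <= self.max_failures or already:
            return False
        self.ranges.append(IPRange("Auto-ban: " + username, net, self.ban_priority,
                                   allow=False, expires=now + self.ban))
        return True


def demo():
    """Constructed scenario: documentation addresses, timestamps in seconds."""
    ab = AutoBan()
    # Permanent allow range with a priority above the auto-ban priority.
    ab.ranges.append(IPRange("Office", ipaddress.ip_network("198.51.100.0/24"), 50, True))
    burst = [ab.record_failure("203.0.113.7", "info@example.test", i) for i in range(6)]
    office = [ab.record_failure("198.51.100.9", "bob@example.test", i) for i in range(6)]
    out = {"burst": burst, "office_ban_created": office[-1]}
    out["ban_names"] = sorted(r.name for r in ab.ranges if r.expires is not None)
    out["attacker_allowed_during_ban"] = ab.is_allowed("203.0.113.7", 60)
    out["office_allowed_during_ban"] = ab.is_allowed("198.51.100.9", 60)
    out["attacker_allowed_after_ban"] = ab.is_allowed("203.0.113.7", 5 + 30 * 60)
    # One mistyped password every 15 minutes never exceeds Y inside the window.
    typos = [ab.record_failure("192.0.2.44", "amy@example.test", i * 900) for i in range(10)]
    out["typos_banned"] = any(typos)
    return out
```
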

mdwait
Normal user
Posts: 57
Joined: 2007-03-15 21:48
Location: NRH,TX

Re: Tarpitting POP3 and IMAP logins

Post by mdwait » 2008-12-23 15:12

Martin - that would be great (what you have suggested). It would match my needs exactly.
hmailsvr 4.4/5.1 ~MS-SQL 2000/2008 ~VB6,VB.NET 2005~ASP.NET

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: Tarpitting POP3 and IMAP logins

Post by DeanoX » 2008-12-23 17:51

Martin,

If possible, could those ip ranges be placed outside of the current ip ranges?, a separate tab and display maybe?


Thanks,
-Dean
hMailServer 5.4.2-1964, mysql, ClamAV, SpamAssassin, SquirrelMail, GeoIP.
hMailServer Support Services for US Based Clients.
Low Rates, Quick Service. Send a Private Message for More Information.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2008-12-23 18:24

Haven't thought much about the user interface for it yet.
They will be separated from the "normal" ip ranges in some way. Not sure how yet.

I'm leaning towards having "radio" buttons where the user can choose whether he wants to show all, show permanent or show temporary. "Show permanent" will probably be selected by default. Adding new sections in the user interface just to display this seems a bit unnecessary. These temporary IP ranges will still be IP ranges in every aspect.

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: Tarpitting POP3 and IMAP logins

Post by DeanoX » 2008-12-24 18:22

Martin,

The reason I ask them to be placed elsewhere, is that our remote staff, adds and removes ip ranges daily. And at least twice a week, I have to go in and fix, permanent ip ranges that should not have been changed, or that were deleted, or remove the ones they did not delete after use. :(

I think that adding temporary ip ranges, would mean even more interaction with ip ranges by staff, equaling more potential problems.

The radio button idea is nice, but maybe showing temporary by default would be a better idea. Make them drill down to see a permanent ip range.

Also, maybe a button to create a temporary range. That way staff would not have to even create permanent ip ranges for themselves, and those would be removed after a certain amount of time.

People rarely read what they are clicking on, or follow any implicit directions, on how to do something.
But when something stops working, I get all the frantic and demanding calls.

IMHO, I wish there were some way to add a type of user control, or permissions, as to what remote staff could access and or change. That would be nice.

I realize this is all academic at this point, but I hope I am helping with some ideas.


Thanks,
-Dean
hMailServer 5.4.2-1964, mysql, ClamAV, SpamAssassin, SquirrelMail, GeoIP.
hMailServer Support Services for US Based Clients.
Low Rates, Quick Service. Send a Private Message for More Information.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2009-01-02 12:22

Here's the new highly complex settings. :)
[Attached screenshots: autoban.png, autoban_iprange.png]

The name of the IP range includes the username which failed to log on. This is only for informational purposes. It doesn't have any actual effect, other than informing the administrator what user name caused the IP range to be created. (Also, the name will start with "Auto-ban" and not "AutoBan" as indicated in the screenshot).

To separate the temporary from the permanent, I will probably just list all the permanent first and after them all the temporary ones.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Tarpitting POP3 and IMAP logins

Post by ^DooM^ » 2009-01-02 13:26

Nice work. Would it be a pain to make the auto ban text in the list red? Just makes it easier to see in my opinion.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2009-01-02 13:56

Do you mean in the "tree" to the left? I've updated it in the left "tree" and in the list which appears when you select "IP ranges" (so that the color of the text is red).

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Tarpitting POP3 and IMAP logins

Post by ^DooM^ » 2009-01-02 13:58

Yes that is where I meant, thank you :)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Re: Tarpitting POP3 and IMAP logins

Post by Slug » 2009-01-02 15:26

Excellent, Now that's on fire :-)

Can't wait to upgrade the main server as I get hammered almost daily now ??

Michael
Missing Hmailserver ... Now running Debian servers

andyp
Normal user
Posts: 191
Joined: 2008-01-18 21:00

Re: Tarpitting POP3 and IMAP logins

Post by andyp » 2009-01-02 15:37

In November they hacked one of my SMTP accounts and sent a lot of spam until I realized it. Since that time it is no exception that someone tries 5000 logins in 30 min. In most cases from Asia.

Will this feature be in v5 now? I thought it wouldn't! Already thought of writing a .Net application searching the log files and providing an IP blacklist. I am reeeaaally looking forward to it?

Having these block list in a separate list and not in IP ranges would be nice. Maybe below autoban or another tab in autoban.

Nice work!!!

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2009-01-02 15:40

> Will this feature be in v5 now?

No, in 5.1.

> Having these block list in a separate list and not in IP ranges would be nice.

Other people have suggested the opposite. It's good to have them in one place since they affect each other. For example, you may want to add another IP range to override an auto-ban entry.

andyp
Normal user
Posts: 191
Joined: 2008-01-18 21:00

Re: Tarpitting POP3 and IMAP logins

Post by andyp » 2009-01-02 15:48

This list might get long, at least my log files indicate this.

Sorry, overread
> To separate the temporary from the permanent, I will probably just list all the permanent first and after them all the temporary ones.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2009-01-02 15:49

Well, the idea is that you shouldn't block IP addresses forever. Doing that is a bad idea.

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Re: Tarpitting POP3 and IMAP logins

Post by Slug » 2009-01-02 15:51

martin wrote:
> Other people have suggested the opposite. It's good to have them in one place since they affect each other. For example, you may want to add another IP range to override an auto-ban entry.

At this time I can see pluses and minuses for both systems. I will wait and try it before I make a comment.
Missing Hmailserver ... Now running Debian servers

mdwait
Normal user
Posts: 57
Joined: 2007-03-15 21:48
Location: NRH,TX

Re: Tarpitting POP3 and IMAP logins

Post by mdwait » 2009-01-31 20:23

Is this still to be implemented in 5.1??
hmailsvr 4.4/5.1 ~MS-SQL 2000/2008 ~VB6,VB.NET 2005~ASP.NET

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Tarpitting POP3 and IMAP logins

Post by ^DooM^ » 2009-01-31 20:28

Come on 5.1, I got slammed again on a brute force attack :cry:
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2009-01-31 20:47

5.1 alpha will probably be put up now on Monday.

Edit: Okay, Tuesday it is.

brucestr21
Normal user
Posts: 96
Joined: 2008-06-23 18:47

Re: Tarpitting POP3 and IMAP logins

Post by brucestr21 » 2009-02-01 04:12

Looks great Martin! I'm ready for 5.1!
hMailServer v5.2.1 Build 360
XAMPP 1.70
Horde Groupware Webmail 1.2.3
Windows Server 2003 SBS

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Tarpitting POP3 and IMAP logins

Post by martin » 2009-02-03 13:55

Moving to archive since it's included in 5.1.
