White list for BFM

zEitEr (Super Moderator, joined Apr 11, 2005, 15,366 messages, www.poralix.com)
Hello,

I'd like to suggest implementing a white list for BFM (of course, if it does not exist yet).

As we cannot block 127.0.0.1, I'd like to have the ability to add it to a white list, so BFM does not warn us about this.

Another strange brute-forcing attack is being done on an email account from Google IPs, as if somebody has added the email into Gmail and tries to get access to it. So again, I don't see how it is possible to block Google IPs, so I'd like to add such an email to a white list, to prevent hundreds of letters about the issue.

p.s. Google did not honor us with a reply to our abuse report, unfortunately.

Thanks and regards,
 
Wouldn't you still want to know if you're being attacked from inside your system?

Jeff
 
Of course, it's useful and important to know that. Do you have any other suggestions or ideas on the subject? Maybe then it would be better to have 4 white lists: global, exim only, dovecot only, ftp only?

Should I care if somebody is brute-forcing web-mail? Maybe, yes. I'll go and read apache logs and try to find IP and block it.

Should I care if somebody is attacking the FTP server from inside? Maybe, yes again. But it might be harder to find the attacker.

Who would ever want to brute-force exim from inside, if it allows outgoing emails from 127.0.0.1 by default (if this policy has not been changed yet)? Only one case comes to my mind: if somebody wants to get the password for an email account in order to read(?) emails. But have you ever met anything of this kind?

And IP 127.0.0.1 is only a particular case. There might be other cases when it's important to keep an IP from being blocked. Of course, I can add an IP to my auto-blocking script to prevent banning. But it won't save me from warning messages.

We've had some cases with our customers, when a person goes on vacation and leaves his/her PC and mail program switched on. The password was changed on the server by their IT specialist, but the program kept on "attacking" our server.

In my mind, any security system should have a white list, and it's the responsibility of the server administrator to decide which IPs and emails to put there.
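One way such a skip list could work, as an added example that is not BFM's own code: a small detector over constructed log lines with a global list plus per-service lists (following the "global, exim only, dovecot only, ftp only" idea), where whitelisted IPs and accounts are still counted but never alerted on. The log format, the SKIP layout, is_skipped and detect are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread) in a simplified
# dovecot/exim style: service, account being tried, source IP.
SAMPLE_LOG = """\
dovecot: auth failed user=alice@example.com rip=127.0.0.1
dovecot: auth failed user=alice@example.com rip=127.0.0.1
dovecot: auth failed user=alice@example.com rip=127.0.0.1
exim: login failed for bob@example.com from 203.0.113.7
exim: login failed for bob@example.com from 203.0.113.7
exim: login failed for bob@example.com from 203.0.113.7
dovecot: auth failed user=carol@example.com rip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<service>\w+): (?:auth failed user=|login failed for )"
    r"(?P<account>\S+) (?:rip=|from )(?P<ip>[\d.]+)$"
)

# Hypothetical skip-list layout: a global list plus per-service lists,
# each holding IPs and account names that must never trigger an alert.
SKIP = {
    "global": {"ips": {"127.0.0.1"}, "accounts": set()},
    "dovecot": {"ips": set(), "accounts": {"carol@example.com"}},
}

def is_skipped(service, ip, account):
    """True if the IP or account is on the global or the service's own list."""
    for scope in ("global", service):
        lists = SKIP.get(scope, {})
        if ip in lists.get("ips", ()) or account in lists.get("accounts", ()):
            return True
    return False

def detect(log_text, threshold=3):
    """Return (alerts, skipped): alerts are (service, ip, account) keys that
    reached the threshold; skipped counts failures silenced by a skip list."""
    hits = Counter()
    skipped = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["service"], m["ip"], m["account"])
        if is_skipped(*key):
            skipped[key] += 1  # still recorded so the admin can review it
            continue
        hits[key] += 1
    alerts = sorted(k for k, n in hits.items() if n >= threshold)
    return alerts, dict(skipped)
```

Skipped entries are kept in a separate counter rather than dropped, so the "is it an inside attack?" question Jeff raises can still be answered from the data without generating a warning per failure.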
 
The attack could be coming from a compromised binary on the server.

Jeff
 
I've just seen an "Add to Skip List" button on the BFM page. Is it what I think and asked about? Is it white-listing?
 