Hexamail Vault Administration Guide - Botnets - Botnet Prevention

Botnet Prevention

Botnet Prevention Options

Botnet Prevention

   Mass mailings

By single IP
If a single client sends too many email too rapidly its usually a sign of a compromised machine (for example a virus or malware). Use these settings to specify the maximum number of email a single client should send in a specific period and what to do if this limits is exceeded. Use the "Ignore these IPs" to specify the IP of your mailserver and any webserver or other apps that may need to send large volumes of email in short periods of time. "Reject" temporarily rejects the email, no more email can be sent until the period has expired "Close Connection" closes the email client's connection to the email server, no more email can be sent until the period has expired "Block IP" closes the email client connection and blocks the IP temporarily (for 1 hour or until service restart)
Example interface
Off, Reject Mail, Close Connection, Block IP
Off
Alert Admin after
This alerts the admin after this number of email are sent by a client in the specified period
Example interface
2 - 99999 email
5 email
50 email
After IP sends
Maximum number of email that can be sent by a client in the specified period
Example interface
2 - 99999 email
10 email
50 email
in
The period to measure the maximum email count per client over
Example interface
2 - 99999 seconds
60 seconds
3600 seconds
By single user/login
If a single client sends too many email too rapidly its usually a sign of a compromised machine (for example a virus or malware). Use these settings to specify the maximum number of email a single client should send in a specific period and what to do if this limits is exceeded. Use the "Ignore these IPs" to specify the IP of your mailserver and any webserver or other apps that may need to send large volumes of email in short periods of time. "Reject" temporarily rejects the email, no more email can be sent until the period has expired "Close Connection" closes the email client's connection to the email server, no more email can be sent until the period has expired "Block IP" closes the email client connection and blocks the IP temporarily (for 1 hour or until service restart)
Example interface
Off, Reject Mail, Close Connection, Block IP
Off
Alert Admin after
This alerts the adminafter this number of email are sent by a user in the specified period
Example interface
2 - 99999 email
5 email
50 email
After user sends
Maximum number of email that can be sent by a user in the specified period
Example interface
2 - 99999 email
5 email
50 email
in
The period to measure the maximum email count per user over
Example interface
2 - 99999 seconds
60 seconds
3600 seconds
With same subject
If a multiple clients send too many email with the same subject too rapidly its usually a sign of a coordinated botnet spam attack. Use these settings to specify the maximum number of email witht eh same subject clients should send in a specific period and what to do if this limits is exceeded. Use the "Ignore these IPs" to specify the IP of your mailserver and any webserver or other apps that may need to send large volumes of email in short periods of time. "Reject" temporarily rejects the email, no more email can be sent with this subject until the period has expired "Close Connection" closes the email client's connection to the email server, no more email can be sent with this subject until the period has expired "Block IP" closes the email client connection and blocks the IP temporarily (for 1 hour or until service restart)
Example interface
Off, Reject Mail, Close Connection, Block IP
Off
Alert Admin after
This alerts the admin after this number of email are sent with the same subject in the specified period
Example interface
2 - 99999 email
8 email
50 email
After
Maximum number of email with the same subject that can be sent in the specified period
Example interface
2 - 99999 email
10 email
50 email
in
The period to measure the maximum email count
Example interface
2 - 99999 seconds
120 seconds
3600 seconds
Ignore email from IPs
This setting allows you to bypass max email rate checks for email originating from the listed IP addresses. IP addresses can include wildcards and ranges. Use this list to list any mailservers or apps you have that send out email. For example if your mailserver sends email out thru Hexamial then you may want to exclude it from the max email count checks
Example interface
127.*.*.*