Using the Dynamic Screening features, MDaemon can track the behavior of sending servers to identify suspicious activity and then respond accordingly. For example, you can temporarily block an IP address from future connections to your server once a specified number of "unknown recipient" errors occur during the mail connection from that IP address. You can also block senders that connect to your server more than a specified number of times in a specified number of minutes, and senders that fail authentication attempts more than a designated number of times.

When a sender is blocked, it is not permanent. The sender's IP address will be blocked for the number of minutes that you have specified on this dialog. Blocked addresses are contained in the DynamicScreen.dat file. It contains a list of the blocked IP addresses and the length of time each will be blocked. This file is memory resident and can be changed from the Advanced button. If you wish to edit or add the IP addresses manually using a text editor, you should create the DynamicScreenUpd.sem Semaphore File and place it in MDaemon's \APP\ folder rather than editing the DynamicScreen.dat file directly.

The "Dynamic screening (WorldClient)" section provides options that allow you to screen WorldClient connections.

Enable Dynamic Screening (SMTP, POP, & IMAP)

Click this check box to enable dynamic screening. This option screens SMTP, POP3, and IMAP connections.

Block IPs that connect more than [X] times in [X] minutes

Click this check box if you wish to temporarily block IP addresses that connect to your server an excessive number of times in a limited time period. Specify the number of minutes and the number of connections allowed in that period.

Block IPs that fail this many authentication attempts

Use this option if you wish to temporarily block IPs that fail an authentication attempt a specified number of times. This can help prevent attempts to "hack" a user account and falsely authenticate a session. This option monitors SMTP, POP3, and IMAP connections. The database of failed authentication attempts is reset at midnight each night.

...but not when they use the same password every time

By default Dynamic Screening will not block IP addresses for failing too many authentication attempts when each of the failed attempts uses the same password. This is to prevent a legitimate client from having its IP address blocked due to the client not yet being configured with a new password. Disable this option if you wish to block an IP address even when all failed attempts used the same password.

 

Limit simultaneous connections by IP to (0 = no limit)

This is the maximum number of simultaneous connections allowed from a single IP address before it will be blocked. Use "0" if you do not wish to set a limit.

Block IPs that cause this many failed RCPTs

When an IP address causes this number of "Recipient unknown" errors during a mail session it will be automatically blocked for the number of minutes specified in the Block IPs for this many minutes option below. Frequent "Recipient unknown" errors are often a clue that the sender is a spammer, since spammers commonly attempt to send messages to outdated or incorrect addresses.

Block IPs that send this many RSETs (0 = no limit)

Use this option if you wish to block any IP address that issues the designated number of RSET commands during a single mail session. Use "0" if you do not wish to set a limit. There is a similar option on the Servers screen under Server Settings that can be used to set a hard limit on the allowed number of RSET commands.

Block IPs and senders for this many minutes

When an IP address or sender is automatically blocked, this is the number of minutes the block will last. When the block expires the IP or sender will be able to send to you again normally. This feature prevents you from accidentally blocking a valid IP address or sender permanently.

 

Close SMTP session after blocking IP

Enabling this option causes MDaemon to close the SMTP session after the IP address is blocked.

Do not block IP when when SMTP authentication is used

Click this checkbox if you want senders who authenticate their mail sessions before sending to be exempt from Dynamic Screening.

White list

Click this button to open the Tarpit/Dynamic Screening white list. IP addresses listed there are exempt from tarpitting and dynamic screening.

Advanced

Click this button to open the DynamicScreen.dat block list. This lists all IP addresses that have been blocked by Dynamic Screening. You can manually add IP addresses and the number of minutes to block them by listing them one entry per line in the form: IP_address<space>Minutes. For example, 192.0.2.0 60.

 

Maximum authentication failures allowed in a mail session

This is the maximum number of failed authentication attempts allowed in a mail session before the actions below (if any) are taken. This is set to 10 by default.

Freeze accounts that exceed the max authentication failures allowed

Check this box if you wish to freeze accounts that fail more than the designated number of authentication attempts. If an account is frozen an email is always sent to the postmaster. Replying to that email will re-enable the account.

...but not when they use the same password every time

When you elect to "Freeze accounts that exceed the max authentication failures allowed," by default MDaemon will not freeze the account when each of the failed attempts uses the same password. This is to prevent a legitimate client from causing the account to be frozen when the client has simply not yet being updated with a new password. Disable this option if you wish to freeze accounts even when all failed attempts use the same password.

Notify postmaster when max authentication failures reached

Check this box if you wish to send a notification email to the postmaster whenever an account fails the designated number of authentication attempts.

Sources to include in notification: SMTP, POP, IMAP

Use this option to designate the source protocols that will trigger authentication failure notifications: SMTP, POP, or IMAP. If, for example, you don't wish to be notified of SMTP authentication failures, leave the SMTP option unchecked. You would then only receive the authentication failure emails for POP and IMAP failures.

 

Dynamic Screening (WorldClient)

Block IPs that fail this many authentication attempts

Use this option if you wish to temporarily block IP addresses that fail a WorldClient authentication attempt a specified number of times. This can help prevent attempts to "hack" a user account and falsely authenticate a session. This option monitors only WorldClient connections.

Block IPs for this many minutes

When an IP address is automatically blocked, this is the number of minutes the block will last. When the block expires the IP address will be able to connect to you again normally. This feature prevents you from accidentally blocking a valid IP address permanently.

Advanced

Click this button to open the Dynamic Screen's WorldClient block list. This lists all IP addresses that have been blocked from connecting to WorldClient. You can manually add IP addresses and the number of minutes to block them by listing them one entry per line in the form: IP_address<space>Minutes. For example, 192.0.2.0 60.