SecurityGateway for Email Servers v10.5

Dynamic Screening

Using the Dynamic Screening feature, SecurityGateway can track the behavior of sending servers to identify suspicious activity and then respond accordingly. For example, with Dynamic Screening you can ban an IP address from future connections to your server once a specified number of "unknown recipient" errors occur during a mail session with that IP address. You can ban senders that connect to your server more than a specified number of times in a specified number of minutes, and you can also ban senders that fail authentication attempts more than a designated number of times. However, a Dynamic Screening ban is not permanent. The IP address is banned only for the number of minutes that you specify on this page. Each banned IP address, and the amount of time that has passed since its ban, is listed in the Blocked IP List at the bottom of the page.

Automatic IP Screening

Enable Dynamic Screening

Click this option to activate the Dynamic Screening feature. Dynamic Screening is disabled by default.

Ban senders who cause this many failed RCPT attempts:

When Dynamic Screening is enabled, an IP address will be temporarily banned when a designated number of RCPT attempts from it fail during an SMTP session. It is a common tactic of spammers to send many RCPT commands, many of them for invalid addresses. The default value for this option is 10.

Ban senders that connect more than [xx] times in [xx] minutes

This option designates how many times someone is allowed to connect to SecurityGateway in a given number of minutes. If they exceed that number of connections in the specified time then they will be temporarily banned. This option is disabled by default.

Ban senders that fail this many authentication attempts:

This is the number of times that a sender may fail to authenticate before being temporarily banned. Someone using an incorrect password is an example of something that would cause a failed authentication attempt. By default, if a sender fails to authenticate 3 times their IP address will be temporarily banned. Clear this checkbox if you do not wish to ban these senders, regardless of the number of failed attempts.

Ban senders for this many minutes:

This is the number of minutes that an IP address will be banned when it violates one of the restrictions above. The default length of time that an IP address will be banned is 10 minutes.

Close SMTP session after banning sender

When an IP address is banned, by default the SMTP session will be closed immediately. In other words, the session will not be allowed to continue through any further steps in the normal SMTP protocol; the connection will be cut. Clear this checkbox if you do not wish to immediately end the connection with a banned IP address.

Exclusions

Exclude messages from allowlisted IP addresses and hosts

By default, all allowlisted IP addresses and hosts are exempt from the Dynamic Screening restrictions. Clear this checkbox if you wish to require even allowlisted IPs and hosts to adhere to these restrictions.

Exclude messages from authenticated sessions

When an incoming message is being sent over an authenticated session, it will be exempt from the Dynamic Screening restrictions by default. Uncheck this box if you wish to apply the restrictions to authenticated sessions as well.

Exclude messages from domain mail servers

Messages coming from one of your domain mail servers are exempt from Dynamic Screening by default. Clear this checkbox if you do not wish to exclude domain mail servers from Dynamic Screening restrictions.

Blocked IP List

This area lists all currently banned IP addresses and the amount of time that has passed since each was banned. You can remove an entry from the list by selecting it and clicking the delete button on the toolbar above the list.
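
The following Python model is an added illustration of how the thresholds, the temporary ban and the allowlist exclusion described on this page interact; it is not SecurityGateway code. The class and method names are hypothetical. It assumes thresholds are evaluated once per session summary, that authentication failures accumulate per IP address across sessions, and it models only the allowlist exclusion.

```python
from collections import defaultdict, deque

class DynamicScreen:
    """Toy model of the settings described above; all times are in seconds."""

    def __init__(self, max_failed_rcpt=10, max_auth_fail=3, ban_minutes=10,
                 max_conn=None, conn_minutes=0, allowlist=()):
        self.max_failed_rcpt = max_failed_rcpt  # page default: 10
        self.max_auth_fail = max_auth_fail      # page default: 3
        self.ban_seconds = ban_minutes * 60     # page default: 10 minutes
        # max_conn=None means the connection-rate rule is off (page default)
        self.max_conn, self.conn_window = max_conn, conn_minutes * 60
        self.allowlist = set(allowlist)         # exempt, as in the default exclusion
        self.banned_at = {}                     # ip -> time the ban started
        self.conns = defaultdict(deque)         # ip -> recent connection times
        self.auth_fails = defaultdict(int)      # assumption: counted per IP

    def is_banned(self, ip, now):
        t = self.banned_at.get(ip)
        return t is not None and now - t < self.ban_seconds  # bans expire

    def _ban(self, ip, now):
        if ip not in self.allowlist:
            self.banned_at[ip] = now
        return ip not in self.allowlist

    def on_connect(self, ip, now):
        """Return True if the connection is accepted."""
        if self.is_banned(ip, now):
            return False
        if self.max_conn is not None:
            q = self.conns[ip]
            q.append(now)
            while now - q[0] > self.conn_window:
                q.popleft()                     # drop connections outside the window
            if len(q) > self.max_conn:
                return not self._ban(ip, now)
        return True

    def on_session(self, ip, now, failed_rcpt=0, failed_auth=0):
        """Apply the RCPT and authentication thresholds; True if the IP is banned."""
        self.auth_fails[ip] += failed_auth
        if (failed_rcpt >= self.max_failed_rcpt
                or self.auth_fails[ip] >= self.max_auth_fail):
            self.auth_fails[ip] = 0
            return self._ban(ip, now)
        return False

    def blocked_list(self, now):
        return {ip: now - t for ip, t in self.banned_at.items()
                if self.is_banned(ip, now)}     # ip -> seconds since ban
```

Replaying a day of SMTP log summaries through a model like this is a quick way to see how many legitimate senders a proposed threshold would have banned before changing the live settings.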