Anomaly Detection
- Allows you to receive alerts when KoruMail detects a user/email address has sent messages from multiple IP addresses within a set time interval.
- You can choose to block these users if the outgoing mail IP addresses exceed the number set in this tab.
- This value cannot be '0'. Administrators are expected to set a value between 1 and 10,000 to block users, IP addresses or SMTP Auth requests.
To open the 'Anomaly Detection' screen:
- Click 'SMTP' > 'SMTP-AUTH' on the left menu
- Open the 'Anomaly Detection' tab.
Anomaly Detection Settings – Table of Parameters

| Parameter | Description |
|---|---|
| Enable Anomaly Detection | Enables anomaly detection with the parameters listed directly below this setting. |
| Enable monitoring mode | If enabled, the SMTP-AUTH controller monitors authorization requests from the specified IP addresses. |
| Interval (min) | The auditing time period for anomaly detection. To use the default settings as an example, a user will be blocked if detected IP addresses exceed 100 in any 30-minute period. Administrators will receive an alert if more than 30 IPs are detected in 30 minutes. |
| Number of failed SMTP-AUTH requests from a same IP to block that IP | Number of failed SMTP-AUTH requests from a particular IP before it is rejected. |
| Number of users from the same IP that makes failed SMTP-AUTH requests | The minimum number of users with the same IP address that can make failed SMTP-AUTH requests. Any request beyond the threshold set will not be processed. |
| Number of different IP addresses that makes successful SMTP-AUTH requests with same username | The minimum number of different IP addresses that can make successful SMTP-AUTH requests with the same username. Any request beyond the threshold set will not be processed. |
- Click the 'Save' button to apply your changes.
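
The three counters in the parameter table, worked through on a constructed event stream. This is an added example, not KoruMail's code: the class and function names, the "beyond the threshold" comparison, and the values 5 and 3 for the two failed-request thresholds are assumptions; the 30-minute interval and the 30/100 IP thresholds are the page's example values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=30)  # "Interval (min)"; 30 is the page's example
ALERT_IPS, BLOCK_IPS = 30, 100    # alert / block thresholds from the page's example
MAX_FAILS_PER_IP = 5              # assumed value, not given on the page
MAX_USERS_PER_IP = 3              # assumed value, not given on the page

class AuthAnomalyDetector:
    def __init__(self):
        self.ok_by_user = defaultdict(deque)  # user -> (ts, ip) of successful auths
        self.fail_by_ip = defaultdict(deque)  # ip -> (ts, user) of failed auths

    @staticmethod
    def _window(q, item):
        q.append(item)
        while item[0] - q[0][0] > INTERVAL:   # drop events older than the interval
            q.popleft()
        return q

    def observe(self, ts, user, ip, success):
        """Record one SMTP-AUTH event; return (action, subject) findings."""
        if success:
            q = self._window(self.ok_by_user[user], (ts, ip))
            ips = len({i for _, i in q})      # distinct source IPs for this username
            if ips > BLOCK_IPS:
                return [("block_user", user)]
            return [("alert_user", user)] if ips > ALERT_IPS else []
        q = self._window(self.fail_by_ip[ip], (ts, user))
        findings = []
        if len(q) > MAX_FAILS_PER_IP:         # failed requests from one IP
            findings.append(("block_ip_failed_auth", ip))
        if len({u for _, u in q}) > MAX_USERS_PER_IP:  # distinct users failing from one IP
            findings.append(("block_ip_many_users", ip))
        return findings

def replay(events):  # events: (ts, user, ip, success) tuples in time order
    det, out = AuthAnomalyDetector(), []
    for ev in events:
        out.extend(det.observe(*ev))
    return out

# Constructed sample: one account from 31 addresses, then one address failing on 4 accounts.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [(T0 + timedelta(seconds=30 * n), "alice@example.test", f"198.51.100.{n}", True)
          for n in range(31)]
SAMPLE += [(T0 + timedelta(minutes=20, seconds=n), f"user{n}@example.test", "203.0.113.9", False)
           for n in range(4)]

if __name__ == "__main__": print(replay(SAMPLE))
```

Replaying a day of real SMTP-AUTH log events through `replay` with candidate thresholds shows how many users and addresses a setting would have alerted on or blocked, which is the same question monitoring mode answers before blocking is switched on.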