[BlueOnyx:11869] Whitelist IPs in Failed logins?

Roy Urick rurick at usa.net
Wed Dec 26 17:44:50 -05 2012


We are transitioning from BO to Exchange. As we transition we are using 
a tool called popcon to run the two servers in parallel as we slowly 
migrate our users. We still have about 30 days to go before we are 
totally off, and we have a REALLY bad issue.

A while back we were seeing host blocks occurring even when they were well 
within the threshold of failures per hour, so we disabled both user and 
host blocking. The problem went away.

Today I noticed that we are under some sort of user dictionary attack 
(trying a list of user first names in alphabetical order: bill@, bob@, Burt@, 
Cassie@, Catie@, Doug@, etc.) from a web host with a not-so-great 
reputation, Webexxpurts.com. Seeing from comments on the web that they 
don't even accept abuse reports from others abused by their servers, I 
didn't bother reporting and tried blocking at my firewall. No immediate 
joy (and I'm not sure why).

As soon as I turned on my host block at a respectable 50/1h, all 
attempts from that Webexxpress IP were blocked. However, I started seeing 
SOME of my internal POP logins fail WELL below the threshold. The GUI 
shows <20 fails and a status of green, but still some logins are failing. 
As soon as I turn off the host block, or reset the host blocks, I can 
see in the maillog that the server starts allowing the previously blocked 
logins again (so I know it's not a bad-password issue on the client or 
mailbox). And as far as I can tell, it's not ALL of the mailboxes that are 
failing, only certain ones, but they are ALL behind the same public 
IP. The Blocked Users screen is empty.


Now that I think about it, I got the alert that things were getting 
blocked BEFORE I turned on the host blocking today. Going into the 
maillog is where I first noticed the attack. But turning it on and back 
off fixed the original POP login problem. It's almost like it's a related 
problem that is corrected (coincidentally) by cycling the PAM ABL.

Is there a way to whitelist my internal IP(s) so that I can block the 
world but not my Popcon server? Or do we think it's a separate issue 
since the blocks are happening below the threshold?
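The decision the poster wants from host blocking (count failures per source over a trailing hour, block at 50, but never block the internal Popcon host) is easy to state precisely, so here is an added example of that logic, written for this page and not taken from the original post, BlueOnyx or pam_abl. It replays constructed POP login log lines, exempts any source inside a whitelist of networks before applying the threshold, and also flags a source whose tried usernames run in alphabetical order, the pattern described above. The log line format, the IP addresses (198.51.100.7, 192.0.2.10, 203.0.113.5), the usernames, the 192.0.2.0/24 whitelist and the 50/1h threshold are all assumptions for the example; BlueOnyx's real maillog lines and pam_abl's own configuration syntax are different and are not reproduced here.

```python
"""Added example, not code from the original post, BlueOnyx or pam_abl.

It replays constructed POP login log lines and makes the host-blocking
decision described in the post (block a source after 50 failures in one
hour), but first exempts internal networks on a whitelist, and flags a
source whose tried usernames run in alphabetical order. The log format,
IPs, usernames and thresholds are all assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log line shape, loosely dovecot-like (assumption):
#   2012-12-26T16:00:00 pop3-login: auth failed user=<bob@example.com> rip=198.51.100.7
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) pop3-login: "
    r"(?P<result>auth failed|login ok) user=<(?P<user>[^>]*)> rip=(?P<ip>[0-9.]+)$"
)


def parse_line(line):
    """Return (timestamp, failed, user, ip), or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"] == "auth failed", m["user"], m["ip"]


def is_alpha_sweep(users, min_names=5):
    """True if the local parts tried, case-folded, form a strictly increasing run."""
    names = []
    for u in users:
        local = u.split("@", 1)[0].lower()
        if not names or local != names[-1]:   # collapse immediate retries of one name
            names.append(local)
    return len(names) >= min_names and all(a < b for a, b in zip(names, names[1:]))


def analyse(lines, whitelist=(), threshold=50, window=timedelta(hours=1)):
    """Replay log lines in order and return which sources would be blocked.

    A source is 'blocked' once it has >= threshold failures inside any
    trailing window; a whitelisted source that crosses the same line is
    reported as 'exempt' instead, so it stays visible but is never blocked.
    """
    nets = [ip_network(n) for n in whitelist]
    recent = defaultdict(deque)     # ip -> failure timestamps inside the window
    peak = defaultdict(int)         # ip -> highest failure count seen in one window
    tried = defaultdict(list)       # ip -> usernames tried, in order
    blocked, exempt = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, failed, user, ip = rec
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        tried[ip].append(user)
        if len(q) >= threshold:
            if any(ip_address(ip) in net for net in nets):
                exempt.add(ip)
            else:
                blocked.add(ip)
    sweeps = {ip for ip, users in tried.items() if is_alpha_sweep(users)}
    return {"blocked": blocked, "exempt": exempt, "sweeps": sweeps,
            "peak_failures": dict(peak)}


def make_sample_log():
    """Constructed sample log (not real traffic): an external alphabetical
    sweep, an internal poller with many failures, and a quiet third host."""
    t0 = datetime(2012, 12, 26, 16, 0, 0)

    def line(offset, result, user, ip):
        ts = (t0 + offset).isoformat(timespec="seconds")
        return f"{ts} pop3-login: {result} user=<{user}@example.com> rip={ip}"

    lines = []
    # 198.51.100.7 (assumed attacker): 60 failures in 30 minutes, names in
    # alphabetical order with mixed case, like the bill@, bob@, Burt@ ... above.
    names = ["bill", "bob", "burt", "cassie", "catie", "doug"]
    names += [c + d for c in "efghijklmnopqrstuvwxyz" for d in "abc"]
    for i, name in enumerate(names[:60]):
        user = name.capitalize() if i % 2 else name
        lines.append(line(timedelta(seconds=30 * i), "auth failed", user, "198.51.100.7"))
    # 192.0.2.10 (assumed internal popcon host): 55 failures in 55 minutes from
    # a few mailboxes being retried, plus some successful logins in between.
    for i in range(55):
        user = ["ops", "anna", "bob"][i % 3]
        lines.append(line(timedelta(minutes=i), "auth failed", user, "192.0.2.10"))
    for i in range(5):
        lines.append(line(timedelta(minutes=10 * i, seconds=5), "login ok", "ops", "192.0.2.10"))
    # 203.0.113.5: three stray failures, well under any threshold.
    for i, user in enumerate(["zed", "abe", "zed"]):
        lines.append(line(timedelta(minutes=20 * i), "auth failed", user, "203.0.113.5"))
    return sorted(lines)   # ISO timestamps sort lexicographically


if __name__ == "__main__":
    log = make_sample_log()
    print("no whitelist:   ", analyse(log)["blocked"])
    print("with whitelist: ", analyse(log, whitelist=["192.0.2.0/24"]))
```

Run without a whitelist, the internal host is blocked alongside the attacker because the raw count is all the rule sees; with 192.0.2.0/24 whitelisted it is reported as exempt instead, while the external sweep is still blocked and flagged. The whitelist check runs before the block decision rather than after it, which is the property to look for in whatever mechanism ends up doing this on the real server.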
