Advanced AI-powered threat detection, IP reputation tracking, anomaly detection, and automated security responses.
- Instant notifications for security events via email, webhook, or Slack.
- Dynamic scoring system that tracks sender IP behavior over time.
- AI-powered detection of compromised accounts based on sending patterns.
- Automatic blocking of IPs based on configurable behavior rules.
- Email, Webhook, and Slack integration for instant alert delivery.
- Daily, weekly, and monthly reports delivered to your inbox.
The Security Intelligence System operates across two main components that work together to protect your mail server.
The Alert System provides real-time notifications for security events, helping you stay informed about potential threats.
| Type | Description | Severity |
|---|---|---|
| compromised_account | Anomaly detected in sender behavior | Critical |
| quota_exceeded | User exceeds sending quota | Critical |
| ip_spike | IP with many rejections detected | Warning |
| auto_blacklist | IP automatically blacklisted | Warning |
| rbl_block_spike | Spike in RBL blocks | Warning |
| geo_block_spike | Spike in geographic blocks | Info |
The IP Reputation system tracks the behavior of sender IPs over time and assigns a dynamic score that determines how emails are processed.
| Event | Score Change | Effect |
|---|---|---|
| Email Accepted | +1 | IP gains trust |
| Email Rejected | -5 | IP loses trust significantly |
| Email Deferred | -2 | IP loses some trust |
| Inactivity Recovery | +5 | Inactive IPs gradually recover reputation |
When an IP has a low reputation score and becomes inactive (stops sending emails), the system automatically helps it recover:
1. Every 6 hours, the Recovery worker checks for IPs that haven't sent emails in the configured Decay Days period (default: 7 days).
2. Those inactive IPs receive +5 points (configurable via Decay Amount) per cycle, gradually improving their score.
3. This ensures that IPs that were temporarily bad (e.g., compromised then fixed) can eventually return to normal status.
Example: An IP blocked at score 5 will recover to 50+ after approximately 2 weeks of inactivity (receiving +5 points every 6 hours once the Decay Days threshold is met).
Block Threshold: Default is 10. IPs with score ≤ 10 are automatically blocked. Set to 0 or negative values to disable blocking.
Score Range: 0-100 (MinScore=0, MaxScore=100). New IPs start at 50 (InitialScore).
Skip Greylist Threshold: Default is 80. IPs with score ≥ 80 skip greylisting.
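The scoring, clamping, threshold and recovery rules above, worked through as an added example (not SecZim's own code; class and function names are assumptions, the constants are the documented defaults):

```python
from dataclasses import dataclass

# Documented defaults (see the thresholds above).
INITIAL_SCORE, MIN_SCORE, MAX_SCORE = 50, 0, 100
BLOCK_THRESHOLD = 10          # score <= 10 is blocked; 0 or negative disables blocking
SKIP_GREYLIST_THRESHOLD = 80  # score >= 80 skips greylisting
DECAY_AMOUNT, DECAY_DAYS = 5, 7
RECOVERY_INTERVAL_HOURS = 6   # the Recovery worker runs every 6 hours

# Score change per delivery event, from the reputation table.
SCORE_CHANGE = {"accepted": +1, "rejected": -5, "deferred": -2}


@dataclass
class IpReputation:
    score: int = INITIAL_SCORE

    def record(self, event: str) -> int:
        """Apply one delivery event and clamp the score to MinScore..MaxScore."""
        self.score = max(MIN_SCORE, min(MAX_SCORE, self.score + SCORE_CHANGE[event]))
        return self.score

    def is_blocked(self) -> bool:
        return BLOCK_THRESHOLD > 0 and self.score <= BLOCK_THRESHOLD

    def skips_greylist(self) -> bool:
        return self.score >= SKIP_GREYLIST_THRESHOLD


def recovery_cycle(rep: IpReputation, hours_inactive: float) -> int:
    """One Recovery worker pass: an IP inactive for at least Decay Days
    gains Decay Amount, capped at MaxScore. Returns the new score."""
    if hours_inactive >= DECAY_DAYS * 24:
        rep.score = min(MAX_SCORE, rep.score + DECAY_AMOUNT)
    return rep.score


def simulate_inactivity(rep: IpReputation, days: int) -> int:
    """Run the worker over `days` of silence from the IP and return the final score."""
    cycles = days * 24 // RECOVERY_INTERVAL_HOURS
    for i in range(1, cycles + 1):
        recovery_cycle(rep, i * RECOVERY_INTERVAL_HOURS)
    return rep.score
```

Nine rejections take a new IP from 50 to 5 and below the block threshold; the recovery worker only starts adding points once the IP has been silent for the full Decay Days period.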
The Anomaly Detection system identifies potentially compromised email accounts by analyzing sending patterns and comparing them to established baselines.
The Anomaly Detection module has two separate toggles that control its behavior: Module Enabled and Auto-Block.
Module Enabled:
When Enabled: The system actively monitors all outbound emails for anomalies, comparing sending patterns against learned baselines.
When Disabled: The module is completely off - no monitoring, no detection, no alerts.
Auto-Block:
When Enabled: Detected anomalies result in automatic blocking of the sender.
When Disabled: Anomalies are detected and logged (alerts created), but senders are NOT automatically blocked.
| Module Enabled | Auto-Block | Behavior |
|---|---|---|
| ON | ON | Full protection - detects anomalies AND automatically blocks senders |
| ON | OFF | Monitor mode - detects and logs anomalies, creates alerts, but does NOT block |
| OFF | N/A | Module disabled - no monitoring, no detection, no alerts |
New installations: Start with Module Enabled and Auto-Block Disabled to monitor your email patterns for a few weeks before enabling automatic blocking.
Production systems: Once you've verified the detection accuracy, enable Auto-Block for automatic protection.
| Metric | Default | Triggers When |
|---|---|---|
| Volume Multiplier | 5x | Sender sends 5x more emails than their average |
| New Recipients Threshold | 50 | Sender emails 50+ never-before-seen recipients |
| Min Baseline Days | 7 | Minimum days of history needed before detection activates |
New senders need at least 7 days of baseline data before anomaly detection activates for them. During this period, their behavior is recorded but not flagged as anomalous.
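An added example (not SecZim's own code) of how the three metrics and the two toggles combine for one sender: baseline learning during the first 7 days, then volume and new-recipient checks, with Auto-Block deciding whether an anomaly only raises an alert or also blocks. Names are assumptions; thresholds are the documented defaults.

```python
from dataclasses import dataclass, field

VOLUME_MULTIPLIER = 5.0          # flag when today's volume > 5x the daily average
NEW_RECIPIENTS_THRESHOLD = 50    # flag when 50+ recipients were never seen before
MIN_BASELINE_DAYS = 7            # record only, never flag, until this much history exists


@dataclass
class SenderBaseline:
    daily_counts: list = field(default_factory=list)   # emails sent per completed day
    known_recipients: set = field(default_factory=set)

    def average_daily(self) -> float:
        return sum(self.daily_counts) / len(self.daily_counts) if self.daily_counts else 0.0


def evaluate_day(baseline: SenderBaseline, recipients_today: list,
                 module_enabled: bool = True, auto_block: bool = False) -> dict:
    """Compare one day's sending with the baseline.
    Returns {'anomalies': [...], 'alert': bool, 'block': bool}."""
    result = {"anomalies": [], "alert": False, "block": False}
    if not module_enabled:
        return result  # module OFF: no monitoring, no detection, no alerts

    if len(baseline.daily_counts) >= MIN_BASELINE_DAYS:
        if len(recipients_today) > VOLUME_MULTIPLIER * baseline.average_daily():
            result["anomalies"].append("volume")
        unseen = set(recipients_today) - baseline.known_recipients
        if len(unseen) >= NEW_RECIPIENTS_THRESHOLD:
            result["anomalies"].append("new_recipients")

    if result["anomalies"]:
        result["alert"] = True        # compromised_account alert (Critical)
        result["block"] = auto_block  # blocked only when Auto-Block is ON
    else:
        # Learn from normal days only, so an anomalous day does not poison the baseline.
        baseline.daily_counts.append(len(recipients_today))
        baseline.known_recipients.update(recipients_today)
    return result
```

With Module Enabled and Auto-Block OFF (the recommended starting point) the spike day returns an alert but no block; flipping auto_block to True turns the same detection into a block.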
The Auto-Blacklist system automatically blocks IPs that exhibit malicious behavior patterns, based on configurable rules.
| Rule | Trigger | Block Duration |
|---|---|---|
| High Rejection Rate | 10+ rejections in 1 hour | 24 hours |
| Auth Failures | 5+ failed auth attempts in 30 min | 6 hours |
| Spam Score | 5+ high spam score emails in 1 hour | 24 hours |
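The three rules in the table evaluated over constructed log lines, as an added example (not SecZim's own code): each rule is a sliding window over one event kind per IP, and the first time a window fills the IP is recorded with its block expiry. The log line format and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Documented rules: (event kind, count, window, block duration, rule name)
RULES = [
    ("rejection",    10, timedelta(hours=1),    timedelta(hours=24), "High Rejection Rate"),
    ("auth_failure",  5, timedelta(minutes=30), timedelta(hours=6),  "Auth Failures"),
    ("spam_score",    5, timedelta(hours=1),    timedelta(hours=24), "Spam Score"),
]

# Constructed sample log, format "<ISO timestamp> <ip> <event kind>" (an assumption).
_T0 = datetime(2024, 12, 1, 10, 0, 0)
SAMPLE_LOG = sorted(
    # 10 rejections within 45 minutes -> High Rejection Rate
    [f"{(_T0 + timedelta(minutes=5 * i)).isoformat()} 203.0.113.7 rejection" for i in range(10)]
    # 5 auth failures 20 minutes apart -> never 5 inside a 30-minute window, no block
    + [f"{(_T0 + timedelta(minutes=20 * i)).isoformat()} 198.51.100.9 auth_failure" for i in range(5)]
)


def parse_event(line: str) -> tuple:
    ts, ip, kind = line.split()
    return datetime.fromisoformat(ts), ip, kind


def evaluate(lines: list) -> dict:
    """Replay log lines in time order; return {ip: (rule name, blocked_until)}."""
    history = defaultdict(list)  # (ip, kind) -> timestamps still inside the rule window
    blocked = {}
    for line in lines:
        ts, ip, kind = parse_event(line)
        for rule_kind, count, window, duration, name in RULES:
            if kind != rule_kind or ip in blocked:
                continue
            seen = history[(ip, kind)]
            seen.append(ts)
            seen[:] = [t for t in seen if ts - t < window]  # drop events outside the window
            if len(seen) >= count:
                blocked[ip] = (name, ts + duration)
    return blocked
```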
Auto-blacklisted IPs can be:
Configure how you want to receive security alerts. Multiple channels can be active simultaneously.
| Channel | Configuration | Best For |
|---|---|---|
| Email | SMTP server, recipients list | Audit trail, compliance |
| Webhook | HTTP endpoint URL | Integration with external systems |
| Slack | Webhook URL | Team collaboration, real-time alerts |
Understanding which settings can be modified from the dashboard and which are system defaults.
| Setting | Default | Configurable | Description |
|---|---|---|---|
| Module Enabled | true | Yes | Enable/disable the IP Reputation module |
| Block Threshold | 10 | Read-only | IPs with score ≤ this value are blocked |
| Skip Greylist Threshold | 80 | Read-only | IPs with score ≥ this value skip greylisting |
| Decay Amount | 5 | Read-only | Points recovered per decay cycle |
| Decay Days | 7 | Read-only | Days of inactivity before reputation recovers |
| Setting | Default | Configurable | Description |
|---|---|---|---|
| Module Enabled | true | Yes | Enable/disable anomaly detection |
| Auto-Block | false | Yes | Automatically block detected anomalies |
| Volume Multiplier | 5.0x | Read-only | Trigger when sending Nx more emails than average |
| New Recipients Threshold | 50 | Read-only | Trigger when emailing N+ new recipients |
| Min Baseline Days | 7 | Read-only | Days of history needed before detection activates |
Parameters marked as Read-only are displayed in the dashboard for informational purposes but cannot be modified from the web interface. These values are optimized for most environments and can only be changed by modifying the database directly or via API.
Access the Intelligence Dashboard at /intelligence in the SecZim web interface to view all security metrics, active alerts, and system status.
SecZim Security Intelligence System v3.0.0 | Documentation last updated: December 2024