In the most recent version of Serv-U, you can have emails sent based on specific events that are triggered. Within the events you can have filters using values and operators. This works extremely well. However, there is a situation that arises when attackers use an automated dictionary attack that floods the destination server and generates thousands of emails within minutes.
How blocking works in Serv-U.
In the global and domain level settings you set it to block an IP address that connects a certain number of times within a certain time period, for a determined amount of time. If you want to be alerted to an IP address that has been blocked for hammering, you set up the appropriate event to distribute the email. This works as designed. However, the emailed alerts behave differently depending on the type of attack.
For instance, the same user connecting 100 times within 5 minutes generates a single denied IP alert email.
However, a dictionary attack where a different user is used for each connection will generate an email per user per connection. If the dictionary list has a thousand users and the attacker's bandwidth is plentiful, that translates to a thousand emails within a few minutes.
The solution would be to code some sort of alert flood control. I am not aware of such a mechanism in Serv-U. I am asking the community or trolling SolarWinds support representatives if there is a solution/workaround.
Regards,
JD
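
Added example, not part of the original post and not Serv-U functionality: one way to sketch the alert flood control described above, by keying alerts on the source IP instead of on the user, so a dictionary run from one address yields one email plus a suppressed-event summary. It assumes the denied-IP events reach a script of your own as (timestamp, source IP, username) values; the class name, window length and sample addresses are hypothetical and constructed.

```python
class AlertThrottle:
    """Send one alert per source IP per window; count the rest instead of mailing them."""

    def __init__(self, window=300):
        self.window = window  # seconds during which repeat events from an IP are suppressed
        self.state = {}       # ip -> [window_start, suppressed_count, set_of_usernames]

    def feed(self, ts, ip, user):
        """Return the alert text to email, or None if this event is suppressed."""
        entry = self.state.get(ip)
        if entry and ts - entry[0] < self.window:
            entry[1] += 1       # same IP, still inside the window: count it, no email
            entry[2].add(user)
            return None
        # First event from this IP in a new window: alert once and report
        # what was suppressed during the previous window, if anything.
        note = ""
        if entry and entry[1]:
            note = (f" (previous window: {entry[1]} further events, "
                    f"{len(entry[2])} distinct users)")
        self.state[ip] = [ts, 0, {user}]
        return f"Denied IP {ip}, first user {user!r}{note}"

    def flush(self):
        """Return summaries for suppressed events that were never reported."""
        out = [f"{ip}: {n} suppressed events, {len(users)} distinct users"
               for ip, (_start, n, users) in sorted(self.state.items()) if n]
        self.state.clear()
        return out


def demo():
    """Constructed input: a 1000-name dictionary run from one IP, plus one unrelated hit."""
    throttle = AlertThrottle(window=300)
    sent = []
    for i in range(1000):  # five connections per second, a different user each time
        alert = throttle.feed(i * 0.2, "203.0.113.7", f"user{i}")
        if alert:
            sent.append(alert)
    alert = throttle.feed(10.0, "198.51.100.9", "admin")
    if alert:
        sent.append(alert)
    return sent, throttle.flush()


if __name__ == "__main__":
    emails, summaries = demo()
    print(len(emails), "emails instead of 1001")
    print("\n".join(emails + summaries))
```

The summary line preserves the signal a responder needs (how many attempts and how many distinct usernames) without one email per attempt.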