I also have this problem. Spam filters these days do not let us specify the user’s email in the From field of emails generated by web forms, so using the Reply-To header is a must. Unfortunately, OroCRM does not even *show* the Reply-To address in the email view, let alone correctly categorize the message and send the reply to the correct address.
Noticed another problem that may or may not be related: only inside the table on the “My Emails” page, all emails from the Sent folder are shown with a date of “Jan 3, 1” (that is: January 3, 2001). The correct date is shown if I click on an email, and also under Activity on the My User page.
We have yet to develop the logging of login attempts; however, we have kept this feature on our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet, though.
Thank you for the information. I’ll look into implementing this log and possibly sending an MR once I have time.
To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.
(Sorry for changing the subject, but) I’d advise blacklisting remote addresses instead. Otherwise, once a login name appears in bots’ lists, it becomes effectively unusable even though the user did nothing wrong.
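
The trade-off raised in the last two posts, as an added example that is not part of the thread and is not OroCRM code: the same constructed sequence of login attempts is replayed once with failures counted per account and once per remote address. The threshold, the time window, the addresses and the sliding-window model (a simplification of account deactivation) are all assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3   # assumed threshold, not an OroCRM setting
WINDOW = 300       # assumed sliding window in seconds


class FailureTracker:
    """Counts failed logins per key inside a sliding time window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)

    def blocked(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:   # drop expired failures
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, key, now):
        self.failures[key].append(now)


def replay(events, key_of):
    """Replay (ts, ip, user, password_ok) events; return one outcome each."""
    tracker = FailureTracker()
    outcomes = []
    for ts, ip, user, password_ok in events:
        key = key_of(ip, user)
        if tracker.blocked(key, ts):
            outcomes.append("blocked")
        elif password_ok:
            outcomes.append("ok")
        else:
            tracker.record_failure(key, ts)
            outcomes.append("failed")
    return outcomes


# Constructed sample: one remote address guesses alice's password four
# times, then alice logs in with the right password from another address.
EVENTS = [
    (0, "203.0.113.7", "alice", False),
    (1, "203.0.113.7", "alice", False),
    (2, "203.0.113.7", "alice", False),
    (3, "203.0.113.7", "alice", False),
    (10, "198.51.100.20", "alice", True),
]

by_account = replay(EVENTS, lambda ip, user: user)   # per-account lockout
by_address = replay(EVENTS, lambda ip, user: ip)     # per-address blocking
```

Keying on the address alone does not count guesses spread across many addresses, and it can block unrelated users behind a shared NAT, so the two counters are usually combined rather than swapped.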