3
Spammer login attempts
Question asked by Rabie Ayyach - 1/4/2016 at 1:33 PM
Unanswered
I routinely see messages in the SMTP log that show login attempts on addresses that don't exist on my server. Because these accounts don't exist, the login attempts obviously fail.
 
What can I do to prevent these attempts? So far I've been putting an SMTP block on any IP addresses I see these attempts come from, but could this result in email not getting to my users?

4 Replies

0
Rabie Ayyach Replied
Anyone?
1
Bruce Barnes Replied
Sounds like you may be the victim of BRUTE FORCE PASSWORD attacks.

We recently picked up a customer in France, who runs SmarterMail, and that was a huge issue for them.

We configured SmarterMail ABUSE DETECTION capabilities, available under SECURITY ===> ADVANCED SETTINGS and that has helped a lot.  After 10 attempts in 5 minutes, the IP address attempting to hack the server is blocked for 45 days (SmarterMail 14.4.5801), or until the SmarterMail service is restarted or the server rebooted:
 
  • POP Password Brute Force Protection Settings
  • SMTP Password Brute Force Protection Settings
  • IMAP Password Brute Force Protection Settings
  • XMPP Password Brute Force Protection Settings
 
We run these same settings on both our SmarterMail server, and the SmarterMail servers of several other clients, and have no issues with blocked e-mail.
 
Versions prior to SmarterMail 14.4.XXXX had some issues, but, if my memory serves me right, SmarterTools' developers tuned the code to not block legitimate accounts and that problem has disappeared.
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
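The rule described above ("10 attempts in 5 minutes, then block the IP") is a sliding-window threshold. The following Python script is an added example, not SmarterMail's code or anything from the posters in this thread; it runs the same kind of rule over a constructed set of SMTP authentication log lines (the line format, the IP addresses and the account names are all made up for the example and do not match SmarterMail's real log layout). It shows why the automated rule is safer than blanket manual IP blocks: a real user who mistypes a password a few times, or an IP whose failures are spread out over time, never accumulates enough failures inside one window, while an IP hammering non-existent accounts trips the rule within minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (NOT SmarterMail's real SMTP log layout):
#   "YYYY-MM-DD HH:MM:SS <client-ip> AUTH <OK|FAIL> <login-name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) AUTH (?P<result>OK|FAIL) (?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, ip, result, user); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return (ts, m["ip"], m["result"], m["user"])


def find_offenders(lines, max_failures=10, window_minutes=5):
    """Return {ip: timestamp of the failed login that tripped the rule}.

    An IP is flagged as soon as it has max_failures failed logins inside any
    window_minutes-long sliding window. Successful logins are ignored and
    failures older than the window are expired, so a slow trickle of mistakes
    from a real user never reaches the threshold.
    """
    window = timedelta(minutes=window_minutes)
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, ip, result, _user in records:
        if result != "FAIL" or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = ts
    return flagged


# Constructed sample log (documentation-range IPs, made-up account names).
SAMPLE_LOG = (
    # 203.0.113.7: 12 failures in under 3 minutes against accounts that do not exist
    [f"2016-01-04 13:{i // 4:02d}:{(i % 4) * 15:02d} 203.0.113.7 AUTH FAIL ghost{i}@example.com"
     for i in range(12)]
    # 198.51.100.20: a real user mistypes the password three times, then logs in
    + ["2016-01-04 13:01:00 198.51.100.20 AUTH FAIL alice@example.com",
       "2016-01-04 13:01:30 198.51.100.20 AUTH FAIL alice@example.com",
       "2016-01-04 13:02:00 198.51.100.20 AUTH FAIL alice@example.com",
       "2016-01-04 13:02:30 198.51.100.20 AUTH OK alice@example.com"]
    # 192.0.2.9: 10 failures in total, but one every two minutes (never 10 in any 5-minute window)
    + [f"2016-01-04 13:{2 * i:02d}:00 192.0.2.9 AUTH FAIL admin@example.com" for i in range(10)]
    + ["this line is not an auth record and is skipped"]
)

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} tripped the rule at {when:%H:%M:%S}")
```

With the defaults from the thread only 203.0.113.7 is flagged; the three mistakes from 198.51.100.20 and the slow series from 192.0.2.9 stay under the threshold. Lowering max_failures to 3 flags all three, which is the trade-off to keep in mind when tuning these numbers: tighter settings catch slower attackers but start to catch users who fat-finger a password.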
0
Rabie Ayyach Replied
Thanks for the info, I have added those Password Brute Force rules.
 
A couple of questions: Should I remove the manual IP blacklist entries I've added based on these attacks?
 
We appear to have a DOS entry for SMTP, added by the previous mail admin. Is this necessary? Should we add an IMAP entry as well, or in place of?
0
Bruce Barnes Replied
I would remove all of the prior blocks and build all of them based on what I entered in my previous posting.

You should also consider removing any blacklisting, whitelisting and SMTP AUTH BYPASS entries for the domain name and/or IP address.  Removing these entries will allow SmarterMail to automate the process and give you accurate data in the reporting screen.
 
Remember, this may take up to 72 hours to see results.  They will be displayed (listed) under MANAGE ===> CURRENT IDS BLOCKS ===> ALL BLOCKS, by IP ADDRESS, and, depending on the version of SmarterMail you are running, will show:
  • IP Address
  • Location
  • SERVICE Blocked
  • Detection Type
  • Rule Triggering Block
with each of the columns being sortable.
 
 
