getting Smtp authentication failed error
Problem reported by Syed Noman - May 16, 2016 at 10:08 PM
Submitted
I am continuously getting the following messages in the SMTP logs, and my IP is getting listed. Please assist.
 
09:13:59 [43.245.8.144][29276824] rsp: 535 Authentication failed 
09:14:01 [43.245.8.144][65946726] rsp: 535 Authentication failed 
09:14:03 [43.245.8.144][9573966] rsp: 535 Authentication failed 
09:14:13 [43.245.8.144][81010] rsp: 535 Authentication failed 
09:14:15 [43.245.8.144][13366701] rsp: 535 Authentication failed 
09:14:17 [43.245.8.144][58022112] rsp: 535 Authentication failed 
09:14:25 [43.245.8.144][43569430] rsp: 535 Authentication failed 
09:14:27 [43.245.8.144][8307625] rsp: 535 Authentication failed 
09:14:29 [43.245.8.144][28580971] rsp: 535 Authentication failed 
09:18:54 [91.197.232.50][33621087] rsp: 535 Authentication failed 
09:29:45 [43.245.8.144][22526009] rsp: 535 Authentication failed 
09:29:47 [43.245.8.144][39938672] rsp: 535 Authentication failed 
09:29:49 [43.245.8.144][62195638] rsp: 535 Authentication failed 
09:33:47 [91.197.232.50][16683150] rsp: 535 Authentication failed 
09:44:22 [103.228.156.108][34860886] rsp: 535 Authentication failed 
09:45:13 [43.245.8.144][9097836] rsp: 535 Authentication failed 
09:46:03 [43.245.8.144][44335349] rsp: 535 Authentication failed 
09:46:04 [43.245.8.144][31397231] rsp: 535 Authentication failed 
09:48:41 [91.197.232.50][49742466] rsp: 535 Authentication failed 
____________________________________________
 
LOGIN CRAM-MD5 250 OK 
09:48:40 [91.197.232.50][49742466] cmd: RSET
09:48:40 [91.197.232.50][49742466] rsp: 250 OK 
09:48:41 [91.197.232.50][49742466] cmd: AUTH LOGIN
09:48:41 [91.197.232.50][49742466] rsp: 334 VXNlcm5hbWU6 
09:48:41 [91.197.232.50][49742466] rsp: 334 UGFzc3dvcmQ6 
09:48:41 [91.197.232.50][49742466] rsp: 535 Authentication failed 
09:48:41 [91.197.232.50][49742466] cmd: QUIT
09:48:41 [91.197.232.50][49742466] rsp: 221 Service closing transmission channel 
09:48:41 [91.197.232.50][49742466] disconnected at 5/17/2016 9:48:41 AM
09:51:06 [43.245.8.144][31397231] rsp: 421 Command timeout, closing transmission channel 
09:51:06 [43.245.8.144][31397231] disconnected at 5/17/2016 9:51:06 AM
 

4 Replies

0
Matthew Leyda Replied
May 17, 2016 at 6:53 AM
Take a look at your logs and see if the EHLO is "EHLO ylmf-pc". If it is, use the SMTP blocking rule to limit its access.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
1
Matthew Leyda Replied
May 17, 2016 at 8:24 AM
Log in as the System Admin
Go to Security > SMTP Blocking, then click on NEW and select Block Type "EHLO Domain". Enter ylmf-pc in Blocked Address; Description can be anything you want. Then save it and you are done.
 
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Syed Noman Replied
May 23, 2016 at 10:35 PM
anyone???
1
Scarab Replied
May 24, 2016 at 11:25 AM
Syed,

These are distributed Brute-Force Attempts from a botnet (YLMF-PC) to send via SMTP Authentication. As your version of SmarterMail (8.x) does not have the ability to block SMTP connections by their EHLO, the only options you have are as follows:

A.) Simply ignore these connections. If you are enforcing strong passwords for your users it is highly unlikely they will ever successfully connect. Everything is working as it should.
 
B.) Configure your Abuse Detection for SMTP to be more strict. You can do this under SECURITY > ADVANCED SETTINGS > ABUSE DETECTION and modify your Password Brute Force By Protocol rule as follows:
 
Detection Type: Password Brute Force by Protocol
Service: SMTP
Time Frame: 1440 Minutes
Failures Before Block: 3
Time to Block: 43200 Minutes
Description: SMTP Brute Force

Eventually IP Addresses in the YLMF-PC botnet will begin to get blocked.

Note that customers may begin to get their Outgoing SMTP blocked by the same Abuse Detection rule, as if they put in a wrong password in their email client (like when they get a new phone), their email client will probably trigger the same Abuse Detection rule within 15-45 minutes.

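The two mitigations suggested in this thread (blocking sessions whose EHLO is "ylmf-pc", and the "Password Brute Force by Protocol" rule with 3 failures in 1440 minutes giving a 43200-minute block) can be dry-run against a day's SMTP log before touching the server. The script below is an added example, not part of the thread and not SmarterMail's own code: it parses the `HH:MM:SS [ip][session] cmd|rsp: text` line format shown in the original post, counts `535` responses per client IP in a sliding window with Scarab's parameters, records which IPs would have been blocked and for how long, and separately lists IPs that sent the `EHLO ylmf-pc` greeting. The sample log lines are constructed (they mirror the post's format and reuse two of its IPs, plus a documentation-range IP standing in for a legitimate customer); the log day is assumed because the lines carry no date.

```python
import re
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Rule parameters from Scarab's suggested Abuse Detection settings.
TIME_FRAME = timedelta(minutes=1440)
FAILURES_BEFORE_BLOCK = 3
TIME_TO_BLOCK = timedelta(minutes=43200)

# Assumed log day: SmarterMail lines carry only a time, so the caller supplies the date.
LOG_DAY = date(2016, 5, 17)

# Constructed sample log in the format shown in the original post.
# 43.245.8.144 behaves like the botnet (EHLO ylmf-pc, repeated 535s);
# 192.0.2.10 plays a customer who mistypes a password twice, then succeeds.
SAMPLE_LOG = """\
09:13:58 [43.245.8.144][29276824] cmd: EHLO ylmf-pc
09:13:59 [43.245.8.144][29276824] rsp: 535 Authentication failed
09:14:01 [43.245.8.144][65946726] rsp: 535 Authentication failed
09:14:03 [43.245.8.144][9573966] rsp: 535 Authentication failed
09:14:13 [43.245.8.144][81010] rsp: 535 Authentication failed
09:18:54 [91.197.232.50][33621087] rsp: 535 Authentication failed
09:20:10 [192.0.2.10][1001] cmd: EHLO iphone
09:20:11 [192.0.2.10][1001] rsp: 535 Authentication failed
09:20:40 [192.0.2.10][1002] rsp: 535 Authentication failed
09:21:05 [192.0.2.10][1003] rsp: 235 Authentication successful
"""

LINE_RE = re.compile(r'^(\d{2}:\d{2}:\d{2}) \[([^\]]+)\]\[(\d+)\] (cmd|rsp): (.*)$')


def parse_line(line, log_day):
    """Return a dict for one log line, or None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    clock = datetime.strptime(m.group(1), '%H:%M:%S').time()
    return {'ts': datetime.combine(log_day, clock), 'ip': m.group(2),
            'session': m.group(3), 'kind': m.group(4), 'text': m.group(5).strip()}


def is_auth_failure(rec):
    """SMTP 535 is the 'authentication credentials invalid' reply."""
    return rec['kind'] == 'rsp' and rec['text'].startswith('535')


def ehlo_name(rec):
    """Lower-cased greeting name from an EHLO/HELO command, else None."""
    if rec['kind'] != 'cmd':
        return None
    parts = rec['text'].split(None, 1)
    if len(parts) == 2 and parts[0].upper() in ('EHLO', 'HELO'):
        return parts[1].strip().lower()
    return None


def analyse(lines, log_day, blocked_ehlo=('ylmf-pc',)):
    """Simulate the abuse-detection rule and the EHLO-domain block over log lines.

    Returns (blocks, ehlo_hits, pending):
      blocks    -> {ip: (block_start, block_end)}
      ehlo_hits -> {greeting: set of ips that sent it}
      pending   -> {ip: failures still inside the window, below the threshold}
    """
    failures = defaultdict(deque)   # ip -> timestamps of 535s inside TIME_FRAME
    blocks = {}
    ehlo_hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line, log_day)
        if rec is None:
            continue
        ip, ts = rec['ip'], rec['ts']
        name = ehlo_name(rec)
        if name in blocked_ehlo:
            ehlo_hits[name].add(ip)
        # Events from an IP that is already inside a block period do not re-count.
        if ip in blocks and ts < blocks[ip][1]:
            continue
        if is_auth_failure(rec):
            window = failures[ip]
            window.append(ts)
            while window and ts - window[0] > TIME_FRAME:
                window.popleft()
            if len(window) >= FAILURES_BEFORE_BLOCK:
                blocks[ip] = (ts, ts + TIME_TO_BLOCK)
                window.clear()
    pending = {ip: len(w) for ip, w in failures.items() if w}
    return blocks, ehlo_hits, pending


def run_sample():
    return analyse(SAMPLE_LOG.splitlines(), LOG_DAY)


if __name__ == '__main__':
    blocks, ehlo_hits, pending = run_sample()
    for ip, (start, end) in blocks.items():
        print(f'would block {ip} from {start} until {end}')
    for name, ips in ehlo_hits.items():
        print(f'EHLO {name} seen from: {", ".join(sorted(ips))}')
    print('below threshold:', pending)
```

Run it as-is to see the dry run, or replace `SAMPLE_LOG` with the contents of a real day's SMTP log and `LOG_DAY` with that day's date. The `pending` map is the part worth watching when tuning the rule: an IP sitting at two failures is one more mistyped password away from a 30-day block, which is exactly the customer-lockout caveat Scarab raises above, so a lower `TIME_TO_BLOCK` or a higher `FAILURES_BEFORE_BLOCK` may be the better trade for a server with many legitimate mobile clients.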