How do you find out the account/s involved in Brute Force password events
Question asked by Antony - 3/6/2015 at 8:32 AM
When you have the Abuse detection events configured, how can you find out which domains/users were involved?
The logs seem to record the events, and a search by IP also records the connection/disconnection, but I cannot find out how to ascertain the user account being attacked.
Is this possible?

2 Replies

Bruce Barnes Replied
Make certain your SMTP logs are set to detailed. Check the SMTP logs.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net
Phone: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist
Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting
Scarab Replied
If your logs are set to "Detailed" you can use the search string of "rsp: 535 Authentication failed". Be sure to enable "Display related traffic" 
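
The search described in the replies above, done offline over an exported detailed SMTP log, as an added example that is not part of the thread or of the mail server's own tooling. Only the string "rsp: 535 Authentication failed" comes from the thread; the line layout, the session ids, and the assumption that the AUTH exchange is logged as cmd:/rsp: lines are constructed for illustration.

```python
import base64
import re
from collections import Counter, defaultdict

# Assumed layout (not confirmed by the thread): "HH:MM:SS [ip][session] text"
LINE = re.compile(r"^\S+ \[([^\]]+)\]\[([^\]]+)\] (.*)$")
FAILED = "rsp: 535 Authentication failed"  # search string from the reply above
USER_PROMPT = "rsp: 334 VXNlcm5hbWU6"      # AUTH LOGIN prompt, base64 of "Username:"

def b64text(s):
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def failed_accounts(lines):
    """Count 535 failures per (client IP, account), grouping lines by session."""
    sessions = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            sessions[(m.group(1), m.group(2))].append(m.group(3))
    hits = Counter()
    for (ip, _sid), texts in sessions.items():
        user, expect_user = None, False
        for text in texts:
            if text.startswith("cmd: AUTH PLAIN "):
                # authzid NUL authcid NUL password: keep only the authcid
                parts = (b64text(text.split()[-1]) or "").split("\0")
                user = parts[1] if len(parts) == 3 else None
            elif text == USER_PROMPT:
                expect_user = True
            elif expect_user and text.startswith("cmd: "):
                user, expect_user = b64text(text[5:].strip()), False
            elif text.startswith(FAILED):
                hits[(ip, user or "<unknown>")] += 1
    return hits

# Constructed sample lines (documentation IP ranges, made-up session ids).
SAMPLE = [
    "08:31:58 [203.0.113.7][1001] cmd: AUTH LOGIN",
    "08:31:58 [203.0.113.7][1001] rsp: 334 VXNlcm5hbWU6",
    "08:31:58 [198.51.100.9][1002] rsp: 535 Authentication failed",
    "08:31:58 [203.0.113.7][1001] cmd: c2FsZXNAZXhhbXBsZS5jb20=",
    "08:31:59 [203.0.113.7][1001] rsp: 334 UGFzc3dvcmQ6",
    "08:31:59 [203.0.113.7][1001] rsp: 535 Authentication failed",
]

if __name__ == "__main__":
    print(failed_accounts(SAMPLE).most_common())
```

Grouping by IP and session id plays the role of "Display related traffic": a 535 line carries no account name, so the name has to come from the AUTH lines of the same session.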
