How do you find out the account/s involved in Brute Force password events
Question asked by Antony - 3/6/2015 at 8:32 AM
Unanswered
When you have the Abuse detection events configured, how can you find out which domains/users were involved?
The logs seem to record the events, and search by IP also records the connection/disconnection, but I cannot find out how to ascertain the user account being attacked.
Is this possible?
Bruce Barnes Replied
Make certain your SMTP logs are set to detailed. Check the SMTP logs.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net
Phone: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist
Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting
Scarab Replied
If your logs are set to "Detailed" you can use the search string of "rsp: 535 Authentication failed". Be sure to enable "Display related traffic" 
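The same correlation done offline, as an added example that is not part of the thread or of the mail server's own tooling: it groups log lines by session (what "Display related traffic" does in the viewer), decodes the username sent during AUTH LOGIN, and counts "535 Authentication failed" responses per account and client IP. The line layout `time [ip][session] cmd:/rsp: text`, the helper names and the sample sessions are assumptions constructed for illustration; only AUTH LOGIN is handled.

```python
import base64
import binascii
import re
from collections import Counter

# Assumed layout of a detailed SMTP log line: time [client IP][session id] cmd:/rsp: text
LINE = re.compile(r"^(\S+) \[([^\]]+)\]\[([^\]]+)\] (cmd|rsp): (.*)$")
USER_PROMPT = "334 VXNlcm5hbWU6"      # base64 of "Username:" in the AUTH LOGIN exchange
FAILED = "535 Authentication failed"  # search string given in the reply above

def b64(text):
    return base64.b64encode(text.encode()).decode()

def session(ip, sid, user, ok):
    """Build one constructed AUTH LOGIN session in the assumed layout."""
    p = f"08:32:00 [{ip}][{sid}]"
    final = "235 Authentication successful" if ok else FAILED
    return [f"{p} cmd: AUTH LOGIN", f"{p} rsp: {USER_PROMPT}",
            f"{p} cmd: {b64(user)}", f"{p} rsp: 334 UGFzc3dvcmQ6",
            f"{p} cmd: (redacted)", f"{p} rsp: {final}"]

# Constructed sample data (documentation IP ranges and example domains).
SAMPLE_LOG = (session("203.0.113.7", "1001", "sales@example.com", False)
              + session("203.0.113.7", "1002", "sales@example.com", False)
              + session("203.0.113.7", "1003", "info@example.org", False)
              + session("198.51.100.4", "1004", "sales@example.com", True))

def failed_logins(lines):
    """Count 535 failures per (account, client IP), correlating by session id."""
    awaiting, user_of, hits = set(), {}, Counter()
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue                  # skip lines outside the assumed layout
        _, ip, sid, kind, text = m.groups()
        if kind == "rsp" and text.startswith(USER_PROMPT):
            awaiting.add(sid)         # the next client line carries the username
        elif kind == "cmd" and sid in awaiting:
            awaiting.discard(sid)
            try:
                user_of[sid] = base64.b64decode(text, validate=True).decode()
            except (binascii.Error, UnicodeDecodeError):
                user_of[sid] = "<undecodable>"
        elif kind == "rsp" and text.startswith(FAILED):
            hits[(user_of.get(sid, "<unknown>"), ip)] += 1
    return hits

if __name__ == "__main__":
    for (user, ip), n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{n:3d} failed logins for {user} from {ip}")
```
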
