Spammer login attempts
Question asked by Rabie Ayyach - January 4, 2016 at 1:33 PM
Unanswered
I routinely see messages in the SMTP log that show login attempts on addresses that don't exist on my server. Because these accounts don't exist, the login attempts fail obviously.
 
What can I do to prevent these attempts? So far I've been putting an SMTP block on any IP addresses I see these attempts come from, but could this result in email not getting to my users?

4 Replies

Anyone?
Sounds like you may be the victim of BRUTE FORCE PASSWORD attacks.

We recently picked up a customer in France, who runs SmarterMail, and that was a huge issue for them.

We configured SmarterMail ABUSE DETECTION capabilities, available under SECURITY ===> ADVANCED SETTINGS and that has helped a lot.  After 10 attempts in 5 minutes, the IP address attempting to hack the server is blocked for 45 days (SmarterMail 14.4.5801), or until the SmarterMail service is restarted or the server rebooted:
 
POP Password Brute Force Protection Settings
SMTP Password Brute Force Protection Settings
 
IMAP Password Brute Force Protection Settings
XMPP Password Brute Force Protection Settings
 
We run these same settings on both our SmarterMail server, and the SmarterMail servers of several other clients, and have no issues with blocked e-mail.
 
Versions prior to SmarterMail 14.4.XXXX had some issues, but, if my memory serves me right, SmarterTools' developers tuned the code to not block legitimate accounts and that problem has disappeared.
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
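To make the rule described in this reply concrete (10 failed logins from one IP inside 5 minutes, block for 45 days), here is an added example of the same sliding-window counting logic run over constructed SMTP auth log lines. It is illustration code written for this thread, not SmarterMail's own implementation, and the log format, IP addresses and account names are all made up:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                         # failed logins that trigger a block
WINDOW = timedelta(minutes=5)          # counted inside this sliding window
BLOCK_DURATION = timedelta(days=45)    # how long the IP stays blocked


def build_sample():
    """Constructed log lines: '<date> <time> <ip> AUTH <OK|FAIL> <user>'."""
    base = datetime(2016, 1, 4, 13, 0, 0)
    lines = []
    # Attacker: 11 failures against different (non-existent) users in 110 s.
    for i in range(11):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 203.0.113.7 AUTH FAIL user{i}@example.test")
    # Forgetful legitimate user: 10 failures, but only one every 2 minutes,
    # so at most 3 ever fall inside any 5-minute window.
    for i in range(10):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.9 AUTH FAIL bob@example.test")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 192.0.2.5 AUTH OK alice@example.test")
    return lines


def find_brute_force_ips(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time of the failure that tripped the rule} for every IP
    that reaches `threshold` failed logins inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    # Lines start with an ISO timestamp, so sorting strings sorts by time.
    for line in sorted(lines):
        date, clock, ip, _, result, _user = line.split()
        if result != "FAIL" or ip in blocked:
            continue
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def block_expiry(blocked, duration=BLOCK_DURATION):
    """Map each blocked IP to the time its block would lapse."""
    return {ip: ts + duration for ip, ts in blocked.items()}
```

Only the attacker's IP trips the rule; the user who keeps mistyping a password once every couple of minutes never accumulates 10 failures in one window, which is why the setting does not block ordinary mail clients.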
Thanks for the info, I have added those Password Brute Force rules.
 
A couple of questions: Should I remove the manual IP blacklist entries I've added based on these attacks?
 
We appear to have a DOS entry for SMTP, added by the previous mail admin. Is this necessary? Should we add an IMAP entry as well, or in place of?
I would remove all of the prior blocks and build all of them based on what I entered in my previous posting.

You should also consider removing any blacklisting, whitelisting and SMTP AUTH BYPASS entries for the domain name and/or IP address.  Removing these entries will allow SmarterMail to automate the process and give you accurate data in the reporting screen.
 
Remember, it may take up to 72 hours to see results.  They will be displayed (listed) under MANAGE ===> CURRENT IDS BLOCKS ===> ALL BLOCKS, by IP ADDRESS, and, depending on the version of SmarterMail you are running, will show:
  • IP Address
  • Location
  • SERVICE Blocked
  • Detection Type
  • Rule Triggering Block
with each of the columns being sortable.
 
Bruce Barnes
ChicagoNetTech Inc
