Smartermail 15 enterprise version authentication failed attempt
Problem reported by CTL - 4/18/2016 at 12:50 AM
Submitted
Hello,
 
I am getting constant authentication failed attacks from various IPs from around the world. My server is behind the firewall; I have opened ports 80, 53, 25 & 143, and all remaining ports are closed. Also, my remote SmarterMail server is accessed only from my office static IP.
 
My question is: why is my SmarterMail getting authentication failed attempts? How can I prevent such attacks?
 
Please have a look at the logs of the failed attempts (original hostname changed for security purposes):
 
 
[2016.04.18] 00:14:37 [174.122.18.122][65304849] rsp: 220  hostname
[2016.04.18] 00:14:37 [174.122.18.122][65304849] connected at 4/18/2016 12:14:37 AM
[2016.04.18] 00:14:37 [174.122.18.122][65304849] cmd: EHLO admin
[2016.04.18] 00:14:37 [174.122.18.122][65304849] rsp: 250-ip-ac1f27de.arielcde.com Hello [174.122.18.122]250-SIZE 20971520250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.04.18] 00:14:37 [174.122.18.122][65304849] cmd: AUTH LOGIN
[2016.04.18] 00:14:37 [174.122.18.122][65304849] rsp: 334 VXNlcm5hbWU6
[2016.04.18] 00:14:37 [174.122.18.122][65304849] Authenticating as matt
[2016.04.18] 00:14:37 [174.122.18.122][65304849] rsp: 334 UGFzc3dvcmQ6
[2016.04.18] 00:14:38 [174.122.18.122][65304849] rsp: 535 Authentication failed
[2016.04.18] 00:14:38 [174.122.18.122][65304849] cmd: quit
[2016.04.18] 00:14:38 [174.122.18.122][65304849] rsp: 221 Service closing transmission channel
[2016.04.18] 00:14:38 [174.122.18.122][65304849] disconnected at 4/18/2016 12:14:38 AM
[2016.04.18] 00:15:07 [108.175.157.253][25410179] rsp: 220 hostname
[2016.04.18] 00:15:07 [108.175.157.253][25410179] connected at 4/18/2016 12:15:07 AM
[2016.04.18] 00:15:07 [108.175.157.253][25410179] cmd: EHLO admin
[2016.04.18] 00:15:07 [108.175.157.253][25410179] rsp: 250-ip-ac1f27de.arielcde.com Hello [108.175.157.253]250-SIZE 20971520250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.04.18] 00:15:08 [108.175.157.253][25410179] cmd: AUTH LOGIN
[2016.04.18] 00:15:08 [108.175.157.253][25410179] rsp: 334 VXNlcm5hbWU6
[2016.04.18] 00:15:08 [108.175.157.253][25410179] Authenticating as skype
[2016.04.18] 00:15:08 [108.175.157.253][25410179] rsp: 334 UGFzc3dvcmQ6
[2016.04.18] 00:15:08 [108.175.157.253][25410179] rsp: 535 Authentication failed
[2016.04.18] 00:15:08 [108.175.157.253][25410179] cmd: quit
[2016.04.18] 00:15:08 [108.175.157.253][25410179] rsp: 221 Service closing transmission channel
[2016.04.18] 00:15:08 [108.175.157.253][25410179] disconnected at 4/18/2016 12:15:08 AM
[2016.04.18] 00:15:08 [108.175.157.253][51877360] rsp: 220 hostname
[2016.04.18] 00:15:08 [108.175.157.253][51877360] connected at 4/18/2016 12:15:08 AM
[2016.04.18] 00:15:08 [108.175.157.253][51877360] cmd: EHLO admin
[2016.04.18] 00:15:08 [108.175.157.253][51877360] rsp: 250-hostname Hello [108.175.157.253]250-SIZE 20971520250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.04.18] 00:15:08 [108.175.157.253][51877360] cmd: AUTH LOGIN
[2016.04.18] 00:15:08 [108.175.157.253][51877360] rsp: 334 VXNlcm5hbWU6
[2016.04.18] 00:15:08 [108.175.157.253][51877360] Authenticating as skype
[2016.04.18] 00:15:08 [108.175.157.253][51877360] rsp: 334 UGFzc3dvcmQ6
[2016.04.18] 00:15:08 [108.175.157.253][51877360] rsp: 535 Authentication failed
[2016.04.18] 00:15:08 [108.175.157.253][51877360] cmd: quit

2 Replies

0
Scarab Replied
Radhika,
 
Is the EHLO the same on all of these? If they all have the same EHLO, you can block that under SECURITY > ADVANCED SETTINGS > SMTP BLOCKING: rather than using the email address, use the "Block Type" of "EHLO Domain" with the EHLO of "admin" in the "Blocked Address" field. Although they will still show in your SMTP Log, they will never be able to authenticate, as SmarterMail will ignore any SMTP input they provide.
 
0
CTL Replied
I believe it should be automated blocking of IPs via IDS.

Thanks
Binesh

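As an added example (not from the thread and not SmarterMail's own code), the Python below groups SmarterMail SMTP log lines in the format shown above into sessions, then reports which source IPs crossed a failure threshold (candidates for the automated IP blocking Binesh mentions) and which EHLO names were shared by several failing sources (what Scarab's EHLO-domain block targets). The log lines and IP addresses are constructed, and the regular expression assumes the line layout seen in the post.

```python
import re
from collections import defaultdict

# Constructed sample in SmarterMail's SMTP log line format (not the thread's own lines).
SAMPLE_LOG = """\
[2016.04.18] 00:14:37 [203.0.113.10][1001] cmd: EHLO admin
[2016.04.18] 00:14:37 [203.0.113.10][1001] Authenticating as matt
[2016.04.18] 00:14:38 [203.0.113.10][1001] rsp: 535 Authentication failed
[2016.04.18] 00:15:07 [203.0.113.10][1002] cmd: EHLO admin
[2016.04.18] 00:15:08 [203.0.113.10][1002] Authenticating as skype
[2016.04.18] 00:15:08 [203.0.113.10][1002] rsp: 535 Authentication failed
[2016.04.18] 00:16:00 [203.0.113.11][2001] cmd: EHLO admin
[2016.04.18] 00:16:00 [203.0.113.11][2001] Authenticating as info
[2016.04.18] 00:16:01 [203.0.113.11][2001] rsp: 535 Authentication failed
[2016.04.18] 00:20:00 [198.51.100.7][3001] cmd: EHLO mail.example.net
[2016.04.18] 00:20:00 [198.51.100.7][3001] Authenticating as alice
[2016.04.18] 00:20:01 [198.51.100.7][3001] rsp: 535 Authentication failed
"""

LINE_RE = re.compile(r"^\[[\d.]+\] [\d:]+ \[(?P<ip>[\d.]+)\]\[(?P<sid>\d+)\] (?P<msg>.*)$")
def parse_sessions(log_text):
    """Group log lines into SMTP sessions keyed by (client IP, session id)."""
    sessions = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        s = sessions.setdefault((m["ip"], m["sid"]), {"ehlo": None, "user": None, "failed": False})
        msg = m["msg"]
        if msg.startswith(("cmd: EHLO ", "cmd: HELO ")):
            s["ehlo"] = msg.split(" ", 2)[2]        # name the client announced itself as
        elif msg.startswith("Authenticating as "):
            s["user"] = msg[len("Authenticating as "):]
        elif msg.startswith("rsp: 535"):
            s["failed"] = True                      # server rejected the credentials
    return sessions

def summarize(sessions, threshold=2):
    """Flag IPs at/over the failure threshold and EHLO names shared by several failing IPs."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "ehlo": set()})
    for (ip, _), s in sessions.items():
        if s["failed"]:
            per_ip[ip]["failures"] += 1
            per_ip[ip]["users"].add(s["user"])
            per_ip[ip]["ehlo"].add(s["ehlo"])
    ehlo_ips = defaultdict(set)                     # EHLO name -> IPs that used it while failing
    for ip, rec in per_ip.items():
        for name in rec["ehlo"]:
            ehlo_ips[name].add(ip)
    return {"block": sorted(ip for ip, r in per_ip.items() if r["failures"] >= threshold),
            "users": {ip: sorted(r["users"]) for ip, r in per_ip.items()},
            "shared_ehlo": sorted(n for n, ips in ehlo_ips.items() if len(ips) > 1)}
```

Feeding the script your own SMTP log lets you set the threshold to match your users' real typo rate, so a single failed login from a known host (the 198.51.100.7 case above) is not blocked while a source cycling through usernames is.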