Back to Community Threads
1
getting Smtp authentication failed error
Problem reported by Syed Noman - 5/16/2016 at 10:08 PM
Submitted
I am continuously getting following messages in smtp logs and getting IP listed pls assist.
 
09:13:59 [43.245.8.144][29276824] rsp: 535 Authentication failed 
09:14:01 [43.245.8.144][65946726] rsp: 535 Authentication failed 
09:14:03 [43.245.8.144][9573966] rsp: 535 Authentication failed 
09:14:13 [43.245.8.144][81010] rsp: 535 Authentication failed 
09:14:15 [43.245.8.144][13366701] rsp: 535 Authentication failed 
09:14:17 [43.245.8.144][58022112] rsp: 535 Authentication failed 
09:14:25 [43.245.8.144][43569430] rsp: 535 Authentication failed 
09:14:27 [43.245.8.144][8307625] rsp: 535 Authentication failed 
09:14:29 [43.245.8.144][28580971] rsp: 535 Authentication failed 
09:18:54 [91.197.232.50][33621087] rsp: 535 Authentication failed 
09:29:45 [43.245.8.144][22526009] rsp: 535 Authentication failed 
09:29:47 [43.245.8.144][39938672] rsp: 535 Authentication failed 
09:29:49 [43.245.8.144][62195638] rsp: 535 Authentication failed 
09:33:47 [91.197.232.50][16683150] rsp: 535 Authentication failed 
09:44:22 [103.228.156.108][34860886] rsp: 535 Authentication failed 
09:45:13 [43.245.8.144][9097836] rsp: 535 Authentication failed 
09:46:03 [43.245.8.144][44335349] rsp: 535 Authentication failed 
09:46:04 [43.245.8.144][31397231] rsp: 535 Authentication failed 
09:48:41 [91.197.232.50][49742466] rsp: 535 Authentication failed 
____________________________________________
 
LOGIN CRAM-MD5 250 OK 
09:48:40 [91.197.232.50][49742466] cmd: RSET
09:48:40 [91.197.232.50][49742466] rsp: 250 OK 
09:48:41 [91.197.232.50][49742466] cmd: AUTH LOGIN
09:48:41 [91.197.232.50][49742466] rsp: 334 VXNlcm5hbWU6 
09:48:41 [91.197.232.50][49742466] rsp: 334 UGFzc3dvcmQ6 
09:48:41 [91.197.232.50][49742466] rsp: 535 Authentication failed 
09:48:41 [91.197.232.50][49742466] cmd: QUIT
09:48:41 [91.197.232.50][49742466] rsp: 221 Service closing transmission channel 
09:48:41 [91.197.232.50][49742466] disconnected at 5/17/2016 9:48:41 AM
09:51:06 [43.245.8.144][31397231] rsp: 421 Command timeout, closing transmission channel 
09:51:06 [43.245.8.144][31397231] disconnected at 5/17/2016 9:51:06 AM
 

7 Replies

Reply to Thread
0
Syed Noman Replied
5/17/2016 at 2:02 AM
anyone????
0
Matthew Leyda Replied
5/17/2016 at 6:53 AM
Take a look at you logs and see if the EHLO is "EHLO ylmf-pc" If it is use the SMTP blocking rule to limit its access.
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
0
Syed Noman Replied
5/17/2016 at 7:57 AM
here it is but how do i block it pls elaborate Thanks

07:47:04 [197.231.192.62][66919257] cmd: EHLO ylmf-pc
07:47:06 [197.231.192.62][848921] cmd: EHLO ylmf-pc
14:28:24 [31.168.198.79][47554332] cmd: EHLO ylmf-pc
14:28:37 [31.168.198.79][31633799] cmd: EHLO ylmf-pc
14:28:40 [31.168.198.79][33850244] cmd: EHLO ylmf-pc
14:28:42 [31.168.198.79][50289595] cmd: EHLO ylmf-pc
17:23:09 [181.198.73.211][29031111] cmd: EHLO ylmf-pc
17:23:23 [181.198.73.211][25584095] cmd: EHLO ylmf-pc
17:23:26 [181.198.73.211][3899566] cmd: EHLO ylmf-pc
1
Matthew Leyda Replied
5/17/2016 at 8:24 AM
Log in as the System Admin
Go to Security > SMTP Blocking the Click on NEW and select Block Type "EHLO Domain", Enter ylmf-pc in Blocked Address, Description can be anything you want. Then Save it and you are done.
 
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
0
Syed Noman Replied
5/17/2016 at 9:42 PM
Dear thanks for the help but i have smartermail 8.x don't have this option.
0
Syed Noman Replied
5/23/2016 at 10:35 PM
anyone???
1
Scarab Replied
5/24/2016 at 11:25 AM
Syed,

These are distributed Brute-Force Attempts from a botnet (YLMF-PC) to send via SMTP Authentication. As your version of SmarterMail (8.x) does not have the ability to block SMTP connections by their EHLO then the only options you have are as follows:

A.) Simply ignore these connections. If you are enforcing strong passwords for your users it is highly unlikely they will ever successfully connect. Everything is working as it should.
 
B.) Configure your Abuse Detection for SMTP to be more strict. You can do this under SECURITY > ADVANCED SETTINGS > ABUSE DETECTION and modify your Password Brute Force By Protocol rule as follows:
 
Detection Type: Password Brute Force by Protocol
Service: SMTP
Time Frame: 1440 Minutes
Failures Before Block: 3
Time to Block: 43200 Minutes
Description: SMTP Brute Force

Eventually IP Addresses in the YLMF-PC botnet will begin to get blocked.

Note that customers may begin to get their Outgoing SMTP blocked by the same Abuse Detection rule as if they put in a wrong password in their email client (like when they get a new phone) their email client will probably trigger the same Abuse Detection rule within 15-45 minutes.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

"550 Authentication is Required for Relay" when Sending EmailSmarterMail > Troubleshooting
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
eM Client Fails to Connect to IMAPSmarterMail > Troubleshooting
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Cannot Send Email MessagesSmarterMail > Troubleshooting