Too many failed authentication
Question asked by Linda Collins - July 12, 2016 at 9:09 AM
Unanswered
I receive hundreds of failed authentications per day on one email address.
Every one seems to come from a different IP. This example shows 162.252.129.23.
Is there a way to reject these emails? Maybe limit the number of failed authentications.
Or perhaps allow only whitelisted IPs to send mail from a specified user.
I have put a limit of 5 outgoing messages an hour for that user, but that gets eaten up by the spammers quickly, then the user can't send any legit emails. Any suggestions on how to deal with this problem?
Here is an example:
08:34:53 [162.252.129.23][34836979] rsp: 220 mail.myemail.com
08:34:53 [162.252.129.23][34836979] connected at 7/12/2016 8:34:53 AM
08:34:54 [162.252.129.23][34836979] cmd: EHLO mcew.com
08:34:54 [162.252.129.23][34836979] rsp: 250-mail.myemail.com Hello [162.252.129.23]250-SIZE250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
08:34:54 [162.252.129.23][34836979] cmd: AUTH LOGIN
08:34:54 [162.252.129.23][34836979] rsp: 334 VXNlcm5hbWU6
08:34:54 [162.252.129.23][34836979] Authenticating as linda@example.com
08:34:54 [162.252.129.23][34836979] rsp: 334 UGFzc3dvcmQ6
08:34:54 [162.252.129.23][34836979] rsp: 535 Authentication failed
08:34:55 [162.252.129.23][34836979] disconnected at 7/12/2016 8:34:55 AM

3 Replies

Matthew Leyda Replied
Linda,
Take a look at Abuse Detection.
Go to Security > Advanced Settings > Abuse Detection
Set up a "Password Brute Force by Protocol" rule.
Here is a screenshot of the setting we use.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
Linda Collins Replied
It will not work, in this case, since every abuse has a different originating IP address.
Matthew Leyda Replied
Linda,
You can change the "Failures Before Block" to a lower number. I'd do an SMTP log search on "rsp: 535 Authentication failed" and see what a good number would be.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
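
Added example, not part of the thread and not vendor code: one way to run the suggested log search for "rsp: 535 Authentication failed" and see how many client IPs a given "Failures Before Block" value would catch. It goes a step further and also counts failures and distinct IPs per targeted account, which is the pattern described in the question. It assumes the log layout shown in the question; the function names and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Layout from the question: HH:MM:SS [client IP][session id] text
LINE = re.compile(r"^\d\d:\d\d:\d\d \[([^\]]+)\]\[(\d+)\] (.*)$")

def summarize(lines):
    """Count 535 failures per client IP and per targeted account."""
    account_by_session = {}
    per_ip, per_account = Counter(), Counter()
    ips_by_account = defaultdict(set)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or wrapped lines
        ip, session, text = m.groups()
        if text.startswith("Authenticating as "):
            account_by_session[session] = text.split(" as ", 1)[1].strip().lower()
        elif text.startswith("rsp: 535 Authentication failed"):
            account = account_by_session.get(session, "(unknown)")
            per_ip[ip] += 1
            per_account[account] += 1
            ips_by_account[account].add(ip)
    return per_ip, per_account, ips_by_account

def ips_reaching(per_ip, threshold):
    """Client IPs a per-IP rule with this failure count would block."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample, not taken from a real server.
SAMPLE = """\
08:34:54 [192.0.2.10][1001] Authenticating as linda@example.com
08:34:54 [192.0.2.10][1001] rsp: 535 Authentication failed
08:35:10 [198.51.100.7][1002] Authenticating as linda@example.com
08:35:10 [198.51.100.7][1002] rsp: 535 Authentication failed
08:35:41 [203.0.113.5][1003] Authenticating as linda@example.com
08:35:41 [203.0.113.5][1003] rsp: 535 Authentication failed
08:36:02 [203.0.113.99][1004] Authenticating as bob@example.com
08:36:02 [203.0.113.99][1004] rsp: 535 Authentication failed
08:36:05 [203.0.113.99][1005] Authenticating as bob@example.com
08:36:05 [203.0.113.99][1005] rsp: 535 Authentication failed
""".splitlines()

if __name__ == "__main__":
    per_ip, per_account, ips_by_account = summarize(SAMPLE)
    for acct, n in per_account.most_common():
        print(f"{acct}: {n} failures from {len(ips_by_account[acct])} distinct IPs")
    for t in (1, 2, 3, 5):
        print(f"threshold {t}: {len(ips_reaching(per_ip, t))} IPs would be blocked")
```

On a real log, an account with many failures spread over many IPs at one failure each is the case where lowering a per-IP threshold changes little, and the per-account totals show that directly.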
