Security question/issue: Each minute foreign IP address is trying to EHLO, and authentificate my mx.domain.com?!!!
Question asked by dejan dejanovic - January 30, 2017 at 7:25 AM
Answered
I have found under SMTP log events that each minute a foreign ip is trying to authentificate my domain.
Any idea what is happening, and perhaps what can be done? Maybe, like manually blocking the IPs?
 
[2017.01.30] 00:01:28 [91.200.12.150][18058183] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:01:28 [91.200.12.150][18058183] connected at 30. 01. 2017 00:01:28
[2017.01.30] 00:01:29 [91.200.12.150][18058183] cmd: EHLO User
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 250-mail.MyDomain.eu Hello [91.200.12.150]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2017.01.30] 00:01:29 [91.200.12.150][18058183] cmd: AUTH LOGIN
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 334 VXNlcm5hbWU6
[2017.01.30] 00:01:29 [91.200.12.150][18058183] Authenticating as conference
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 334 UGFzc3dvcmQ6
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 535 Authentication failed
[2017.01.30] 00:01:29 [91.200.12.150][18058183] disconnected at 30. 01. 2017 00:01:29
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:02:57 [94.102.56.181][17948918] connected at 30. 01. 2017 00:02:57
[2017.01.30] 00:02:57 [94.102.56.181][17948918] cmd: EHLO User
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 250-mail.MyDomain.eu Hello [94.102.56.181]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2017.01.30] 00:02:57 [94.102.56.181][17948918] cmd: RSET
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 250 OK
[2017.01.30] 00:02:57 [94.102.56.181][17948918] cmd: AUTH LOGIN
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 334 VXNlcm5hbWU6
[2017.01.30] 00:02:58 [94.102.56.181][17948918] Authenticating as contact(AT)MyDomain.eu
[2017.01.30] 00:02:58 [94.102.56.181][17948918] rsp: 334 UGFzc3dvcmQ6
[2017.01.30] 00:02:58 [94.102.56.181][17948918] rsp: 535 Authentication failed
[2017.01.30] 00:02:58 [94.102.56.181][17948918] cmd: QUIT
[2017.01.30] 00:02:58 [94.102.56.181][17948918] rsp: 221 Service closing transmission channel
[2017.01.30] 00:02:58 [94.102.56.181][17948918] disconnected at 30. 01. 2017 00:02:58
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:08:55 [91.200.12.150][14366600] connected at 30. 01. 2017 00:08:55
[2017.01.30] 00:08:55 [91.200.12.150][14366600] cmd: EHLO User
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 250-mail.MyDomain.eu Hello [91.200.12.150]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2017.01.30] 00:08:55 [91.200.12.150][14366600] cmd: AUTH LOGIN
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 334 VXNlcm5hbWU6
[2017.01.30] 00:08:55 [91.200.12.150][14366600] Authenticating as webmaster
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 334 UGFzc3dvcmQ6
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 535 Authentication failed
[2017.01.30] 00:08:55 [91.200.12.150][14366600] disconnected at 30. 01. 2017 00:08:55
 
dejanc

2 Replies

Reply to Thread
0
Botnets trying to bruteforce your credentials. If they compromise an SMTP accounts, they will likely start sending spam from your server. If you monitor your windows events, you will likely see the same happening on RDP. My server has about 3,000 new distinct IP attempting to brute force my server each month, and growing.
 
I ended up writing a script that monitors IIS logs, smartermail logs and windows events for these connection attempts and block IPs through the firewall. Of course you need to be able to monitor that and unblock your own users. Also make sure you have an IP whitelist if your office has static IPs.
 
Otherwise you can use the smartermail built in bruteforce prevention settings but I suggest you toughen them. To do the same on RDP, you can use a software like RDPGuard. Also worth renaming your admin accounts both on smartermail and windows. Admin and Administrator are the two most commonly attacked logins.
0
Great.Thanks for info, and tips.
dejanc

Reply to Thread