Security question/issue: Each minute a foreign IP address is trying to EHLO and authenticate to my mx.domain.com?!!!
Question asked by dejan dejanovic - 1/30/2017 at 7:25 AM
Answered
I have found in the SMTP log events that each minute a foreign IP is trying to authenticate to my domain.
Any idea what is happening, and perhaps what can be done? Maybe, like manually blocking the IPs?
 
[2017.01.30] 00:01:28 [91.200.12.150][18058183] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:01:28 [91.200.12.150][18058183] connected at 30. 01. 2017 00:01:28
[2017.01.30] 00:01:29 [91.200.12.150][18058183] cmd: EHLO User
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 250-mail.MyDomain.eu Hello [91.200.12.150]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2017.01.30] 00:01:29 [91.200.12.150][18058183] cmd: AUTH LOGIN
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 334 VXNlcm5hbWU6
[2017.01.30] 00:01:29 [91.200.12.150][18058183] Authenticating as conference
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 334 UGFzc3dvcmQ6
[2017.01.30] 00:01:29 [91.200.12.150][18058183] rsp: 535 Authentication failed
[2017.01.30] 00:01:29 [91.200.12.150][18058183] disconnected at 30. 01. 2017 00:01:29
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:02:57 [94.102.56.181][17948918] connected at 30. 01. 2017 00:02:57
[2017.01.30] 00:02:57 [94.102.56.181][17948918] cmd: EHLO User
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 250-mail.MyDomain.eu Hello [94.102.56.181]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2017.01.30] 00:02:57 [94.102.56.181][17948918] cmd: RSET
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 250 OK
[2017.01.30] 00:02:57 [94.102.56.181][17948918] cmd: AUTH LOGIN
[2017.01.30] 00:02:57 [94.102.56.181][17948918] rsp: 334 VXNlcm5hbWU6
[2017.01.30] 00:02:58 [94.102.56.181][17948918] Authenticating as contact(AT)MyDomain.eu
[2017.01.30] 00:02:58 [94.102.56.181][17948918] rsp: 334 UGFzc3dvcmQ6
[2017.01.30] 00:02:58 [94.102.56.181][17948918] rsp: 535 Authentication failed
[2017.01.30] 00:02:58 [94.102.56.181][17948918] cmd: QUIT
[2017.01.30] 00:02:58 [94.102.56.181][17948918] rsp: 221 Service closing transmission channel
[2017.01.30] 00:02:58 [94.102.56.181][17948918] disconnected at 30. 01. 2017 00:02:58
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:08:55 [91.200.12.150][14366600] connected at 30. 01. 2017 00:08:55
[2017.01.30] 00:08:55 [91.200.12.150][14366600] cmd: EHLO User
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 250-mail.MyDomain.eu Hello [91.200.12.150]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2017.01.30] 00:08:55 [91.200.12.150][14366600] cmd: AUTH LOGIN
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 334 VXNlcm5hbWU6
[2017.01.30] 00:08:55 [91.200.12.150][14366600] Authenticating as webmaster
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 334 UGFzc3dvcmQ6
[2017.01.30] 00:08:55 [91.200.12.150][14366600] rsp: 535 Authentication failed
[2017.01.30] 00:08:55 [91.200.12.150][14366600] disconnected at 30. 01. 2017 00:08:55
 

2 Replies

0
Charles Michel Replied
Marked As Answer
Botnets trying to brute-force your credentials. If they compromise an SMTP account, they will likely start sending spam from your server. If you monitor your Windows events, you will likely see the same happening on RDP. My server has about 3,000 new distinct IPs attempting to brute-force my server each month, and growing.
 
I ended up writing a script that monitors IIS logs, SmarterMail logs and Windows events for these connection attempts and blocks IPs through the firewall. Of course you need to be able to monitor that and unblock your own users. Also make sure you have an IP whitelist if your office has static IPs.
 
Otherwise you can use the SmarterMail built-in brute-force prevention settings, but I suggest you toughen them. To do the same on RDP, you can use software like RDPGuard. Also worth renaming your admin accounts both on SmarterMail and Windows. Admin and Administrator are the two most commonly attacked logins.
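The log-watching approach Charles describes, written out as an added example (it is not his script and not part of SmarterMail). It parses the SMTP log layout quoted in the question, counts `535 Authentication failed` responses per remote IP inside a sliding time window, skips a whitelist of your own networks, and reports the IPs that crossed the threshold together with the usernames they tried. The sample log lines are constructed with documentation-range addresses, the threshold and window are arbitrary choices, and the `netsh advfirewall` rule is only built as a string for review, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Layout of the SmarterMail SMTP log lines quoted in the question:
# [YYYY.MM.DD] HH:MM:SS [remote-ip][session-id] message
LOG_RE = re.compile(
    r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[([^\]]+)\]\[(\d+)\] (.*)$"
)

# Constructed sample log (documentation-range IPs), not taken from a real server.
SAMPLE_LOG = """\
[2017.01.30] 00:01:28 [203.0.113.5][100] rsp: 220 mail.MyDomain.eu
[2017.01.30] 00:01:29 [203.0.113.5][100] cmd: EHLO User
[2017.01.30] 00:01:29 [203.0.113.5][100] cmd: AUTH LOGIN
[2017.01.30] 00:01:29 [203.0.113.5][100] Authenticating as conference
[2017.01.30] 00:01:29 [203.0.113.5][100] rsp: 535 Authentication failed
[2017.01.30] 00:02:57 [198.51.100.9][101] Authenticating as contact(AT)MyDomain.eu
[2017.01.30] 00:02:57 [198.51.100.9][101] rsp: 535 Authentication failed
[2017.01.30] 00:03:10 [203.0.113.5][102] Authenticating as webmaster
[2017.01.30] 00:03:10 [203.0.113.5][102] rsp: 535 Authentication failed
[2017.01.30] 00:05:40 [203.0.113.5][103] Authenticating as admin
[2017.01.30] 00:05:40 [203.0.113.5][103] rsp: 535 Authentication failed
[2017.01.30] 00:06:00 [192.0.2.20][104] Authenticating as alice
[2017.01.30] 00:06:00 [192.0.2.20][104] rsp: 535 Authentication failed
[2017.01.30] 00:06:05 [192.0.2.20][105] Authenticating as alice
[2017.01.30] 00:06:05 [192.0.2.20][105] rsp: 535 Authentication failed
[2017.01.30] 00:06:09 [192.0.2.20][106] Authenticating as alice
[2017.01.30] 00:06:09 [192.0.2.20][106] rsp: 535 Authentication failed
[2017.01.30] 00:30:00 [203.0.113.5][107] Authenticating as postmaster
[2017.01.30] 00:30:00 [203.0.113.5][107] rsp: 535 Authentication failed
"""


def parse_line(line):
    """Return (timestamp, ip, session, message), or None if the line is not a log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, clock, ip, session, msg = m.groups()
    ts = datetime.strptime(f"{date} {clock}", "%Y.%m.%d %H:%M:%S")
    return ts, ip, session, msg


def _allowlisted(ip, nets):
    try:
        addr = ip_address(ip)
    except ValueError:          # not an IP literal; never treat it as trusted
        return False
    return any(addr in net for net in nets)


def find_offenders(lines, threshold=3, window=timedelta(minutes=10), allowlist=()):
    """Map each IP that reached `threshold` auth failures inside `window` to a summary."""
    nets = [ip_network(n) for n in allowlist]
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    failures = defaultdict(int)      # ip -> total failures seen
    usernames = defaultdict(set)     # ip -> usernames attempted
    pending = {}                     # session -> username announced before the 535
    first_exceeded = {}              # ip -> time the threshold was first crossed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, session, msg = parsed
        if msg.startswith("Authenticating as "):
            pending[session] = msg[len("Authenticating as "):]
            continue
        if not msg.startswith("rsp: 535"):
            continue
        usernames[ip].add(pending.pop(session, "?"))
        failures[ip] += 1
        if _allowlisted(ip, nets):   # your own office/static IPs are never blocked
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in first_exceeded:
            first_exceeded[ip] = ts
    return {
        ip: {"first_exceeded": when, "failures": failures[ip],
             "usernames": sorted(usernames[ip])}
        for ip, when in first_exceeded.items()
    }


def netsh_block_command(ip, rule_name="SMTP brute force"):
    """Windows Firewall rule that drops inbound traffic from `ip` (returned for review, not run)."""
    return (f'netsh advfirewall firewall add rule name="{rule_name} {ip}" '
            f'dir=in action=block remoteip={ip}')


def analyze_sample():
    """Run the detector over the constructed sample with 192.0.2.0/24 whitelisted."""
    return find_offenders(SAMPLE_LOG.splitlines(), allowlist=("192.0.2.0/24",))


if __name__ == "__main__":
    for ip, info in analyze_sample().items():
        print(ip, info)
        print("  ", netsh_block_command(ip))
```

In the sample, 203.0.113.5 crosses the threshold at its third failure, 198.51.100.9 fails only once, and 192.0.2.20 is counted but never blocked because it falls in the whitelisted range, which is the "unblock your own users" concern from the reply. A real deployment would tail the live log and keep the expiry of the block rules in mind so that an address is not blocked forever.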
0
dejan dejanovic Replied
Great. Thanks for the info and tips.
dejanc
