Splitting port 25 from port 587 log traffic
Idea shared by Ben Conner - June 3 at 8:33 PM
Proposed
Hi,

I do a fair amount of post-daily analysis of the SM log files looking for spammer activity and behavior.  One of the things that I continue to have to account for is the fact that the SMTP log file has both authenticated and non-authenticated SMTP activity mixed together.  In my view these are two completely different audiences whose behavior should be tracked differently and have different log files.

Example: non-authenticated traffic from a given IP address should have a static EHLO argument from one connection to the next.  I've seen instances of a single IP address showing a different EHLO argument every time they drop off mail in a single day.  None were legitimate.

That same behavior is not uncommon with authenticated traffic.  FWIW, this would only work if authenticated users don't (or can't) authenticate on port 25, which is a separate feature that would be very handy.  I don't want users to use port 25 to authenticate.  As it is now, I can't even tell which port they came in on: 25 or 587.

Does anyone else see this as a useful feature enhancement?

Thanks!

--Ben
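The per-IP EHLO consistency check described in the post, as an added example that is not part of the original thread and not SmarterMail's own code. It assumes a constructed, simplified log layout (timestamp, bracketed client IP, SMTP verb and argument) rather than SmarterMail's real format, and treats any `AUTH` line from an IP as marking that IP as an authenticated client so it is excluded from the check.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed layout (not SmarterMail's actual
# format): "<date> <time> [<client-ip>] <VERB> <argument>".
SAMPLE_LOG = """\
2024-06-03 08:01:12 [203.0.113.10] EHLO mail.example.net
2024-06-03 08:01:14 [203.0.113.10] AUTH LOGIN
2024-06-03 08:05:40 [198.51.100.7] EHLO host-a.example.org
2024-06-03 08:22:03 [198.51.100.7] EHLO ylkp3.example.com
2024-06-03 09:10:55 [198.51.100.7] EHLO zzq-mx.example
2024-06-03 09:30:00 [192.0.2.44] EHLO relay.example.com
2024-06-03 10:15:20 [192.0.2.44] EHLO relay.example.com
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \[(?P<ip>[^\]]+)\] (?P<verb>\w+)(?: (?P<arg>.*))?$"
)


def parse_sessions(text):
    """Return {ip: {"ehlo": set of EHLO names seen, "authenticated": bool}}."""
    sessions = defaultdict(lambda: {"ehlo": set(), "authenticated": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not carry a client verb
        entry = sessions[m["ip"]]
        if m["verb"] == "EHLO" and m["arg"]:
            entry["ehlo"].add(m["arg"].strip())
        elif m["verb"] == "AUTH":
            # Authenticated submission clients may legitimately roam, so they
            # are excluded from the static-EHLO expectation.
            entry["authenticated"] = True
    return sessions


def flag_variable_ehlo(sessions, max_distinct=1):
    """IPs that never authenticated yet presented more than max_distinct
    different EHLO arguments in the analysed window."""
    return sorted(
        ip for ip, s in sessions.items()
        if not s["authenticated"] and len(s["ehlo"]) > max_distinct
    )


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for ip in flag_variable_ehlo(sessions):
        print(ip, sorted(sessions[ip]["ehlo"]))
```

With the sample above only 198.51.100.7 is reported, since it changes its EHLO name on every connection without ever authenticating.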

1 Reply

We also think a separate log for the submission port (587) and the "between servers" port 25 would be very useful.

We also don't want users to be able to authenticate on port 25 and would have them use only port 587. Also, it seems port 25 allows authentication without starting a TLS session first, which is really bad.

On our side, since we are using an incoming SMTP filtering gateway (e.f.a), our workaround for this was to redirect all port 25 traffic originally directed to our SmarterMail server to our SMTP incoming gateway.

So port 25 of SmarterMail is never reached from outside, but only from our filtering gateway for forwarding traffic to SmarterMail after spam analysis.

Then our logs for port 25 are on the mail filtering gateway, and those for 587 are in SmarterMail's SMTP log.