Failed SMTP Login Report
Idea shared by Robert Hirabayashi - 8/15/2019 at 7:43 AM
Proposed
Hello!

I put together a couple of batch files that email a report to me at the end of each day that list out the failed SMTP logins, one for internal failures and one for external failures.

A quick disclaimer: If you're not sure what to do with the data below, you shouldn't use this in a production environment. While I've been using these files for months now, I offer no warranty and no guarantee of support or workability. 

In other words, if you use this and it breaks something, you will have to figure out what broke and fix it. It's not my fault, and by using this data, you agree that this is the case.

All that being said, I'm posting this here as a courtesy to the SmarterMail community. If you have a question, comment or improvements to offer, I'd be happy to reply or update this code as needed, but don't expect a fast reply.

There are two external programs you will need in order for this to work.

The first is JSORT.BAT version 4.2. This is a batch file written by Dave Benham and can be downloaded from the website below:


The next one is a little trickier. It's a command line email sending program called BMAIL that I've been using for about 15 years. It was created by Craig Peacock and was available on beyondlogic.org for years, but has since been taken down. :(

However, the nice folks at archive.org have a saved copy here:  


Note: There are other command line email programs that I've seen but never used. Many are no longer being developed. There is another project written by Muhammad A Muquit called MailSend and can be downloaded from GitHub (https://github.com/muquit/mailsend/), but I have not used this. If I get enough requests, I may be convinced to re-write my batch files using this or another command line email sending program/method.

These batch files work by reading through the SMTP log files (also called parsing) written by SmarterMail, and writing lines containing "535 Authentication" errors to a file. The difference between the two batch files is that one looks for internal errors by IP address and the other looks for external errors, omitting internal IP address.

IMPORTANT! YOU WILL NEED TO CHANGE THE IP ADDRESS RANGE IN THE BATCH FILE IN ORDER FOR THIS TO WORK. THIS WILL NEED TO MATCH YOUR INTERNAL IP RANGE. 

YOU WILL ALSO NEED TO MAKE SURE THE PATH TO THE SMTP LOG FILE IS CORRECT.

YOU WILL ALSO NEED TO SPECIFY THE FQDN OR IP ADDRESS OF YOUR EMAIL SERVER AND THE EMAIL ADDRESS YOU WANT THE REPORT TO BE SENT FROM AND TO.

Less importantly, you will need to put these files in C:\Support, or create a similar directory and put the files there and change the path in the batch file.

Once you have thoroughly tested these batch files, you will have to set them up to run on a schedule. I used Windows Task Scheduler to do this. I run it at 11:55 PM every day.

The emails will have a time stamp in the subject line like this:

"Failed External SMTP logins 20190815"

And the body of the email will contain a sorted list of IP addresses and the username attempted.

E.g. 

Final note. I realize that I could combine these two files into one and get the same results. I have my reasons for doing this. If you have a simpler/better way to accomplish this, please post it. I'd love to see your solution and would probably revise my code if there's an easier/simpler way to accomplish this, especially if it doesn't rely on external programs.


--- Begin FailedSMTPLogins-Internal.bat ---

::: Written by Robert Hirabayashi

@echo off
set userdata=
set ipaddr=
set emailaddr=
set smtplogfile="D:\SmarterMail\Logs\%date:~-4,4%.%date:~-10,2%.%date:~-7,2%-smtpLog.log"

rem empty logins file

> "c:\support\FailedSMTPLogins-Internal.txt" rem/
> "c:\support\FailedSMTPLogins-Internal.bak" rem/

FOR /F "tokens=3 delims=[] " %%a IN ('findstr /I /C:"535 Authentication" %smtplogfile% ^| findstr /I /C:"192.168."') DO (
   FOR /F "tokens=2,6 delims=[] " %%i IN ('findstr /I /C:"%%a" %smtplogfile% ^| findstr /I /C:"Authenticating as"') DO echo %%i - %%j >> c:\support\FailedSMTPLogins-Internal.txt
)  

copy c:\support\FailedSMTPLogins-Internal.txt c:\support\FailedSMTPLogins-Internal.bak

call c:\support\jsort c:\support\FailedSMTPLogins-Internal.txt /u > c:\support\FailedSMTPLogins-Internal-deduped.txt

call c:\Support\bmail -s mail.domain.com -t admin@domain.com -f %computername%_noreply@domain.com -h -a "Failed Internal SMTP logins %date:~-4,4%%date:~-10,2%%date:~-7,2%" -m "c:\support\FailedSMTPLogins-Internal-deduped.txt" -c

--- End FailedSMTPLogins-Internal.bat ---




--- Begin FailedSMTPLogins-External.bat ---

::: Written by Robert Hirabayashi
::: Post on https://portal.smartertools.com    
@echo off
set userdata=
set ipaddr=
set emailaddr=
set smtplogfile="C:\SmarterMail\Logs\%date:~-4,4%.%date:~-10,2%.%date:~-7,2%-smtpLog.log"

rem empty logins file

> "c:\support\FailedSMTPLogins-External.txt" rem/
> "c:\support\FailedSMTPLogins-External.bak" rem/

FOR /F "tokens=3 delims=[] " %%a IN ('findstr /I /C:"535 Authentication" %smtplogfile% ^| findstr /V /I /C:"192.168."') DO (
   FOR /F "tokens=2,6 delims=[] " %%i IN ('findstr /I /C:"%%a" %smtplogfile% ^| findstr /I /C:"Authenticating as"') DO echo %%i - %%j >> c:\support\FailedSMTPLogins-External.txt
)  

copy c:\support\FailedSMTPLogins-External.txt c:\support\FailedSMTPLogins-External.bak

call c:\support\jsort c:\support\FailedSMTPLogins-External.txt /u > c:\support\FailedSMTPLogins-External-deduped.txt

call c:\Support\bmail -s mail.domain.com -t admin@domain.com -f %computername%_noreply@domain.com -h -a "Failed External SMTP logins %date:~-4,4%%date:~-10,2%%date:~-7,2%" -m "c:\support\FailedSMTPLogins-External-deduped.txt" -c

--- End FailedSMTPLogins-External.bat ---

P.S. Raymond over at raymond.cc has a whole bunch of command line emailing programs detailed with download links.


2 Replies

Reply to Thread
0
Ben Gilstrap Replied
Employee Post
Robert,

Thanks for sharing this!  I'm sure other Community members will be able to benefit from it.
Ben Gilstrap
Regional Sales Executive
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
You're welcome Ben! I hope that's the case! :)


Reply to Thread