2
Safe configuration without external SMTP accounts and hackers login
Idea shared by Omar Escalante - 3/27/2021 at 7:41 AM
Proposed
Hello,

We are using SmarterMail only as EXCHANGE, without POP, IMAP and external SMTP accounts. And we are happy working with Webmail, EWS and EAS.
POP and IMAP services are off, and there are no open ports for these services.

On SMTP we have port 25 open. But I can't do the same for SMTP, because this is the gateway for mail. We don't have external accounts, but the service is running.

If I go to the SMTP log, there are crowds of people digging to log in by SMTP as users, etc.
Does it make sense to disable the login possibility if there is no external SMTP account?
Why can't I avoid those hackers' activity and its log entries without opening gates?

(Sorry, but I can't upload a log file: below you can see the problem uploading the file. For images this is working)
[2021.03.27] 00:10:04.962 [193.56.29.118][60663700] rsp: 220 mail.fioner.com Sat, 27 Mar 2021 04:10:04 +0000 UTC | SmarterMail Enterprise
[2021.03.27] 00:10:04.962 [193.56.29.118][60663700] connected at 3/27/2021 12:10:04 AM
[2021.03.27] 00:10:04.962 [193.56.29.118][60663700] Country code: GB
[2021.03.27] 00:10:04.962 [193.56.29.118][33476826] rsp: 220 mail.frimont.com Sat, 27 Mar 2021 04:10:04 +0000 UTC | SmarterMail Enterprise
[2021.03.27] 00:10:04.962 [193.56.29.118][33476826] connected at 3/27/2021 12:10:04 AM
[2021.03.27] 00:10:04.962 [193.56.29.118][33476826] Country code: GB
[2021.03.27] 00:10:05.102 [193.56.29.118][60663700] cmd: EHLO User
[2021.03.27] 00:10:05.102 [193.56.29.118][60663700] rsp: 250-mail.fioner.com Hello [193.56.29.118]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2021.03.27] 00:10:05.102 [193.56.29.118][60663700] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
[2021.03.27] 00:10:05.118 [193.56.29.118][33476826] cmd: EHLO User
[2021.03.27] 00:10:05.118 [193.56.29.118][33476826] rsp: 250-mail.frimont.com Hello [193.56.29.118]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2021.03.27] 00:10:05.118 [193.56.29.118][33476826] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
[2021.03.27] 00:10:05.259 [193.56.29.118][60663700] cmd: RSET
[2021.03.27] 00:10:05.259 [193.56.29.118][60663700] rsp: 250 OK
[2021.03.27] 00:10:05.259 [193.56.29.118][33476826] cmd: RSET
[2021.03.27] 00:10:05.259 [193.56.29.118][33476826] rsp: 250 OK
[2021.03.27] 00:10:05.399 [193.56.29.118][60663700] cmd: AUTH LOGIN
[2021.03.27] 00:10:05.399 [193.56.29.118][60663700] rsp: 504 Unrecognized authentication type.
[2021.03.27] 00:10:05.415 [193.56.29.118][33476826] cmd: AUTH LOGIN
[2021.03.27] 00:10:05.415 [193.56.29.118][33476826] rsp: 504 Unrecognized authentication type.
[2021.03.27] 00:10:05.556 [193.56.29.118][60663700] cmd: QUIT
[2021.03.27] 00:10:05.556 [193.56.29.118][60663700] rsp: 221 Service closing transmission channel
[2021.03.27] 00:10:05.556 [193.56.29.118][60663700] disconnected at 3/27/2021 12:10:05 AM
[2021.03.27] 00:10:05.556 [193.56.29.118][33476826] cmd: QUIT
[2021.03.27] 00:10:05.556 [193.56.29.118][33476826] rsp: 221 Service closing transmission channel
[2021.03.27] 00:10:05.556 [193.56.29.118][33476826] disconnected at 3/27/2021 12:10:05 AM
[2021.03.27] 00:10:08.587 [141.98.10.143][27465059] rsp: 220 mail.frimont.com Sat, 27 Mar 2021 04:10:08 +0000 UTC | SmarterMail Enterprise
[2021.03.27] 00:10:08.587 [141.98.10.143][27465059] connected at 3/27/2021 12:10:08 AM
[2021.03.27] 00:10:08.587 [141.98.10.143][27465059] Country code: LT
[2021.03.27] 00:10:08.728 [141.98.10.143][27465059] cmd: EHLO User
[2021.03.27] 00:10:08.728 [141.98.10.143][27465059] rsp: 250-mail.frimont.com Hello [141.98.10.143]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2021.03.27] 00:10:08.728 [141.98.10.143][27465059] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
[2021.03.27] 00:10:08.853 [141.98.10.143][27465059] cmd: AUTH LOGIN
[2021.03.27] 00:10:08.853 [141.98.10.143][27465059] rsp: 504 Unrecognized authentication type.
[2021.03.27] 00:10:08.993 [141.98.10.143][27465059] cmd: QUIT
[2021.03.27] 00:10:08.993 [141.98.10.143][27465059] rsp: 221 Service closing transmission channel
[2021.03.27] 00:10:08.993 [141.98.10.143][27465059] disconnected at 3/27/2021 12:10:08 AM

12 Replies

0
You can kinda disable SMTP logging under troubleshooting. Set to exceptions only, then you won't have a log full of failed SMTP attempts, but this will also kill off all SMTP logging too.
1
You should use this against them. First, turn the first attempt into a long IDS block (I use 32767 minutes.) Then, before the timer runs out, convert the IDS block into a permanent blacklist so that they will never talk to your SmarterMail server again. Then convert the blacklist entry into a firewall rule so that they cannot attack you on any other server-port combination either.

Details here:

But there is work to be done to provide separation between AUTH and non-AUTH connections.   Most recent discussion here:
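The escalation described above (long IDS block, then permanent blacklist before the block lapses, then a firewall rule), written out as an added example. It is not SmarterMail's IDS and not code from anyone in this thread. It also models the variant reported later in the thread, a 72-hour block that is escalated only when the attacker keeps coming back. The IP addresses, timestamps, block lengths, retry threshold and stage names are constructed for the example.

```python
"""Escalate repeat SMTP offenders: temporary IDS block -> permanent blacklist -> firewall.

Added example; stage names, thresholds and the sample timelines are assumptions.
"""
from datetime import datetime, timedelta

IDS, PERMANENT, FIREWALL = "ids", "permanent", "firewall"


class BlockEscalator:
    def __init__(self, ids_block=timedelta(hours=72), promote_retries=2,
                 promote_on_expiry=False):
        # promote_on_expiry=True models "convert before the timer runs out";
        # False models "block again, escalate only if they keep coming back".
        self.ids_block = ids_block
        self.promote_retries = promote_retries
        self.promote_on_expiry = promote_on_expiry
        self.entries = {}  # ip -> {"stage", "expires", "retries"}

    def offence(self, ip, now):
        """Record a failed login / bad command from ip at time now; return its stage."""
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = {"stage": IDS, "expires": now + self.ids_block, "retries": 0}
            return IDS
        if e["stage"] != IDS:
            return e["stage"]  # already permanent or already in the firewall
        e["retries"] += 1
        if e["retries"] >= self.promote_retries:
            e["stage"] = PERMANENT  # keeps returning: stop managing a timer for it
        elif now >= e["expires"]:
            e["expires"] = now + self.ids_block  # block lapsed, block again
        return e["stage"]

    def sweep(self, now, lead=timedelta(hours=1)):
        """Scheduled job: promote IDS blocks that lapse within `lead`
        (only under the promote-on-expiry policy). Returns the promoted IPs."""
        promoted = []
        for ip, e in self.entries.items():
            if (e["stage"] == IDS and self.promote_on_expiry
                    and e["expires"] - now <= lead):
                e["stage"] = PERMANENT
                promoted.append(ip)
        return sorted(promoted)

    def export_firewall(self):
        """Hand permanent entries to the host firewall (for instance as the input
        file of Import-Firewall-Blocklist.ps1) and mark them so they are not exported twice."""
        batch = sorted(ip for ip, e in self.entries.items() if e["stage"] == PERMANENT)
        for ip in batch:
            self.entries[ip]["stage"] = FIREWALL
        return batch

    def is_blocked(self, ip, now):
        e = self.entries.get(ip)
        if e is None:
            return False
        return e["stage"] != IDS or now < e["expires"]


def retry_timeline():
    """72-hour policy: the attacker returns at ~12h and ~30h, then gets escalated."""
    t0 = datetime(2021, 4, 1, 0, 0)
    esc = BlockEscalator()
    stages = [esc.offence("198.51.100.9", t0 + timedelta(hours=h)) for h in (0, 12, 30)]
    return stages, esc.export_firewall()


def expiry_timeline():
    """32767-minute policy: promote shortly before the block lapses, even with no retry."""
    t0 = datetime(2021, 4, 1, 0, 0)
    esc = BlockEscalator(ids_block=timedelta(minutes=32767), promote_on_expiry=True)
    esc.offence("198.51.100.10", t0)
    too_early = esc.sweep(t0 + timedelta(days=1))
    promoted = esc.sweep(t0 + timedelta(minutes=32767 - 30))
    return too_early, promoted, esc.export_firewall()


def lapse_timeline():
    """72-hour policy: one offence, block lapses, a single return just re-blocks."""
    t0 = datetime(2021, 4, 1, 0, 0)
    esc = BlockEscalator()
    esc.offence("198.51.100.11", t0)
    before = esc.is_blocked("198.51.100.11", t0 + timedelta(hours=71))
    after = esc.is_blocked("198.51.100.11", t0 + timedelta(hours=73))
    stage = esc.offence("198.51.100.11", t0 + timedelta(hours=74))
    again = esc.is_blocked("198.51.100.11", t0 + timedelta(hours=75))
    return before, after, stage, again


if __name__ == "__main__":
    print(retry_timeline(), expiry_timeline(), lapse_timeline())
```

Which policy to run is a trade-off the thread itself discusses: promoting on expiry means never releasing an attacker, at the cost of a list that only grows; promoting on retries keeps the list small and lets one-off scanners drop off after the block.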
0
Our SMTP port was getting hammered by brute force attacks coming out of the ex-Soviet Bloc, and by implementing a long IDS block (12 hours) we got them to finally give up and remove our server from their bot after about 2 weeks.
1
I am at 3400 blocked IPs and growing constantly, with attacks coming from all over the world. Weekends seem to be busier than weekdays, and nights busier than days. I guess they prefer to attack when we are not watching as closely.

Since we are a low-profile organization, our situation must be a tiny part of the whole problem. I do not yet have enough address density to replace single addresses with subnets, but that will become necessary for performance reasons. I think it would be best to stay below 10,000 unique entries.
0
Kyle Kerst Replied
Employee Post
What Doug said on this is unfortunately your best bet. Hackers/crackers are always probing email servers because compromised email servers likely sell for a premium, and the best way to prevent this is to block them quickly and block them for a long period of time. A lot of these crackers are using automated routines which will give up and move on if they are blocked too many times in a row, so the IDS system is an excellent gate keeper for this kind of behavior. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
We block for 72 hours now. This has ended quite a few attempts pretty quickly. We see they check back after ~12 hours or so, again at about 28 - 36 hours, then they seem to give up.
0
Glad that works for you, but why release the block at all?   Is it a performance concern? 
1
No need in managing a list of thousands and thousands and thousands and thousands of IPs. Most move on and never come back, those that do are simply blocked again.
1
Hello,

I found this link. May be this is useful


Block Countries, Attackers, Spammers and Bogons

You can obtain lists of IP addresses and network ID ranges to block from a variety of sources for a variety of purposes.

Here are a few sources to try:

Note: If you also want to block the resolution of unwanted hostnames in DNS, there is another script for that here.

Examples

To create rules to block all inbound and outbound packets to the IP addresses and CIDR networks listed in a file named iptoblock.txt:

import-firewall-blocklist.ps1 -inputfile iptoblock.txt
0
Hello,

I am happy with the use of
    https://www.sans.org/blog/windows-firewall-script-to-block-ip-addresses-and-country-network-ranges/

    PowerShell.exe -ExecutionPolicy Bypass
    .\Import-Firewall-Blocklist.ps1 -inputfile ip.txt
    PowerShell.exe -ExecutionPolicy Restricted

Where ip.txt can be the IDS block list or the http://www.ipdeny.com/ipblocks/ country lists.
The process was easy, with great results.

Now, I am thinking about some proposals. We received several errors / bad commands. Those errors are from attacks.
I think they are not covered by IDS, and should be easy to add. We can build the list of cases using the error codes:

    rsp: 535 Authentication failed = covered by IDS
    rsp: 500 command unrecognized
    rsp: 504 Unrecognized authentication type.
    rsp: 554 Sending address not accepted due to spam filter
    rsp: 554 Security failure

    May be others  rsp: 4xx or rsp: 5xx

Why this? We suffered an exponential increase in blocked connections over inbound SMTP. This is closed. There is no open external SMTP. Nobody can connect using this. Only by EWS or Webmail with 2-step security. So, I don't want to see them attacking us. I am thinking of a way to block them completely.

1) New IDS rule by "504 Unrecognized authentication type."

    [2021.04.02] 15:58:55.703 [115.207.19.98][4951420] Country code: CN
    [2021.04.02] 15:58:55.953 [115.207.19.98][4951420] cmd: EHLO ylmf-pc
    [2021.04.02] 15:58:55.953 [115.207.19.98][4951420] rsp: 250-mail.frimont.com Hello [115.207.19.98]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
    [2021.04.02] 15:58:56.187 [115.207.19.98][4951420] cmd: AUTH LOGIN
    [2021.04.02] 15:58:56.187 [115.207.19.98][4951420] rsp: 504 Unrecognized authentication type.

This ylmf-pc attack comes from China, Vietnam, etc. He always uses the same method, with different IPs.
I can block him by EHLO. But his records in the log are huge. And he is a cracker or hacker.
There is no rule to automatically catch the IP for "504 Unrecognized authentication type", like the other IDS rules.
This possible new rule would be able to detect him and block him automatically.

2) New IDS rule by "rsp: 500 command unrecognized"

    14:02:01.978 [119.61.22.82][23963396] cmd: EHLO localhost
    14:02:01.978 [119.61.22.82][23963396] rsp: 250-mail.frimont.com Hello [119.61.22.82]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
    14:02:01.978 [119.61.22.82][23963396] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
    14:02:02.416 [119.61.22.82][23963396] cmd: AUTH LOGIN
    14:02:02.416 [119.61.22.82][23963396] rsp: 334 VXNlcm5hbWU6
    14:02:03.306 [119.61.22.82][23963396] Authenticating as sistemas@frimont.com
    14:02:03.306 [119.61.22.82][23963396] rsp: 334 UGFzc3dvcmQ6
    14:02:03.760 [119.61.22.82][23963396] rsp: 535 Authentication failed
    14:02:04.213 [119.61.22.82][23963396] cmd: *
    14:02:04.213 [119.61.22.82][23963396] rsp: 500 command unrecognized
    14:02:04.666 [119.61.22.82][23963396] cmd: QUIT

This example is good. We are blocking the EHLO "localhost".
He is a hacker/cracker. He tries to authenticate. He sent a bad command. But I must dig into the log to put this IP into the blacklist.

3) New IDS rule using the event: "The domain given in the EHLO command violates an EHLO SMTP blocking rule"
We have some EHLO SMTP blocking rules, like "localhost", "admin", "administrator", etc.

    03:53:26.874 [36.129.204.202][2368085] Country code: CN
    03:53:34.812 [36.129.204.202][2368085] cmd: EHLO localhost
    03:53:34.812 [36.129.204.202][2368085] rsp: 250-mail.frimont.com Hello [36.129.204.202]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
    03:53:34.812 [36.129.204.202][2368085] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
    03:53:35.187 [36.129.204.202][2368085] disconnected at 3/25/2021 3:53:35 AM

We block several attacks with it. But, again, they fill thousands of log lines.
If there is an IDS rule to get the IP used in these EHLO SMTP cases, we can add them to blacklists.
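The three rules proposed in this post, plus the 535 rule that IDS already covers, written as an added example that scans log lines in the layout of the excerpts in this post and in the opening post. It is not SmarterMail's IDS and not code from anyone in the thread. It counts each rule at most once per SMTP session, skips an assumed allowlist of networks you never want to lock out, optionally collapses dense clusters into /24 networks (the address-density point raised earlier in the thread), and writes the one-address-per-line file that Import-Firewall-Blocklist.ps1 -inputfile reads. The sample log lines, the rule names, the allowlist network and the thresholds are constructed for the example.

```python
"""Turn SmarterMail-style SMTP log lines into a firewall blocklist file.

Added example: rule names, thresholds, the allowlist and the sample log
are assumptions made for illustration, not SmarterMail settings.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of the thread's excerpts: [date] time [ip][session] text.
SAMPLE_LOG = """\
[2021.03.27] 00:10:04.962 [193.56.29.118][60663700] connected at 3/27/2021 12:10:04 AM
[2021.03.27] 00:10:05.102 [193.56.29.118][60663700] cmd: EHLO User
[2021.03.27] 00:10:05.102 [193.56.29.118][60663700] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
[2021.03.27] 00:10:05.399 [193.56.29.118][60663700] cmd: AUTH LOGIN
[2021.03.27] 00:10:05.399 [193.56.29.118][60663700] rsp: 504 Unrecognized authentication type.
[2021.03.27] 00:10:05.556 [193.56.29.118][60663700] disconnected at 3/27/2021 12:10:05 AM
[2021.03.27] 14:02:01.978 [119.61.22.82][23963396] cmd: EHLO localhost
[2021.03.27] 14:02:01.978 [119.61.22.82][23963396] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
[2021.03.27] 14:02:02.416 [119.61.22.82][23963396] cmd: AUTH LOGIN
[2021.03.27] 14:02:03.760 [119.61.22.82][23963396] rsp: 535 Authentication failed
[2021.03.27] 14:02:04.213 [119.61.22.82][23963396] cmd: *
[2021.03.27] 14:02:04.213 [119.61.22.82][23963396] rsp: 500 command unrecognized
[2021.03.27] 14:05:00.000 [203.0.113.7][11111111] cmd: EHLO mx.partner.example
[2021.03.27] 14:05:00.200 [203.0.113.7][11111111] rsp: 250 OK
"""

LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<text>.*)$"
)

# The triggers proposed in the thread (rule names are ours); 535 is what IDS already catches.
RULES = (
    ("auth_failed", lambda t: t.startswith("rsp: 535 ")),
    ("bad_auth_type", lambda t: t.startswith("rsp: 504 ")),
    ("bad_command", lambda t: t.startswith("rsp: 500 ")),
    ("ehlo_blocked", lambda t: "violates an EHLO SMTP blocking rule" in t),
)


def parse(log_text):
    """Yield one dict per line that matches the log layout; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def score_sessions(log_text):
    """Return {ip: {rule: count}}, counting each rule at most once per SMTP session
    so that one chatty session cannot inflate an address's score by itself."""
    seen = set()
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse(log_text):
        for name, matches in RULES:
            key = (rec["ip"], rec["session"], name)
            if matches(rec["text"]) and key not in seen:
                seen.add(key)
                hits[rec["ip"]][name] += 1
    return hits


def select_block_candidates(hits, threshold=1, allowlist=("203.0.113.0/24",)):
    """Addresses whose total hits reach the threshold and are not allowlisted.
    The allowlist (assumed) holds partner MTAs and monitoring hosts."""
    nets = [ip_network(n) for n in allowlist]
    picked = [
        ip for ip, counts in hits.items()
        if sum(counts.values()) >= threshold
        and not any(ip_address(ip) in n for n in nets)
    ]
    return sorted(picked, key=ip_address)


def collapse_to_subnets(ips, prefix=24, min_hosts=3):
    """Replace clusters of >= min_hosts addresses inside one /prefix with that network,
    to keep the firewall list short as it grows."""
    by_net = defaultdict(list)
    for ip in ips:
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    out = []
    for net, members in by_net.items():
        out.extend([str(net)] if len(members) >= min_hosts else members)
    return sorted(out, key=lambda s: ip_network(s, strict=False))


def render_blocklist(entries):
    """One IP or CIDR per line: the input format Import-Firewall-Blocklist.ps1 reads."""
    return "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    candidates = select_block_candidates(score_sessions(SAMPLE_LOG))
    print(render_blocklist(collapse_to_subnets(candidates)), end="")
```

Run it against a real SmarterMail SMTP log instead of SAMPLE_LOG and feed the output to Import-Firewall-Blocklist.ps1 as shown earlier in the thread. Raise the threshold above 1 before doing that: a single 504 can come from a misconfigured legitimate client, while an address that trips several rules across several sessions is the pattern the poster wants caught.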
2
Not sure what you are looking for here. SMTP attacks will always exist; you cannot stop them. Even our anti-spam gateways that process no authenticated mail are pounded all day with login attempts; it's just the nature of running a publicly accessible SMTP server.
0
Look at the graph:
Blocked connections and attackers are coming to ZERO

This is the graph for August:


Almost 100% clean
