Back to Community Threads
2
Frequent auth cram-md5 attempts from spammers
Question asked by Brian Henson - 6/12/2021 at 11:15 AM
Unanswered
Our Smartermail server gets 100s of authentication attempts per day from spammers, we see the following in the logs:

[2021.06.12] 07:51:46 [45.133.1.73][58041917] rsp: 220 mail.example.com
[2021.06.12] 07:51:46 [45.133.1.73][58041917] connected at 6/12/2021 7:51:46 AM
[2021.06.12] 07:51:46 [45.133.1.73][58041917] cmd: EHLO [45.133.1.73]
[2021.06.12] 07:51:46 [45.133.1.73][58041917] rsp: 250-mail.example.com Hello [45.133.1.73]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2021.06.12] 07:51:47 [45.133.1.73][58041917] cmd: AUTH CRAM-MD5
[2021.06.12] 07:51:47 [45.133.1.73][58041917] rsp: 334 PC0xODkyMjUyMTg5LjYzNzU5MDgxMTA3NDA5ODY5OEBtYWlsLm51bWVkaWNzLmNvbT4=
[2021.06.12] 07:51:47 [45.133.1.73][58041917] Authenticating as music
[2021.06.12] 07:51:47 [45.133.1.73][58041917] rsp: 535 Authentication failed
[2021.06.12] 07:51:48 [45.133.1.73][58041917] cmd: QUIT
[2021.06.12] 07:51:48 [45.133.1.73][58041917] rsp: 221 Service closing transmission channel
[2021.06.12] 07:51:48 [45.133.1.73][58041917] disconnected at 6/12/2021 7:51:48 AM

The EHLO addresses change with each attempt, so trying to blacklist or SMTP block them is futile. None of these attempts have been successful. But it really clogs up the logs, and I'm concerned if they ever do succeed. Any suggestions?

4 Replies

Reply to Thread
0
Douglas Foster Replied
6/12/2021 at 5:43 PM
1
Brian Henson Replied
6/14/2021 at 9:38 AM
Tightening up the SMTP password brute force rule did block 1 or 2 of them, but most of these IPs are only being used once.

It would be nice if authentication attempts could go in their own log separate from the main SMTP log to make it easier to see messages being sent or received vs authentication attempts.
1
Douglas Foster Replied
6/14/2021 at 5:02 PM
This is why you need an incoming gateway which is separate from your mail server.   It provides separation of your logs, it allows the incoming gateway to blacklist on a single AUTH failure, and it allows the mail server to require SMTP AUTH for all traffic except whitelisted IP addresses (your incoming gateway and whatever other internal servers that cannot do SMTP AUTH.)

SmarterMail Free with Declude makes a very credible incoming gateway, and SmarterTools has treated it as fully supported.   I open the ticket against my mail server license and explain in the details that it is a gateway issue.
1
Montague WebWorks Replied
6/30/2021 at 9:59 AM
Clever
Mik MullerMontague WebWorks
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Find a Compromised AccountSmarterMail > Troubleshooting
How to Setup Microsoft 365 (Office) Accounts in SmarterTrack Using OAuthSmarterTrack > Installation and Configuration
Slow 250 response after Mail From command is issued during an SMTP session.SmarterMail > Troubleshooting
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management