Frequent auth cram-md5 attempts from spammers
Question asked by Brian Henson - 6/12/2021 at 11:15 AM
Unanswered
Our SmarterMail server gets hundreds of authentication attempts per day from spammers; we see the following in the logs:

[2021.06.12] 07:51:46 [45.133.1.73][58041917] rsp: 220 mail.example.com
[2021.06.12] 07:51:46 [45.133.1.73][58041917] connected at 6/12/2021 7:51:46 AM
[2021.06.12] 07:51:46 [45.133.1.73][58041917] cmd: EHLO [45.133.1.73]
[2021.06.12] 07:51:46 [45.133.1.73][58041917] rsp: 250-mail.example.com Hello [45.133.1.73]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2021.06.12] 07:51:47 [45.133.1.73][58041917] cmd: AUTH CRAM-MD5
[2021.06.12] 07:51:47 [45.133.1.73][58041917] rsp: 334 PC0xODkyMjUyMTg5LjYzNzU5MDgxMTA3NDA5ODY5OEBtYWlsLm51bWVkaWNzLmNvbT4=
[2021.06.12] 07:51:47 [45.133.1.73][58041917] Authenticating as music
[2021.06.12] 07:51:47 [45.133.1.73][58041917] rsp: 535 Authentication failed
[2021.06.12] 07:51:48 [45.133.1.73][58041917] cmd: QUIT
[2021.06.12] 07:51:48 [45.133.1.73][58041917] rsp: 221 Service closing transmission channel
[2021.06.12] 07:51:48 [45.133.1.73][58041917] disconnected at 6/12/2021 7:51:48 AM

The EHLO addresses change with each attempt, so trying to blacklist or SMTP block them is futile. None of these attempts have been successful. But it really clogs up the logs, and I'm concerned if they ever do succeed. Any suggestions?

4 Replies

Douglas Foster Replied
Brian Henson Replied
Tightening up the SMTP password brute force rule did block 1 or 2 of them, but most of these IPs are only being used once.

It would be nice if authentication attempts could go in their own log separate from the main SMTP log to make it easier to see messages being sent or received vs authentication attempts.
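Until the server offers a separate auth log, the authentication attempts can be pulled out of the SMTP log after the fact. The following is an added example, not SmarterMail code or anything posted in this thread; it assumes the line format shown in the question (date, time, [ip][session id], message), that a success is logged as a 235 response, and uses constructed sample lines. It correlates the AUTH command, the "Authenticating as" username and the 535/235 response per session id, then tallies failures per source IP and per targeted username and lists any successes, which is the case the question is worried about.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the format shown in the question (not real log data)
SAMPLE_LOG = """\
[2021.06.12] 07:51:47 [45.133.1.73][58041917] cmd: AUTH CRAM-MD5
[2021.06.12] 07:51:47 [45.133.1.73][58041917] Authenticating as music
[2021.06.12] 07:51:47 [45.133.1.73][58041917] rsp: 535 Authentication failed
[2021.06.12] 07:53:02 [198.51.100.7][58041950] cmd: AUTH CRAM-MD5
[2021.06.12] 07:53:02 [198.51.100.7][58041950] Authenticating as sales
[2021.06.12] 07:53:02 [198.51.100.7][58041950] rsp: 535 Authentication failed
[2021.06.12] 07:55:10 [192.0.2.10][58041988] cmd: AUTH LOGIN
[2021.06.12] 07:55:10 [192.0.2.10][58041988] Authenticating as brian
[2021.06.12] 07:55:10 [192.0.2.10][58041988] rsp: 235 Authentication successful
"""

LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$"
)
# One auth attempt: timestamp, source IP, session id, SASL mechanism, username, outcome
AuthEvent = namedtuple("AuthEvent", "ts ip session mechanism user success")

def extract_auth_events(log_text):
    """Correlate AUTH command, username and server response by session id."""
    pending = {}   # session id -> partially built attempt
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a SmarterMail-style line; skip it
        ip, sid, msg = m["ip"], m["session"], m["msg"]
        ts = f"{m['date']} {m['time']}"
        if msg.startswith("cmd: AUTH "):
            # Mechanism is the word after AUTH; any initial response (AUTH PLAIN xxx) is ignored
            pending[sid] = {"mechanism": msg.split(" ", 2)[2].split()[0], "user": "?"}
        elif msg.startswith("Authenticating as ") and sid in pending:
            pending[sid]["user"] = msg[len("Authenticating as "):].strip()
        elif (msg.startswith("rsp: 535") or msg.startswith("rsp: 235")) and sid in pending:
            p = pending.pop(sid)
            events.append(AuthEvent(ts, ip, sid, p["mechanism"], p["user"], msg.startswith("rsp: 235")))
    return events

def summarize(events):
    """Failure counts per source IP and per targeted username, plus the list of successes."""
    failed = [e for e in events if not e.success]
    by_ip = Counter(e.ip for e in failed)
    by_user = Counter(e.user for e in failed)
    return by_ip, by_user, [e for e in events if e.success]
```

Feeding the real SMTP log file to `extract_auth_events` gives an auth-only view; the `by_user` counter shows which mailbox names the attempts are aimed at, and a non-empty success list from an unexpected IP is the thing to alert on.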
Douglas Foster Replied
This is why you need an incoming gateway which is separate from your mail server. It provides separation of your logs, it allows the incoming gateway to blacklist on a single AUTH failure, and it allows the mail server to require SMTP AUTH for all traffic except whitelisted IP addresses (your incoming gateway and whatever other internal servers cannot do SMTP AUTH).

SmarterMail Free with Declude makes a very credible incoming gateway, and SmarterTools has treated it as fully supported. I open the ticket against my mail server license and explain in the details that it is a gateway issue.
Montague WebWorks Replied
Clever
Mik Muller, Montague WebWorks
