Is it accurate that If someone goes to the WebMail interface and logs in, that it is NOT generating any SMTP authentication attempts ? (or IMAP, or POP events, etc...) but all WebMail logins would generate "Administrative" logs ?
But In the "administrative" logs, It seems the only way to tell a failed login, is to see multiple "Attempting to login" listed one right after the other. There is no listing or identifying of "failed login" (This is for SmarterMail 14)
Is this also correct, and is it still correct in SM 16, 17, etc ?
We are reviewing our server logs trying to get more control over spam, scam and hackers. In looking at the SMTP logs, I just noticed we had a LOT of brute force attacks since the beginning of the year, where hackers are trying to log into various email accounts. The "brute force" filter is not working though because every attempt is coming from a different IP address. They try one time, fail, and then that IP address is not repeated again sometimes for days or even weeks.
What I realized is that of all of our email accounts on all domains, almost everyone uses webmail to access their email. Very few people get their email on their phones through any mail apps. So If i am correct then, pretty much all of the failed login attempts throught the SMTP, POP or IMAP are in fact hack attempts.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !