Recently I have seen a large uptick in hacking attempts against the SmarterMail server. To that end I have written a C++ Windows program to parse the SMTP logs and report those IPs that are either blacklisted currently or that fail an RSP535 authentication, and the count of them, so that the blacklist can be updated.
An example command line would be as follows:
SmarterMailLogTool.exe --input_directory Logs --threshold 10 --country_file country_asn.csv
The country_asn file can be obtained from here: Country File, where I use the last one, Country + IP to ASN.
An example output of the program is as follows:
Country File: country_asn.csv - IPV4 Entries: 1132960, IPV6 Entries: 1122499
Parsing SMTP log files:
File: 1 - Logs\2024.03.04-smtpLog.log
File: 2 - Logs\2024.03.05-smtpLog.log
File: 3 - Logs\2024.03.06-smtpLog.log
File: 4 - Logs\2024.03.07-smtpLog.log
File: 5 - Logs\2024.03.08-smtpLog.log
File: 6 - Logs\2024.03.09-smtpLog.log
File: 7 - Logs\2024.03.10-smtpLog.log
Authentication failure IPs:
IP:              Count:  Country:     Host Names:
45.88.90.136     596     France
45.129.14.128    24      Romania
45.129.14.179    24      Romania
92.118.39.240    96      Romania      edc86.daten-de.com
141.98.11.95     24      Lithuania    srv-141-98-11-95.serveroffer.net
193.222.96.50    120     Netherlands
193.222.96.246   24      Netherlands
Blacklisted IPs:
IP:              Count:  Country:     Host Names:
45.129.14.128    34804   Romania
45.129.14.179    23089   Romania
79.110.62.5      396     Netherlands
92.118.39.240    30      Romania      edc86.daten-de.com
109.206.245.181  539     Hong Kong
141.98.11.95     24091   Lithuania    srv-141-98-11-95.serveroffer.net
185.196.9.225    69      Italy
194.55.186.18    85      Netherlands
194.55.186.197   448     Netherlands
It should work for both IPv4 and IPv6 addresses, giving the offending IP, the count, the country associated with the IP and the reverse DNS lookup, if any.
May other people find this useful.
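The counting step described in this post, as an added C++ example that is not part of the original post and is not the SmarterMailLogTool source: it tallies 535 responses per client IP and keeps the IPs at or above a threshold. The log line layout, the "at or above" reading of the threshold, the function names and the sample lines are assumptions made for the example.

```cpp
// Added example, not the tool's source. Assumed line layout (not shown in the
// post): <time> [<client-ip>][<session>] rsp: 535 Authentication failed
#include <iostream>
#include <iterator>
#include <map>
#include <sstream>
#include <string>

// Text inside the first [...] pair on the line, or "" when there is none.
std::string first_bracketed(const std::string& line) {
    auto open = line.find('[');
    if (open == std::string::npos) return "";
    auto close = line.find(']', open + 1);
    if (close == std::string::npos) return "";
    return line.substr(open + 1, close - open - 1);
}

// Count "rsp: 535" lines per client IP and keep IPs at or above the threshold.
std::map<std::string, int> auth_failures(const std::string& log, int threshold) {
    std::map<std::string, int> counts;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        if (line.find("rsp: 535") == std::string::npos) continue;
        std::string ip = first_bracketed(line);
        // Accept only characters valid in IPv4/IPv6 literals, so a malformed
        // line cannot put arbitrary text into a blacklist update.
        if (ip.empty() ||
            ip.find_first_not_of("0123456789abcdefABCDEF.:") != std::string::npos)
            continue;
        ++counts[ip];
    }
    for (auto it = counts.begin(); it != counts.end();)
        it = (it->second < threshold) ? counts.erase(it) : std::next(it);
    return counts;
}

// Constructed sample lines using documentation address ranges, not real data.
const std::string kSampleLog =
    "00:00:01.100 [192.0.2.10][1001] rsp: 535 Authentication failed\n"
    "00:00:02.200 [192.0.2.10][1002] rsp: 535 Authentication failed\n"
    "00:00:03.300 [2001:db8::5][1003] rsp: 535 Authentication failed\n"
    "00:00:04.400 [198.51.100.7][1004] rsp: 235 Authentication successful\n"
    "00:00:05.500 [192.0.2.10][1005] rsp: 535 Authentication failed\n"
    "00:00:06.600 [2001:db8::5][1006] rsp: 535 Authentication failed\n"
    "00:00:07.700 no client field here rsp: 535 Authentication failed\n";

int main() {
    for (const auto& kv : auth_failures(kSampleLog, 2))
        std::cout << kv.first << ' ' << kv.second << '\n';
}
```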