SmarterMail Security
Idea shared by Bryan Zimmerman - 3/10/2024 at 5:41 AM
Recently I have seen a large uptick in hacking attempts against the SmarterMail server.  To that end I have written a C++ Windows program to parse the SMTP logs and report those IPs that are either blacklisted currently or that fail an RSP535 authentication, and the count of them, so that the blacklist can be updated.

An example command line would be as follows:
SmarterMailLogTool.exe --input_directory Logs --threshold 10 --country_file country_asn.csv
The country_asn file can be obtained from here: Country File, where I use the last one, Country + IP to ASN.

An example output of the program is as follows:
Country File: country_asn.csv - IPV4 Entries: 1132960, IPV6 Entries: 1122499
Parsing SMTP log files:
File:   1 - Logs\2024.03.04-smtpLog.log
File:   2 - Logs\2024.03.05-smtpLog.log
File:   3 - Logs\2024.03.06-smtpLog.log
File:   4 - Logs\2024.03.07-smtpLog.log
File:   5 - Logs\2024.03.08-smtpLog.log
File:   6 - Logs\2024.03.09-smtpLog.log
File:   7 - Logs\2024.03.10-smtpLog.log

Authentication failure IPs:
IP:                 Count:  Country:       Host Names:
                       596  France
                        24  Romania
                        24  Romania
                        96  Romania        edc86.daten-de.com
                        24  Lithuania      srv-141-98-11-95.serveroffer.net
                       120  Netherlands
                        24  Netherlands

Blacklisted IPs:
IP:                 Count:  Country:       Host Names:
                     34804  Romania
                     23089  Romania
                       396  Netherlands
                        30  Romania        edc86.daten-de.com
                       539  Hong Kong
                     24091  Lithuania      srv-141-98-11-95.serveroffer.net
                        69  Italy
                        85  Netherlands
                       448  Netherlands

It should work for both IPV4 and IPV6 addresses, giving the offending IP, the count, the country associated with the IP and the reverse DNS lookup, if any.

May other people find this useful.
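As an added example (my own Python sketch, not Bryan's C++ tool), the same detection logic over constructed log lines: count 535 authentication responses and blacklist rejections per client IP, apply the threshold, and resolve each IP to a country with a binary search over an ipinfo-style country_asn.csv. The log line shape, the CSV column names used and the rule that the threshold applies to 535 failures are assumptions.

```python
import bisect, csv, io, ipaddress, re
from collections import Counter
# Assumed SmarterMail SMTP line shape (an assumption, not from the post): "[date] time [client-ip][session] text"
LINE_RE = re.compile(r'\[(?P<ip>[0-9A-Fa-f.:]+)\]\[\d+\]\s+(?P<msg>.*)$')

def parse_counts(lines):
    """Count, per client IP, 535 authentication responses and blacklist rejections."""
    auth, black = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m: continue
        ip, msg = m.group('ip'), m.group('msg')
        if msg.startswith('rsp: 535'):
            auth[ip] += 1
        elif 'blacklist' in msg.lower():
            black[ip] += 1
    return auth, black

def load_country_ranges(csv_text):
    """Load ipinfo-style country_asn.csv (start_ip,end_ip,...,country_name) into a bisect-able table."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        s, e = ipaddress.ip_address(r['start_ip']), ipaddress.ip_address(r['end_ip'])
        rows.append(((s.version, int(s)), (e.version, int(e)), r['country_name']))
    rows.sort()
    return [r[0] for r in rows], rows  # (start keys, full rows); version leads the key so v4/v6 never mix

def country_for(ip_str, table):
    """Binary-search the sorted ranges; 'Unknown' when the IP falls in no range."""
    starts, rows = table
    ip = ipaddress.ip_address(ip_str)
    key = (ip.version, int(ip))
    i = bisect.bisect_right(starts, key) - 1
    return rows[i][2] if i >= 0 and rows[i][0] <= key <= rows[i][1] else 'Unknown'

def report(lines, table, threshold):
    """Auth-failure IPs at/above threshold plus every blacklisted IP, each as (ip, count, country), count desc."""
    auth, black = parse_counts(lines)
    fmt = lambda c: sorted(((ip, n, country_for(ip, table)) for ip, n in c.items()), key=lambda t: -t[1])
    return fmt({ip: n for ip, n in auth.items() if n >= threshold}), fmt(black)

# Constructed sample input: documentation address ranges with made-up country assignments.
COUNTRY_CSV = """start_ip,end_ip,country,country_name
203.0.113.0,203.0.113.255,RO,Romania
198.51.100.0,198.51.100.255,NL,Netherlands
2001:db8::,2001:db8:ffff:ffff:ffff:ffff:ffff:ffff,LT,Lithuania
"""
LOG_LINES = [f'[2024.03.04] 10:00:{i:02d}.000 [{ip}][{i}] {msg}' for ip, n, msg in (
    ('203.0.113.5', 12, 'rsp: 535 Authentication failed'),
    ('2001:db8::1', 10, 'rsp: 535 Authentication failed'),
    ('203.0.113.9', 2, 'rsp: 535 Authentication failed'),
    ('198.51.100.7', 3, 'IP is blacklisted, connection dropped')) for i in range(n)]
```

Calling `report(LOG_LINES, load_country_ranges(COUNTRY_CSV), 10)` flags the two IPs with at least ten 535 responses and the one blacklisted IP, while the two-failure host stays below the threshold.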


For the ambitious ones, here is the source code for the above.  It also depends on the following 3rd party libraries.
2. asio