Back to Community Threads
2
Not working: Bad SMTP Sessions (Harvesting)
Problem reported by Ian Ralph - Yesterday at 9:25 AM
Not A Problem
We have an Abuse Detection rule set up for Bad SMTP Sessions (Harvesting) - 5 count in 5 minutes, however it never seems to be triggered. Here's an extract from smtp log today - it was one of many, but the rule was not triggered. Any ideas why ? I've replaced the actual domain name in the logs with OURDOMAINNAME . There are multiple attempts at this, on all our various domains, from various IP addresses.

02:10:37 [97.212.136.240][27945622] rsp: 250-cmail.XXXXXXX Hello [97.212.136.240]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
02:10:39 [97.212.136.240][27945622] cmd: MAIL FROM:<f8fyzvgifvxy@vsechnyreality.cz>
02:10:39 [97.212.136.240][27945622] rsp: 250 OK <f8fyzvgifvxy@vsechnyreality.cz> Sender ok
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<3jzn9fubut8ce@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <3jzn9fubut8ce@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<postmaster@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 250 OK <postmaster@OURDOMAINNAME> Recipient ok
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<vv5wvi79fdwvaz@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <vv5wvi79fdwvaz@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<abuse@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 250 OK <abuse@OURDOMAINNAME> Recipient ok
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<info@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <info@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<webmaster@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <webmaster@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<admin@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 250 OK <admin@OURDOMAINNAME> Recipient ok
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<i8nrx1r3lsn5rq@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <i8nrx1r3lsn5rq@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<support@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 250 OK <support@OURDOMAINNAME> Recipient ok
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<mail@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <mail@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<8bv4ygdvgjz240sp@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <8bv4ygdvgjz240sp@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<sales@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <sales@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<q2qeu875rl081073@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <q2qeu875rl081073@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<contact@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <contact@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<hostmaster@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 250 OK <hostmaster@OURDOMAINNAME> Recipient ok
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<1rs5dye3q9u9o@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <1rs5dye3q9u9o@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<phau28rxp3oovf@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <phau28rxp3oovf@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<oqc6889wc3dcn@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <oqc6889wc3dcn@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<root@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <root@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<q6sy6cq4uekn@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <q6sy6cq4uekn@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<hello@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <hello@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<y8y9nfcjdaj0cd@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <y8y9nfcjdaj0cd@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<office@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <office@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<i@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <i@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<marketing@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <marketing@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<fq7wmqkjt1de6orq@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <fq7wmqkjt1de6orq@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<noreply@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <noreply@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<qec4keeofoei@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <qec4keeofoei@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<test@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <test@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<news@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <news@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<nobody@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <nobody@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<mailer-daemon@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <mailer-daemon@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<noc@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <noc@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<daemon@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <daemon@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<9n779kokt7cxc8@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <9n779kokt7cxc8@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] cmd: RCPT TO:<tpeatg43l8iq@OURDOMAINNAME>
02:10:40 [97.212.136.240][27945622] rsp: 550 <tpeatg43l8iq@OURDOMAINNAME> No such user here
02:10:40 [97.212.136.240][27945622] rsp: 550 Too many bad consecutive recipients.

2 Replies

Reply to Thread
0
Andrew Barker Replied
Yesterday at 11:57 AM
Employee Post
The Bad SMTP Session (Harvesting) IDS rule type is triggered based on a count of SMTP sessions that end without a message being received by the server. The session represented in the log snippet that you included would count as a single bad session for that IDS rule.

The number of bad RCPT TO commands allowed in a session is controlled by the Max Bad Recipients setting at Settings > Protocols on the SMTP In card.
Andrew Barker Software Developer SmarterTools Inc. www.smartertools.com
0
Ian Ralph Replied
Yesterday at 12:47 PM
The number of bad RCPT TO commands allowed in a session.....

Got it, many thanks!
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Cannot Receive Mail MessagesSmarterMail > Troubleshooting
Cannot Send Email MessagesSmarterMail > Troubleshooting
Slow 250 response after Mail From command is issued during an SMTP session.SmarterMail > Troubleshooting
Resolving SMTP Failures on AWS-based ServerSmarterMail > Server Configuration and Management
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus