Back to Community Threads
block country
Problem reported by Sabatino - 2/5/2026 at 1:39 AM
Submitted
I implemented block auth country for all Asian countries because, according to statistics, they're just fake login attempts.

I expected to find a reference in the SMTP log that the session was blocked because of a block country, not the classic "Authentication failed - login failed."

This is to keep the statistics clean.

I don't even understand how SM works.

Let's give an example.

A
Country code: IN arrives on SMTP.
Then an Auth Login with
Authenticating as user@domain.tld

where in domain.tld the country code: IN is blocked.

I would expect the SMTP log to indicate that the block occurred due to the country code block (I don't expect a detailed resp to the client; in fact, it's better if they don't know, but it does appear in the log).

Another thing I'm wondering:
But do they still compare the password?
And if it's correct? What does it write in the log?
I'd expect to understand this too.
That is, the username and password are correct, but you can't authenticate because you're blocked by a country code block.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
Sabatino Replied
2/5/2026 at 1:43 AM
The idea is:
If I receive a correct authentication from a blocked country, this leads me to investigate.
If I then receive a correct authentication from a user from multiple blocked countries, it's definitely a compromise.

This is important information for analysis purposes.

I know SM reports don't have this level of detail, but I'm developing a custom analysis program, and not having this information is frustrating.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
Sabatino Replied
2/6/2026 at 4:33 AM
I tested it.
The username and password were correct, but from a country in block country.

On the SMTP log, I always saw only 
Authentication failed - login failed

This prevents me from distinguishing and performing an in-depth analysis.

The fight against abuse and credential theft is important.

I hope SM can introduce this additional detail in the log.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
J
J. LaDow Replied
2/6/2026 at 6:23 AM
 
00:04:22.718 [110.25.110.136] SMTP Attempting to login user: [redacted]@[redacted]
00:04:22.718 [110.25.110.136] SMTP User [redacted]@[redacted] with IP 110.25.110.136 attempting login from country Taiwan (TW) not on the allowed country list.
That's what we get in our Administrative log file (detailed version) whenever a blocked country login is detected. We get one whether or not the account exists, and whether or not the password is accurate.

The only way to correlate it with the service log that it came from is via timestamp though, and the service logs only show "normal access denied" communications.
MailEnable survivor / convert --
Sabatino Replied
2/6/2026 at 8:02 AM
The problem isn't connecting them; that would be the least of the problems.
I had already asked SM via ticket and they replied that they don't record all failed attempts in the administrative log, so it's an incomplete log.

Hello,

The administrative log does not record every SMTP auth attempt - this is by design, so as to not pollute the admin logs. The SMTP log is the correct place to look for SMTP auth attempt records.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
J
J. LaDow Replied
2/6/2026 at 8:04 AM
Understood -- knowing that leads us to re-investigate how we're handling as well.

Seems that if they're putting "some" entries in a log, they should either put them all, to make the log consistent (sort of the whole purpose of logging) or none, based on the level of logging requested.

A failed-authentications log would be optimal, that would handle ALL the different services. That would achieve both the need to have the data, as well as "not polluting the other log files" --
MailEnable survivor / convert --
Sabatino Replied
2/6/2026 at 8:15 AM
Yes, a new registry could be the solution.
Modifying the current registry and adding information could create apps that feed off those logs.

I don't know, SM will surely know more.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Key Feature and Version Milestones in SmarterMailSmarterMail
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Configure an Alternative Linux Web Server for SmarterMailSmarterMail > Server Configuration and Management
SmarterMail HIPAA/FINRA/SOX ComplianceGeneral Topics