Possible security breach on AUTH method

Raise/discuss any potential issues with MailEnable for consideration in project issue register.
Vinemoler
Posts: 2
Joined: Sun Jul 06, 2014 6:23 pm

Possible security breach on AUTH method

Post by Vinemoler »

Hi,

I am using MailEnable Enterprise Premium 7.57 on Windows 2008 x64.

For weeks I have been having trouble that I am not able to resolve. I feel a possible bug in MailEnable might prevent me from performing further analysis.
Several times a day in my SMTP activity log I see this kind of activity:
**********
07/06/14 19:51:10 SMTP-IN DF6378EB441D478BAB046E697467FA4B.MAI 1072 MyIPAddress EHLO EHLO MyPC IPAddressOfMyServer.rev.poneytelecom.eu [MyIPAddress], this server offers 6 extensions 182 17
07/06/14 19:51:10 SMTP-IN DF6378EB441D478BAB046E697467FA4B.MAI 1072 MyIPAddress AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
07/06/14 19:51:10 SMTP-IN DF6378EB441D478BAB046E697467FA4B.MAI 1072 MyIPAddress AUTH {blank} 334 UGFzc3dvcmQ6 18 26 my@emailadress
07/06/14 19:51:10 SMTP-IN DF6378EB441D478BAB046E697467FA4B.MAI 1072 MyIPAddress AUTH YmVsdWdh 504 Invalid Username or Password 34 10 my@emailaddress
******************
The frequency is from hundreds to a thousand times a day, using many different email addresses (existing or not on the server).

The impact here is that the user is being blocked by MailEnable after several login attempts.

My issue here is that I am not able to determine the real IP address of the spammer/hacker, because in the example I sent, this is the IP and the name of my own computer.

I have several similar examples with other computer names/IP addresses + email addresses used by legitimate users, and for most of these computers I am certain they have no virus and are not trying to attack the server.

In this situation I was expecting to see the IP address of the spammer/hacker, or at least a wrong IP address/computer name, but no.

My question to you is: how can I figure out where the attack comes from so as to block it? Is there a way to include additional information in the log, or should I understand that the attacker has found a way to completely hide himself behind a real user at the moment they have real activity?

Thank you
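
A way to triage activity like the lines quoted above, added here as an example and not code from the original post or from MailEnable: the script below parses lines in the layout the post shows, decodes the AUTH LOGIN tokens (in the quoted lines `VXNlcm5hbWU6` is the base64 of `Username:` and `UGFzc3dvcmQ6` of `Password:`, so the client data on the following 504 line is the base64 of the password that was tried), and groups failures by the connecting IP as MailEnable logged it. It then separates one address repeating a single wrong password against a single account (a client holding a stale saved credential) from one address cycling many accounts and many passwords (a dictionary run). The field layout is an assumption inferred from the quoted lines, the sample log and the `_auth_exchange` helper are constructed here with documentation-range addresses, and only a SHA-256 fingerprint of each decoded password is kept so no cleartext guesses are copied out of the log.

```python
import base64
import binascii
import hashlib
import re
from collections import defaultdict

# Field layout inferred from the lines quoted in the post (assumption: every
# SMTP activity line follows it): date time direction message-file session-id
# client-ip command client-data reply-code reply-text bytes-out bytes-in
# [authenticated-account].
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<direction>SMTP-\w+) (?P<msgfile>\S+) "
    r"(?P<session>\S+) (?P<ip>\S+) (?P<cmd>\S+) (?P<rest>.*)$"
)
# Tail of an AUTH line. Non-greedy groups let the reply text contain spaces
# ("Invalid Username or Password") and let the client data be "AUTH LOGIN".
AUTH_RE = re.compile(
    r"^(?P<data>.+?) (?P<code>\d{3}) (?P<text>.*?) (?P<out>\d+) (?P<in>\d+)"
    r"(?: (?P<account>\S+))?$"
)


def decode_b64(token):
    """Decode one base64 token from the log; None if it is not valid base64
    (e.g. the '{blank}' placeholder or the literal 'AUTH LOGIN')."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_auth_results(log_text):
    """Yield one record per completed AUTH attempt: reply 235 is a success,
    504 a failure. The client data on that line is the password the client
    sent after the 'Password:' prompt, so only a fingerprint is retained."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "AUTH":
            continue
        a = AUTH_RE.match(m["rest"])
        if not a or a["code"] not in ("235", "504"):
            continue
        password = decode_b64(a["data"])
        fp = hashlib.sha256(password.encode()).hexdigest()[:12] if password is not None else None
        yield {
            "time": f"{m['date']} {m['time']}",
            "ip": m["ip"],
            "account": a["account"],
            "success": a["code"] == "235",
            "password_fp": fp,
        }


def summarize(log_text, min_failures=3):
    """Per connecting IP: failure count, targeted accounts, number of distinct
    password guesses and a verdict. One account and one unchanging wrong
    password means a client with a stale credential; several accounts or
    several guesses from the same address means a dictionary/brute-force run."""
    per_ip = defaultdict(lambda: {"failures": 0, "accounts": set(), "passwords": set()})
    for rec in parse_auth_results(log_text):
        if rec["success"]:
            continue
        s = per_ip[rec["ip"]]
        s["failures"] += 1
        if rec["account"]:
            s["accounts"].add(rec["account"])
        if rec["password_fp"]:
            s["passwords"].add(rec["password_fp"])
    report = {}
    for ip, s in per_ip.items():
        if s["failures"] < min_failures:
            verdict = "below-threshold"
        elif len(s["accounts"]) == 1 and len(s["passwords"]) == 1:
            verdict = "stale-credential"
        else:
            verdict = "brute-force"
        report[ip] = {
            "failures": s["failures"],
            "accounts": sorted(s["accounts"]),
            "distinct_passwords": len(s["passwords"]),
            "verdict": verdict,
        }
    return report


def _auth_exchange(ts, ip, account, password):
    """Constructed three-line AUTH LOGIN failure in the posted layout (sample
    data, not a real MailEnable log). The 334 tokens are the base64 of
    'Username:' and 'Password:' exactly as they appear in the post."""
    pw_b64 = base64.b64encode(password.encode()).decode()
    head = f"07/06/14 {ts} SMTP-IN 0123456789ABCDEF0123456789ABCDEF.MAI 1072 {ip} AUTH"
    return [
        f"{head} AUTH LOGIN 334 VXNlcm5hbWU6 18 12",
        f"{head} {{blank}} 334 UGFzc3dvcmQ6 18 26 {account}",
        f"{head} {pw_b64} 504 Invalid Username or Password 34 10 {account}",
    ]


# Constructed sample log: an EHLO line (ignored), a workstation retrying one
# account with the same wrong password, a remote host cycling accounts
# (existing or not) and passwords, and a single typo from a third host.
SAMPLE_LOG = "\n".join(
    ["07/06/14 19:51:10 SMTP-IN 0123456789ABCDEF0123456789ABCDEF.MAI 1072 192.0.2.10 "
     "EHLO EHLO MyPC host.example [192.0.2.10], this server offers 6 extensions 182 17"]
    + _auth_exchange("19:51:10", "192.0.2.10", "alice@example.com", "beluga")
    + _auth_exchange("19:52:10", "192.0.2.10", "alice@example.com", "beluga")
    + _auth_exchange("19:53:10", "192.0.2.10", "alice@example.com", "beluga")
    + _auth_exchange("20:01:00", "198.51.100.7", "bob@example.com", "123456")
    + _auth_exchange("20:01:01", "198.51.100.7", "bob@example.com", "password")
    + _auth_exchange("20:01:02", "198.51.100.7", "nobody@example.com", "letmein")
    + _auth_exchange("20:01:03", "198.51.100.7", "carol@example.com", "qwerty")
    + _auth_exchange("20:05:00", "203.0.113.5", "dave@example.com", "Hunter2")
)

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} failures={s['failures']} accounts={len(s['accounts'])} "
              f"distinct_passwords={s['distinct_passwords']} -> {s['verdict']}")
```

Run it against a real activity log by passing the file contents to `summarize()`; a "stale-credential" verdict for an address belonging to one of your own workstations points at a mail client on that machine retrying an old saved password, which matches the symptom of legitimate users' machines showing up in the log and then being locked out. One caveat that follows from the quoted lines themselves: the username is logged as `{blank}` but the password token after the `Password:` prompt is logged as sent, so the SMTP activity logs contain base64 of every password attempt, including the correct ones, and should be readable only by administrators.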

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Possible security breach on AUTH method

Post by MailEnable-Ian »

Hi,

Do you have a firewall sitting in front of the MailEnable server? Have you inspected the logs on the firewall/router to see if there is suspicious activity? The problem does sound like the client machines may possibly be infected. There are no bugs within MailEnable that would cause IP spoofing. The SMTP service simply logs the connecting IP address and has no ability to mask/spoof the connecting IP address.
Regards,

Ian Margarone
MailEnable Support

Vinemoler
Posts: 2
Joined: Sun Jul 06, 2014 6:23 pm

Re: Possible security breach on AUTH method

Post by Vinemoler »

Thank you Ian,

I have a firewall configured and AV detected no virus.

Thank you for your answer.

Would anyone have a good idea to help me troubleshoot this?

Thanks a lot

Giulio
Posts: 2
Joined: Fri Nov 27, 2015 9:17 pm

Re: Possible security breach on AUTH method

Post by Giulio »

I have the same security issue... Have you found a solution?
