Large SMTP Activity logs due to hackers

Discussion regarding the Standard version.
frasersales-ltd
Posts: 25
Joined: Fri Jul 08, 2011 5:48 pm

Large SMTP Activity logs due to hackers

Post by frasersales-ltd »

I've been receiving large SMTP Activity logs on MailEnable. The size of the logs is nearly 1MB each day. A couple of days ago one file was 10MB. A lot of IPs in the log are the same. They're not sending emails from the mail server, although it looks like they're trying to find the mail server's SMTP password. An example of the log is below. Is there any way to prevent this?


02/23/16 00:02:00 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 EHLO EHLO 87.74.68.65 250-fk-wholesale.com [195.22.126.15], this server offers 4 extensions 132 18
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 sales
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH MXEydzNlNHI1dA== 504 Invalid Username or Password 34 18 sales


02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 220 mail.fk-wholesale.com ESMTP MailEnable Service, Version: 9.00-- ready at 02/23/16 00:02:32 0 0
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 EHLO EHLO User 250-fk-wholesale.com [195.22.126.232], this server offers 4 extensions 133 11
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 room
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH cGFzc3dvcmQxMjM= 504 Invalid Username or Password 34 18 room
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 QUIT QUIT 221 Service closing transmission channel 42 6 room

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Large SMTP Activity logs due to hackers

Post by MailEnable-Ian »

Hi,

Looks to be spammers performing dictionary attacks and trying to find a mailbox with a simple password. Not much you can do to stop them within MailEnable Standard edition. Just ensure you have set complex passwords for your users. You can block the IPs from connecting by adding them to the SMTP "Access Control" list under the "Granted all - except those in the list" option. Or you can block the IPs within your router's firewall.
Regards,

Ian Margarone
MailEnable Support

frasersales-ltd
Posts: 25
Joined: Fri Jul 08, 2011 5:48 pm

Re: Large SMTP Activity logs due to hackers

Post by frasersales-ltd »

I'm only sending emails using 1 mail server with 1 static IP. Would adding my static IP address in the SMTP "Access Control" list under the "Denied all - except those in the list" work?

What about decreasing the value in the "Drop a connection when the failed number of commands or recipients reaches"?

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Large SMTP Activity logs due to hackers

Post by MailEnable-Ian »

Hi,

Do you mean you only receive emails from one remote mail server? The SMTP inbound access control is only for inbound connections. If you set it to deny all, then your clients will not be able to connect and send emails either, unless you add the client machines' IP addresses to the list as well. Yes, you can lower the connection dropping option. If you have complex passwords and the spammers are not able to authenticate and be granted relay rights, then the connections will slowly die off. You really need to filter the connections at the firewall level (or a spam gateway server) before they hit the MailEnable server.
Regards,

Ian Margarone
MailEnable Support

frasersales-ltd
Posts: 25
Joined: Fri Jul 08, 2011 5:48 pm

Re: Large SMTP Activity logs due to hackers

Post by frasersales-ltd »

Yes, I only receive emails from one remote mail server. What's a good value to use for "Drop a connection when the failed number of commands or recipients reaches"?

I wrote a script that reads the SMTP log files and then writes the IPs with the error "504 Invalid Username or Password" to the access control SMTP-DENY.tab file in the MailEnable folder. Should I use the IP address wildcard 1.2.3.* or 1.2.*.*?
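
The kind of log scan described in this post, written as an added example (not the poster's script and not MailEnable code). It parses lines in the SMTP activity log format quoted at the top of the thread, counts "504 Invalid Username or Password" responses per source IP, and only proposes deny entries once an IP crosses a threshold, so a legitimate client that mistypes a password once is not blacklisted; it also rolls up /24s where several different hosts failed, which is the narrower 1.2.3.* form asked about. The sample log lines, the session IDs, the 203.0.113.7 client, the thresholds and the exact SMTP-DENY.tab layout are assumptions (the tab file format is not shown on the page, so the example returns entries rather than writing the file).

```python
from collections import Counter, defaultdict

AUTH_FAIL = "504 Invalid Username or Password"

# Constructed sample in the MailEnable SMTP-IN activity log layout quoted in the thread:
# date time SMTP-IN session-file port source-ip command ... response ...
SAMPLE_LOG = """\
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH MXEydzNlNHI1dA== 504 Invalid Username or Password 34 18 sales
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH cGFzc3dvcmQxMjM= 504 Invalid Username or Password 34 18 room
02/23/16 00:03:05 SMTP-IN S1.MAI 905 195.22.126.15 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 info
02/23/16 00:03:05 SMTP-IN S1.MAI 905 195.22.126.15 AUTH QUJDRA== 504 Invalid Username or Password 34 18 info
02/23/16 00:03:40 SMTP-IN S2.MAI 906 195.22.126.15 AUTH QUJDRA== 504 Invalid Username or Password 34 18 admin
02/23/16 00:04:12 SMTP-IN S3.MAI 907 195.22.126.232 AUTH QUJDRA== 504 Invalid Username or Password 34 18 admin
02/23/16 00:05:00 SMTP-IN S4.MAI 908 203.0.113.7 AUTH QUJDRA== 504 Invalid Username or Password 34 18 sales
"""


def failed_auth_ips(lines):
    """Count 504 authentication failures per source IP (6th whitespace field)."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[2] != "SMTP-IN":
            continue  # skip blank lines and anything that is not an inbound SMTP record
        if AUTH_FAIL in line:
            counts[fields[5]] += 1
    return counts


def deny_candidates(counts, per_ip_threshold=5, per_net_threshold=3):
    """Return (single IPs, '1.2.3.*' wildcards) worth adding to the deny list.

    An IP is listed only after per_ip_threshold failures; a /24 is rolled up to a
    wildcard only when at least per_net_threshold distinct hosts in it failed,
    which is the pattern in the thread (195.22.126.15 and 195.22.126.232).
    """
    ips = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    hosts_by_net = defaultdict(set)
    for ip in counts:
        hosts_by_net[ip.rsplit(".", 1)[0]].add(ip)
    nets = sorted(f"{net}.*" for net, hosts in hosts_by_net.items()
                  if len(hosts) >= per_net_threshold)
    return ips, nets


if __name__ == "__main__":
    tally = failed_auth_ips(SAMPLE_LOG.splitlines())
    print(deny_candidates(tally, per_ip_threshold=3, per_net_threshold=2))
```

To run it against the real logs, replace SAMPLE_LOG with the lines read from the daily SMTP activity files and review the candidate list before it goes anywhere near the deny list.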

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Large SMTP Activity logs due to hackers

Post by MailEnable-Ian »

Hi,

Drop a connection when the failed number of commands or recipients reaches: Most email clients will recognize error codes returned by the mail server for an invalid recipient or similar. But some spammers and bulk email utilities may not recognize these errors and keep trying to send. By enabling this option, MailEnable will drop the client connection and add the IP address to the SMTP deny list. It is recommended not to use a low value (5 for example), as some valid web scripts will not check the return codes either – but these will only produce a small number of failed commands.

Yes you can add IP ranges to the SMTP deny list.
Regards,

Ian Margarone
MailEnable Support

frasersales-ltd
Posts: 25
Joined: Fri Jul 08, 2011 5:48 pm

Re: Large SMTP Activity logs due to hackers

Post by frasersales-ltd »

Is there a chance I could blacklist genuine IP addresses when using, for example, the wildcard 1.2.*.*?

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Large SMTP Activity logs due to hackers

Post by aahq »

I would consider blocking entire ranges on your firewall, e.g. 195.22.*.*, until they go away.

Chances are you aren't going to get mail from there :)

Scott

millahjovich
Posts: 4
Joined: Mon Jul 04, 2016 8:13 am

Re: Large SMTP Activity logs due to hackers

Post by millahjovich »

Looks to be spammers performing dictionary attacks and trying to find a mailbox with a simple password. Not much you can do to stop them within MailEnable Standard edition. Just ensure you have set complex passwords for your users. You can block the IPs from connecting by adding them to the SMTP "Access Control" list under the "Granted all - except those in the list" option. Or you can block the IPs within your router's firewall.

virmix
Posts: 66
Joined: Tue Nov 10, 2015 12:12 am

Re: Large SMTP Activity logs due to hackers

Post by virmix »

millahjovich wrote: Looks to be spammers performing dictionary attacks and trying to find a mailbox with a simple password. Not much you can do to stop them within MailEnable Standard edition. Just ensure you have set complex passwords for your users. You can block the IPs from connecting by adding them to the SMTP "Access Control" list under the "Granted all - except those in the list" option. Or you can block the IPs within your router's firewall.

I created this software.
http://www.filedropper.com/newfirewall_4
You can unzip and install it on your server.

Forum Post: http://forum.mailenable.com/viewtopic.p ... ck#p109695
