Large SMTP Activity logs due to hackers
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Large SMTP Activity logs due to hackers
I've been receiving large SMTP Activity logs on MailEnable. The size of the logs is nearly 1MB each day. A couple of days ago one file was 10MB. A lot of the IPs in the log are the same. They're not sending emails from the mail server, although it looks like they're trying to find the mail server's SMTP password. An example of the log is below. Is there any way to prevent this?
02/23/16 00:02:00 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 EHLO EHLO 87.74.68.65 250-fk-wholesale.com [195.22.126.15], this server offers 4 extensions 132 18
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 sales
02/23/16 00:02:01 SMTP-IN 91ED78B945B74603BE9B674285D565EE.MAI 904 195.22.126.15 AUTH MXEydzNlNHI1dA== 504 Invalid Username or Password 34 18 sales
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 220 mail.fk-wholesale.com ESMTP MailEnable Service, Version: 9.00-- ready at 02/23/16 00:02:32 0 0
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 EHLO EHLO User 250-fk-wholesale.com [195.22.126.232], this server offers 4 extensions 133 11
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 room
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 AUTH cGFzc3dvcmQxMjM= 504 Invalid Username or Password 34 18 room
02/23/16 00:02:32 SMTP-IN FDDE1532FFC94B4EB94850E3F96A29E5.MAI 680 195.22.126.232 QUIT QUIT 221 Service closing transmission channel 42 6 room
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Large SMTP Activity logs due to hackers
Hi,
Looks to be spammers performing dictionary attacks and trying to find a mailbox with a simple password. Not much you can do to stop them within MailEnable standard edition. Just ensure you have set complex passwords for your users. You can block the IPs from connecting by adding them to the SMTP "Access Control" list under the "Granted all - except those in the list" option. Or you can block the IPs within your router's firewall.
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Re: Large SMTP Activity logs due to hackers
I'm only sending emails using 1 mail server with 1 static IP. Would adding my static IP address in the SMTP "Access Control" list under the "Denied all - except those in the list" work?
What about decreasing the value in the "Drop a connection when the failed number of commands or recipients reaches"?
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Large SMTP Activity logs due to hackers
Hi,
Do you mean you only receive emails from one remote mail server? The SMTP inbound access control is only for inbound connections. If you set it to deny all then your clients will not be able to connect and send emails either, unless you add the client machines' IP addresses to the list also. Yes, you can lower the connection dropping option. If you have complex passwords and the spammers are not able to authenticate and be granted relay rights then the connections will slowly die off. You really need to filter the connections at the firewall level (or a spam gateway server) before they hit the MailEnable server.
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Re: Large SMTP Activity logs due to hackers
Yes, I only receive emails from one remote mail server. What's a good value to use for "Drop a connection when the failed number of commands or recipients reaches"?
I wrote a script that reads the SMTP log files and then writes the IPs with the error "504 Invalid Username or Password" to the access control SMTP-DENY.tab file in the MailEnable folder. Should I use the IP address wildcard 1.2.3.* or 1.2.*.*?
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Large SMTP Activity logs due to hackers
Hi,
Drop a connection when the failed number of commands or recipients reaches: Most email clients will recognize error codes returned by the mail server for an invalid recipient or similar. But some spammers and bulk email utilities may not recognize these errors and keep trying to send. By enabling this option, MailEnable will drop the client connection and add the IP address to the SMTP deny list. It is recommended not to use a low value (5 for example), as some valid web scripts will not check the return codes either – but these will only produce a small number of failed commands.
Yes you can add IP ranges to the SMTP deny list.
Regards,
Ian Margarone
MailEnable Support
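A script of the kind described two posts up (log lines in, deny entries out), combined with the threshold and IP-range advice in the reply above. This is an added example written for this thread, not the poster's own script and not anything MailEnable ships; it assumes SMTP-DENY.tab takes one address or one a.b.c.* pattern per line, parses the SMTP-IN activity format quoted at the top of the thread, and works from a constructed sample of such lines.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample in the SMTP-IN activity format quoted in the thread
# (session ids shortened); the 195.22.126.x addresses come from the thread itself.
SAMPLE_LOG = """\
02/23/16 00:02:01 SMTP-IN 91ED78B9.MAI 904 195.22.126.15 AUTH MXEydzNlNHI1dA== 504 Invalid Username or Password 34 18 sales
02/23/16 00:02:32 SMTP-IN FDDE1532.MAI 680 195.22.126.232 AUTH cGFzc3dvcmQxMjM= 504 Invalid Username or Password 34 18 room
02/23/16 00:02:32 SMTP-IN FDDE1532.MAI 680 195.22.126.232 QUIT QUIT 221 Service closing transmission channel 42 6 room
02/23/16 00:03:10 SMTP-IN 0A0A0A0A.MAI 700 195.22.126.15 AUTH {blank} 504 Invalid Username or Password 34 18 sales
02/23/16 00:04:10 SMTP-IN 0B0B0B0B.MAI 701 195.22.126.15 AUTH {blank} 504 Invalid Username or Password 34 18 info
02/23/16 00:05:00 SMTP-IN 0C0C0C0C.MAI 702 203.0.113.9 AUTH {blank} 504 Invalid Username or Password 34 18 bob
"""
AUTH_FAIL = "504 Invalid Username or Password"

def auth_failures(lines):
    """Count AUTH failures per client IPv4 address from SMTP-IN activity lines."""
    counts = Counter()
    for line in lines:
        parts = line.split(" ", 6)  # date time SMTP-IN session pid ip rest
        if len(parts) < 7 or parts[2] != "SMTP-IN" or AUTH_FAIL not in parts[6]:
            continue
        try:
            if ip_address(parts[5]).version != 4:
                continue  # the a.b.c.* wildcard below is IPv4-only
        except ValueError:
            continue
        counts[parts[5]] += 1
    return counts

def deny_entries(counts, threshold=3, min_hosts=2, allow=()):
    """Build SMTP-DENY.tab style entries (assumed: one address or a.b.c.* per line).
    A host is denied once it reaches `threshold` failures. A /24 wildcard replaces
    its hosts only when `min_hosts` distinct hosts in that /24 are failing and none
    of your own addresses (`allow`, e.g. the static IP of your one legitimate peer)
    live there, so a single noisy neighbour never blocks a whole range."""
    allow_24 = {a.rsplit(".", 1)[0] for a in allow}
    by_24 = defaultdict(dict)
    for ip, n in counts.items():
        if ip not in allow:
            by_24[ip.rsplit(".", 1)[0]][ip] = n
    entries = []
    for prefix, hosts in sorted(by_24.items()):
        if prefix not in allow_24 and len(hosts) >= min_hosts and sum(hosts.values()) >= threshold:
            entries.append(prefix + ".*")
        else:
            entries.extend(sorted(ip for ip, n in hosts.items() if n >= threshold))
    return entries
```

Feed `auth_failures()` the lines of a real SMTP activity file and review the entries before appending them to SMTP-DENY.tab; a 1.2.*.* (/16) block is deliberately never generated, since that is the case where genuine senders get caught.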
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Re: Large SMTP Activity logs due to hackers
Is there a chance I could blacklist genuine IP addresses when using, for example, the wildcard 1.2.*.*?
Re: Large SMTP Activity logs due to hackers
I would consider blocking entire ranges on your firewall, e.g. 195.22.*.*, until they go away.
Chances are you aren't going to get mail from there
Scott
-
- Posts: 4
- Joined: Mon Jul 04, 2016 8:13 am
Re: Large SMTP Activity logs due to hackers
Looks to be spammers performing dictionary attacks and trying to find a mailbox with a simple password. Not much you can do to stop them within MailEnable standard edition. Just ensure you have set complex passwords for your users. You can block the IP's from connecting by adding them to the SMTP "Access Control" list under the "Granted all - except those in the list" option. Or you can block the IP's within your routers firewall
Re: Large SMTP Activity logs due to hackers
millahjovich wrote:Looks to be spammers performing dictionary attacks and trying to find a mailbox with a simple password. Not much you can do to stop them within MailEnable standard edition. Just ensure you have set complex passwords for your users. You can block the IP's from connecting by adding them to the SMTP "Access Control" list under the "Granted all - except those in the list" option. Or you can block the IP's within your routers firewall
I created this software.
http://www.filedropper.com/newfirewall_4
You can unzip and install in your server.
Forum Post: http://forum.mailenable.com/viewtopic.p ... ck#p109695