-
- Posts: 4
- Joined: Sat Feb 27, 2021 3:55 am
IP addresses don't get added correctly to denied list
In the "Connection Dropping" section under the "Security" tab, I have set it to "Drop a connection when the failed number of commands or recipients reaches" 3. In the log, I see that there have been repeated login attempts with different username choices from some IP addresses. All of those login attempts thankfully fail with "535+Invalid+Username+or+Password" error. But, I would have expected such IP addresses to get added to the "Denied" list. But, when I look at the SMTP-DENY.TAB file, I don't see those IP addresses getting added to the list.
Interestingly, some IP addresses occasionally do get added to that list. In a day, I saw 3 IP addresses having been added. But, looking at the log about failed login attempts, many more IP addresses should have been added. What could be the reason?
Thanks!
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: IP addresses don't get added correctly to denied list
Hi,
Have you verified that the same IP address failed to authenticate 3 times in the SMTP log files?
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 4
- Joined: Sat Feb 27, 2021 3:55 am
Re: IP addresses don't get added correctly to denied list
Yes, I have.
Looking at the log for the last one hour alone, I see several spoofing attempts from some evil IP address (45.142.120.39) trying with different usernames such as opennms@ourDomain.com, shevchenko@ourDomain.com, wangjie@ourDomain.com, 1234@ourDomain.com, vika@ourDomain.com, wang@ourDomain.com, lxd@ourDomain.com, lucy@ourDomain.com, bind@ourDomain.com, cam@ourDomain.com, l1@ourDomain.com, ptest@ourDomain.com, etc.
Clearly, there have been many more failed attempts than the set limit of 3 from that IP address in the last one hour alone. But, that IP address has not been added to SMTP-DENY.TAB.
I would be happy to send the one hour log file to you if you want to take a look.
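One way to run the check discussed above (has the same IP failed authentication at least 3 times, and is it in SMTP-DENY.TAB), as an added example that is not part of the original thread and is not MailEnable tooling. The log line layout, the deny-file layout, and all sample data are constructed assumptions; only the 535 response text, the file name, and the limit of 3 come from the posts.

```python
import re
from collections import Counter

THRESHOLD = 3  # failure limit quoted in the original post
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The 535 reply, whether the log joins its words with '+' or with spaces.
AUTH_FAIL = re.compile(r"535[ +]Invalid[ +]Username[ +]or[ +]Password", re.I)

def failed_auth_counts(log_lines):
    """Count 535 authentication failures per client IP."""
    counts = Counter()
    for line in log_lines:
        if AUTH_FAIL.search(line):
            m = IPV4.search(line)  # assumption: first IPv4 on the line is the client
            if m:
                counts[m.group()] += 1
    return counts

def denied_ips(deny_text):
    """All IPv4 addresses in the deny file; no column layout is assumed."""
    return set(IPV4.findall(deny_text))

def missing_from_deny_list(log_lines, deny_text, threshold=THRESHOLD):
    """IPs at or over the threshold that are absent from the deny list."""
    denied = denied_ips(deny_text)
    return {ip: n for ip, n in failed_auth_counts(log_lines).items()
            if n >= threshold and ip not in denied}

# Constructed sample data (layout assumed, documentation-range addresses).
SAMPLE_LOG = """\
2021-03-01 10:00:01 SMTP-IN 203.0.113.7 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:00:09 SMTP-IN 203.0.113.7 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:01:30 SMTP-IN 198.51.100.20 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:01:41 SMTP-IN 198.51.100.20 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:01:55 SMTP-IN 198.51.100.20 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:02:10 SMTP-IN 192.0.2.55 AUTH 535 Invalid Username or Password
2021-03-01 10:02:30 SMTP-IN 192.0.2.55 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:02:44 SMTP-IN 192.0.2.55 AUTH 235+Authenticated
2021-03-01 10:03:02 SMTP-IN 203.0.113.7 AUTH 535+Invalid+Username+or+Password
2021-03-01 10:03:15 SMTP-IN 203.0.113.7 AUTH 535+Invalid+Username+or+Password
""".splitlines()
SAMPLE_DENY = "198.51.100.20\tSYSTEM\n"

if __name__ == "__main__":
    for ip, n in sorted(missing_from_deny_list(SAMPLE_LOG, SAMPLE_DENY).items()):
        print(f"{ip}: {n} failed logins, not in deny list")
```

On real files, pass the log's lines and the text of SMTP-DENY.TAB in place of the samples, and adjust the client-IP extraction if the server's own address appears earlier on each line.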
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: IP addresses don't get added correctly to denied list
Hi,
Ok, send the log files to response@mailenable.com
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 4
- Joined: Sat Feb 27, 2021 3:55 am
Re: IP addresses don't get added correctly to denied list
I emailed the log file to that email address.
Thanks!
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: IP addresses don't get added correctly to denied list
Hi,
Ok, thanks but we need the SMTP activity and debug log files.
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 4
- Joined: Sat Feb 27, 2021 3:55 am
Re: IP addresses don't get added correctly to denied list
Emailed those log files as well.
Thanks.
Re: IP addresses don't get added correctly to denied list
Was there ever a response to this? We're seeing the same problem, with hundreds of brute force attempts from the same IP addresses. Server is responding 535 Invalid Username or Password each time, but IP address isn't getting blocked.
Thanks.
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: IP addresses don't get added correctly to denied list
Hi,
Do you have the "Abuse detection and prevention" option enabled?
https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html
Regards,
Ian Margarone
MailEnable Support