IP addresses don't get added correctly to denied list

Discussion regarding the Standard version.
johnaquilio
Posts: 4
Joined: Sat Feb 27, 2021 3:55 am

IP addresses don't get added correctly to denied list

Post by johnaquilio »

In the "Connection Dropping" section under the "Security" tab, I have set it to "Drop a connection when the failed number of commands or recipients reaches" 3. In the log, I see that there have been repeated login attempts with different username choices from some IP addresses. All of those login attempts thankfully fail with "535+Invalid+Username+or+Password" error. But, I would have expected such IP addresses to get added to the "Denied" list. But, when I look at the SMTP-DENY.TAB file, I don't see those IP addresses getting added to the list.

Interestingly, some IP addresses occasionally do get added to that list. In a day, I saw 3 IP addresses having been added. But, looking at the log about failed login attempts, many more IP addresses should have been added. What could be the reason?

Thanks!

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: IP addresses don't get added correctly to denied list

Post by MailEnable-Ian »

Hi,

Have you verified that the same IP address failed to authenticate 3 times in the SMTP log files?
Regards,

Ian Margarone
MailEnable Support

johnaquilio
Posts: 4
Joined: Sat Feb 27, 2021 3:55 am

Re: IP addresses don't get added correctly to denied list

Post by johnaquilio »

Yes, I have.
Looking at the log for the last one hour alone, I see several spoofing attempts from some evil IP address (45.142.120.39) trying with different usernames such as opennms@ourDomain.com, shevchenko@ourDomain.com, wangjie@ourDomain.com, 1234@ourDomain.com, vika@ourDomain.com, wang@ourDomain.com, lxd@ourDomain.com, lucy@ourDomain.com, bind@ourDomain.com, cam@ourDomain.com, l1@ourDomain.com, ptest@ourDomain.com, etc.

Clearly, there have been many more failed attempts than the set limit of 3 from that IP address in the last one hour alone. But, that IP address has not been added to SMTP-DENY.TAB.

I would be happy to send the one hour log file to you if you want to take a look.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: IP addresses don't get added correctly to denied list

Post by MailEnable-Ian »

Hi,

OK, send the log files to response@mailenable.com
Regards,

Ian Margarone
MailEnable Support

johnaquilio
Posts: 4
Joined: Sat Feb 27, 2021 3:55 am

Re: IP addresses don't get added correctly to denied list

Post by johnaquilio »

I emailed the log file to that email address.
Thanks!

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: IP addresses don't get added correctly to denied list

Post by MailEnable-Ian »

Hi,

Ok, thanks but we need the SMTP activity and debug log files.
Regards,

Ian Margarone
MailEnable Support

johnaquilio
Posts: 4
Joined: Sat Feb 27, 2021 3:55 am

Re: IP addresses don't get added correctly to denied list

Post by johnaquilio »

Emailed those log files as well.
Thanks.

itmarkb
Posts: 1
Joined: Tue Nov 02, 2021 11:57 am

Re: IP addresses don't get added correctly to denied list

Post by itmarkb »

Was there ever a response to this? We're seeing the same problem, with hundreds of brute force attempts from the same IP addresses. Server is responding 535 Invalid Username or Password each time, but IP address isn't getting blocked.

Thanks.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: IP addresses don't get added correctly to denied list

Post by MailEnable-Ian »

Hi,

Do you have the "Abuse detection and prevention" option enabled?

https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html
Regards,

Ian Margarone
MailEnable Support
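
The check asked for earlier in this thread (did one address really fail authentication at least 3 times, and is it absent from SMTP-DENY.TAB?) can be scripted. This is an added example, not part of the thread and not MailEnable code. The log column layout, the deny-file layout, the function names and every sample line are constructed assumptions to adapt to the real files.

```python
import re
from collections import Counter

# Response text as it appears in the log quoted in the thread.
FAIL_MARKER = "535+Invalid+Username+or+Password"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample. Assumed columns: date, time, client IP, command, response.
SAMPLE_LOG = """\
#Fields: date time c-ip command response
2021-02-27 03:10:01 203.0.113.7 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:10:04 203.0.113.7 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:10:09 203.0.113.7 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:12:30 198.51.100.23 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:12:31 198.51.100.23 EHLO 250+OK
2021-02-27 03:14:02 198.51.100.23 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:20:45 198.51.100.23 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:31:17 198.51.100.23 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:40:00 192.0.2.50 AUTH 535+Invalid+Username+or+Password
2021-02-27 03:41:00 192.0.2.50 AUTH 535+Invalid+Username+or+Password
truncated line 535+Invalid+Username+or+Password
"""
# Constructed deny list. Assumed: each entry contains the IP somewhere on its line.
SAMPLE_DENY = "203.0.113.7\tconstructed entry\n"

def failed_auth_counts(log_text, ip_column=2):
    """Count failed-login responses per client IP; skip headers and bad lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("#") or FAIL_MARKER not in line:
            continue
        fields = line.split()
        if len(fields) > ip_column and IPV4.fullmatch(fields[ip_column]):
            counts[fields[ip_column]] += 1
    return counts

def denied_ips(deny_text):
    """Collect every IPv4 address that appears in the deny file."""
    return set(IPV4.findall(deny_text))

def missing_from_deny(log_text, deny_text, threshold=3, ip_column=2):
    """IPs that reached the failure threshold but are not in the deny list."""
    denied = denied_ips(deny_text)
    counts = failed_auth_counts(log_text, ip_column)
    return sorted((ip, n) for ip, n in counts.items()
                  if n >= threshold and ip not in denied)

if __name__ == "__main__":
    for ip, n in missing_from_deny(SAMPLE_LOG, SAMPLE_DENY):
        print(f"{ip}: {n} failed logins, not in deny list")
```

The script counts failures per IP across the whole log, so addresses it reports are candidates for manual review or a firewall rule, whatever rule the server itself applies when deciding to add an entry.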
