Fighting Hackers

Discussion forum for Enterprise Edition.
PMad
Posts: 54
Joined: Thu Oct 18, 2012 6:19 pm

Fighting Hackers

Post by PMad » Wed Nov 30, 2016 4:23 pm

Hello,

I know these issues have come up a million times but i've yet to find an answer in any of those threads or anywhere else. Before i go any further, here's a snippet of the SMTP activity log that is in question (i've changed my domain to local.server in the log, i've also taken out the long name for what i believe is the filename and left the .MAI to help reduce clutter and have added spaces in between each new connection to make it more readable):

11/30/16 01:20:03 SMTP-IN .MAI 1812 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:03 0 0
11/30/16 01:20:04 SMTP-IN .MAI 1812 72.92.83.210 EHLO EHLO 192.168.0.90 250-local.server [72.92.83.210], this server offers 7 extensions 181 19
11/30/16 01:20:04 SMTP-IN .MAI 1812 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:05 SMTP-IN .MAI 1812 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 14 customers
11/30/16 01:20:05 SMTP-IN .MAI 1812 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 customers

11/30/16 01:20:06 SMTP-IN .MAI 1784 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:06 0 0
11/30/16 01:20:07 SMTP-IN .MAI 1784 72.92.83.210 EHLO EHLO 192.168.0.141 250-local.server [72.92.83.210], this server offers 7 extensions 181 20
11/30/16 01:20:07 SMTP-IN .MAI 1784 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:08 SMTP-IN .MAI 1784 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 22 administrator
11/30/16 01:20:08 SMTP-IN .MAI 1784 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 administrator

11/30/16 01:20:09 SMTP-IN .MAI 1564 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:09 0 0
11/30/16 01:20:09 SMTP-IN .MAI 1564 72.92.83.210 EHLO EHLO 192.168.0.63 250-local.server [72.92.83.210], this server offers 7 extensions 181 19
11/30/16 01:20:10 SMTP-IN .MAI 1564 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:11 SMTP-IN .MAI 1564 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 test
11/30/16 01:20:11 SMTP-IN .MAI 1564 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 test

11/30/16 01:20:12 SMTP-IN .MAI 1132 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:12 0 0
11/30/16 01:20:12 SMTP-IN .MAI 1132 72.92.83.210 EHLO EHLO 192.168.0.29 250-local.server [72.92.83.210], this server offers 7 extensions 181 19
11/30/16 01:20:13 SMTP-IN .MAI 1132 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:14 SMTP-IN .MAI 1132 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 18 postmaster
11/30/16 01:20:14 SMTP-IN .MAI 1132 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 postmaster

11/30/16 01:20:15 SMTP-IN .MAI 1708 72.92.83.210 220 local.server ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/30/16 01:20:14 0 0
11/30/16 01:20:15 SMTP-IN .MAI 1708 72.92.83.210 EHLO EHLO 192.168.0.216 250-local.server [72.92.83.210], this server offers 7 extensions 181 20
11/30/16 01:20:16 SMTP-IN .MAI 1708 72.92.83.210 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/30/16 01:20:17 SMTP-IN .MAI 1708 72.92.83.210 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 admin
11/30/16 01:20:17 SMTP-IN .MAI 1708 72.92.83.210 AUTH MTIz 535 Invalid Username or Password 34 6 admin
So in total there is over 500 connection attempts from this IP address, all within a pretty short period of time. They have tried to login with MANY different accounts. They are clearly using a brute force dictionary attack, one username at a time, one password at a time. After they go through their list of usernames and the first password they repeat the list with new passwords for each account. The end result is that they lock out all accounts they've tried that are valid, and thats it. One of those accounts happens to be mine. I'm locked out multiple times a day from my own server. Just about every time i want to check my mail, i have to go unlock my account first.

Here are the concerns;

1) In my SMTP settings, connection dropping is on and set to 4 failed attempts. Now the commands i see are valid but the setting also refers to recipients, should MailEnable add login users to this as well so that if an IP fails to login with X amount (in my case 4) of user accounts they are added to the denied IP list?

2) In the localhost settings under policies, "Enable Abuse Detection and Prevention" is turned on. The option specifies password dictionary attacks which is exactly whats happening, yet i have over 500 failed attempts on 100 accounts in just a few minutes from the same IP address and they are still connecting and trying more accounts later from the same IP, and the next day from the same IP. Is this feature broken? I have had this issue since MailEnable 6.

3) On the same screen as #2, i have enabled the setting to lock out a user for one hour after 4 failed login attempts. Is this setting by username or IP address? And is there a way to see a list of locked out users (whether actual accounts or not)? My assumption is that this goes by username and not IP because of the mass amounts of attempts i see.

For each issue above, is it possible to have options/features added to make these filters more flexible? I believe that spam and security are the two biggest issues that email servers have, and i'm feeling like MailEnable has been a bit inadequate on these types of options. It doesnt help either that these options are spread all over the place either, but it makes complete sense that they are located where they are at.

I currently have a list that i've been managing for years that has over 5000 IP addresses on it that i've manually added day after day, blocking the IP addresses of those spamming my server. I know this list is almost entirely useless, and likely every IP address on that list that is older than a few days should be removed, but i've been manually going through the logs and blocking the IP addresses of each person using dictionary attacks in the MMC snap in called "IP Security Policies on Local Computer" because there are no other options within MailEnable to stop these attackers. 98% of my logs are filled with these failed login attempts. Every few page down's i'll see a few lines for an email that has come in or a legitimate login or something but its page after page after page of failed login attempts. What can I do?

rfwilliams777
Posts: 1312
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Fighting Hackers

Post by rfwilliams777 » Fri Jan 13, 2017 10:03 pm

Does the actual abuse (the one with repeated attempts) seem to come from the same class C IP address? Does it appear to come from a specific geography? You can enable the Windows firewall to help with these attacks from these ideas.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: Fighting Hackers

Post by telecomputers » Wed Feb 01, 2017 8:53 pm

I read somewhere recently that you should NOT have BOTH Connection Dropping and Abuse Detection and Prevention on at the same time.

Perhaps someone from ME can confirm this?

When I read this I wondered why ME does not have a text warning next to both these options in the backend to alert people.
We had both turned on and were having problems - we turned off the Abuse Detection and Prevention and had no more issues. Sorry I do not recall the specific details of the problems we were having I just remember being advised not to have them both running.

I am going to put this into the suggestion area right now.
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity

PMad
Posts: 54
Joined: Thu Oct 18, 2012 6:19 pm

Re: Fighting Hackers

Post by PMad » Fri Feb 03, 2017 11:26 pm

rfwilliams777 wrote:Does the actual abuse (the one with repeated attempts) seem to come from the same class C IP address? Does it appear to come from a specific geography? You can enable the Windows firewall to help with these attacks from these ideas.
My list contains classes A, B, and C IP addresses, no multicast IP's are there, but I've by no means added all offending IP addresses, and even worse I believe most of these IP's are spoofed.

I believe many of the (brute force?) attacks are the same person or group, there's a very common pattern that isnt often broken. There are typically X amount of attempts on one IP address, one attempt per username at a time. After X attempts fail (probably the same password attempt for each?) it almost instantly switches to a new IP address where those same X amount of attempts are tried again, typically on the same set of users. If MailEnable's abuse detection checked against the IP address as well as the username and gave the user an option to block offending IP's for a specified amount of time, this would be a wonderful solution! Since they are spoofed, no administrator would want to permanently block the IP, only for maybe 2-6 hours after 3-10 failed attempts (imo).

I did come across something that I was unaware of but is apparently quite common is attacks from a host named "ylmf-pc". I've not yet blocked it but as soon as I discovered that about half of my attacks were coming from them, they vanished...
11/29/16 00:23:18 SMTP-IN .MAI 1564 101.78.231.28 220 my.domain ESMTP MailEnable Service, Version: 9.51--9.51 ready at 11/29/16 00:23:18 0 0
11/29/16 00:23:19 SMTP-IN .MAI 1564 101.78.231.28 EHLO EHLO ylmf-pc 250-my.domain [101.78.231.28], this server offers 7 extensions 182 14
11/29/16 00:23:19 SMTP-IN .MAI 1564 101.78.231.28 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/29/16 00:23:19 SMTP-IN .MAI 1564 101.78.231.28 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 temp
11/29/16 00:23:19 SMTP-IN .MAI 1564 101.78.231.28 AUTH dGVtcA== 535 Invalid Username or Password 34 10 temp
I need to figure out how to block that just in case they start coming back, but you can see in the middle of the 2nd line where it says "EHLO ylmf-pc" which with some internet research seems to be notoriously linked to nothing but bad things. Whatever that is or was, they had several thousand attempts each day, then they started spreading out and some days they would try, others they wouldn't, some days they would try harder than others. Maybe they gave up on my server? I hope so!
telecomputers wrote:I read somewhere recently that you should NOT have BOTH Connection Dropping and Abuse Detection and Prevention on at the same time.

Perhaps someone from ME can confirm this?

When I read this I wondered why ME does not have a text warning next to both these options in the backend to alert people.
We had both turned on and were having problems - we turned off the Abuse Detection and Prevention and had no more issues. Sorry I do not recall the specific details of the problems we were having I just remember being advised not to have them both running.

I am going to put this into the suggestion area right now.
I hope we can find out soon, also the reasoning behind it. It would seem to me like its just extra layers of protection that wouldn't conflict, but maybe I'm wrong?

PMad
Posts: 54
Joined: Thu Oct 18, 2012 6:19 pm

Re: Fighting Hackers

Post by PMad » Fri Feb 03, 2017 11:30 pm

Apparently I did block this and completely forgot. I used EHLO blocking in the SMTP properties > Security Tab > Configure Blocks. No wonder they disappeared! :lol:

tomr
Posts: 48
Joined: Wed Apr 09, 2008 9:58 pm

Re: Fighting Hackers

Post by tomr » Mon Feb 13, 2017 9:27 pm

I have the exact "EHLO ylmf-pc" using serveral ipaddress daily. I use RDP Guard to block the IPaddress.

-tomr

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: Fighting Hackers

Post by telecomputers » Mon Feb 13, 2017 11:52 pm

Why not just block YLMF-PC at the HELO block?

SMTP Properties
Security TAB
Configure Blocks (at the bottom).

No need to block IP addresses if the HELO is blocked.
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity

tomr
Posts: 48
Joined: Wed Apr 09, 2008 9:58 pm

Re: Fighting Hackers

Post by tomr » Tue Feb 14, 2017 12:32 am

I did. But RDP blocks ip addresses automatically and hackers/spammers change computers and IP addresses all the time so I like the automatic block.

Now, parsing the log files for ehlo and failed logins sounds like a good idea for automatic blocking, hmmm...

siteffect
Posts: 16
Joined: Mon Feb 13, 2017 11:18 am

Re: Fighting Hackers

Post by siteffect » Mon Feb 20, 2017 5:48 pm

I blocked

ylmf-pc
bonton-agency.ru
BLUE.home
ADMIN

Any others I need to block to fight spammers and password seekers ?

PMad
Posts: 54
Joined: Thu Oct 18, 2012 6:19 pm

Re: Fighting Hackers

Post by PMad » Mon Feb 20, 2017 8:48 pm

I have the same issue is tomr, even though i have the ylmf-pc blocked, but thats not the only attacker, there are several others with varying EHLO/HELO names after it.

It seems as though the computer name after EHLO/HELO commands, the IP addresses, and the usernames they login with are completely random. The attempts happen again and again and again until the legitimate accounts are blocked.

If I manually block the IP address, i'll see connection attempts for the rest of the day and sometimes a day or two later, but they are clearly spoofing IP addresses, so I assume they are spoofing computer names too. The best way that I can think of to block these is to have something that will block failed connection attempts by IP address. ME would count each consecutive failed login attempt by the IP address rather than the username, so lets say users are locked out after 5 failed login attempts, and this bot is set to try 5 passwords on an account before trying a different login. And lets say this setting is set to 7, so somebody with 7 failed login attempts would be banned for lets say 48 hours. This attacker would lock the first account, and after 2 attempts on the second account, the IP address would be banned for 48 hours. This would be helpful, not a solution but helpful.

Something else to go along with that, that could be useful is another running service that would do an IP Trace on each IP address that is blocked. This would temporarily block the offending IP address but permanently block the traced IP. Server admins could have an option that would delay every login attempt because its doing an IP Trace on every IP that tries to login as a way to help fight it and slow down the login attempts (this would be made more for smaller businesses and users of ME because of the resource costs and whatnot, but it would be nice).

There's really nothing i've found that works at all. They just keep on hackin, and i keep on unlocking my own account.

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: Fighting Hackers

Post by telecomputers » Tue Feb 21, 2017 4:27 am

Hey siteffect -

There is another thread about this going on - title is:
EHLO Blocking - HELO *.*

Hope this helps -
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity

siteffect
Posts: 16
Joined: Mon Feb 13, 2017 11:18 am

Re: Fighting Hackers

Post by siteffect » Tue Feb 21, 2017 5:31 am

HELO *.* not sure, we have legitimate connection with that command ... why do you think so ?

siteffect
Posts: 16
Joined: Mon Feb 13, 2017 11:18 am

Re: Fighting Hackers

Post by siteffect » Tue Feb 21, 2017 5:35 am

Blocking IP addresses on SMTP would be a good solution.
The best way that I can think of to block these is to have something that will block failed connection attempts by IP address. ME would count each consecutive failed login attempt by the IP address rather than the username, so lets say users are locked out after 5 failed login attempts, and this bot is set to try 5 passwords on an account before trying a different login. And lets say this setting is set to 7, so somebody with 7 failed login attempts would be banned for lets say 48 hours. This attacker would lock the first account, and after 2 attempts on the second account, the IP address would be banned for 48 hours. This would be helpful, not a solution but helpful.
Is this something that could be implemented in a next version ?

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: Fighting Hackers

Post by telecomputers » Wed Feb 22, 2017 10:22 pm

Hey siteffect -

There is another thread about this going on - title is:
EHLO Blocking - HELO *.*

I did not make this statement to start a conversation about "EHLO Blocking - HELO *.*" - I was simply telling you to do a search for this title here in the forum to FIND the other thread where that conversation has been on going.
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity

tomr
Posts: 48
Joined: Wed Apr 09, 2008 9:58 pm

Re: Fighting Hackers

Post by tomr » Thu Feb 23, 2017 9:04 pm

Interesting reading on the web for ylmf-pc they have been at this for a few years. They are persistent bastards.

Post Reply