Multiple Source IPs Resulting in 535 Invalid Username or Password for Single Mailbox

Discussion forum for Enterprise Edition.
jnoffy18
Posts: 2
Joined: Mon Oct 25, 2021 12:51 pm

Multiple Source IPs Resulting in 535 Invalid Username or Password for Single Mailbox

Post by jnoffy18 »

I have been trying to review the forums for some kind of solution to prevent lockouts when there is a brute-force attack on a single mailbox where the source IP is constantly changing and the target seems to be the same mailbox. Additionally, it seems these attempts occur with a wide enough range of IP addresses that they will create lockouts for users without being blocked or slowed. It seems this type of attack gets past the two options I have seen referenced the most in trying to stop invalid username and password attempts.

SMTP Issue Example:

Almost all attempts are coming from a different source address.

10/24 - 114 - Invalid Username or Password attempts
10/23 - 162 - Invalid Username or Password attempts
10/22 - 161 - Invalid Username or Password attempts
10/21 - 157 - Invalid Username or Password attempts

Features reviewed:

Connection Dropping: This only seems to be useful if the attempts are coming from the same IP address in a certain window of time. In this case it appears to be a form of IP address spoofing where a lot of different source IP addresses are being used. This could result in automatic blocking of IPs, but only if it is the same source address within a timeframe. Is my assumption correct that this will only block IPs if the failed commands occur within an hour? I also understand the concern about IPs being denied for legitimate users if they, for example, do not update their password in a mail app or something of that nature. So setting this too low can be impactful, and having too many IPs in this list can also be impactful. I am also curious whether SMTP whitelisting overrules this setting, as we might be able to lower our current setting if this is the case.

Enable Abuse Detection and Prevention: Again, this seems to only be helpful when it is the same IP address making the attempts and with the attempts being within a specific timeframe. We do currently have this enabled. But it also appears this is a temporary block. So even if one of these IPs were to get blocked, if they were using enough spoofed addresses they may still be able to continue their attack and actually get the IP address that was blocked back into their rotation after a certain amount of time?

Unfortunately, we run into these cases from time to time where a customer keeps getting locked out of their mailbox from these types of targeted attacks using multiple source IP addresses. If these do not stop, we have gotten to the point of assigning new mail addresses simply because we cannot stay ahead of trying to block all the IPs that are being used. Are there any solutions I may be missing here? We have even tried enabling country authentication restrictions, but for some reason this does not seem to work, as we still have internationally registered IP addresses that are a part of these attacks.

Any feedback on this topic would be greatly appreciated.
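The post above describes the gap in per-IP controls: connection dropping and abuse detection both key on the source address, so an attacker rotating through many IPs stays under every per-IP threshold while still racking up hundreds of 535s against one mailbox. The following is an added example, not code from the original post or from MailEnable, that shows the alternative grouping a practitioner would want: aggregate authentication failures by target mailbox and count distinct source IPs in a sliding window, so the distributed pattern is visible even when no single IP fails more than once. The log lines are constructed in a simplified `timestamp source-ip mailbox reply-code` format (not MailEnable's actual log layout), and the function names, thresholds and window size are assumptions for illustration.

```python
"""Distributed brute-force detection keyed on the target mailbox.

Added example (not from the original post or MailEnable). Per-IP rules such as
connection dropping or abuse detection see at most one failure per address when
the attacker rotates IPs; grouping 535 replies by mailbox and counting distinct
source IPs in a sliding window exposes the same activity.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified format (NOT MailEnable's real layout):
# "<ISO timestamp> <source IP> <target mailbox> <SMTP reply code>"
# Seven 535s against user@example.com from seven different addresses in a few
# minutes; other@example.com has one failure followed by a successful 235.
SAMPLE_LOG = """\
2021-10-24T08:00:01 203.0.113.10 user@example.com 535
2021-10-24T08:00:15 203.0.113.11 user@example.com 535
2021-10-24T08:00:32 198.51.100.7 user@example.com 535
2021-10-24T08:01:02 192.0.2.44 user@example.com 535
2021-10-24T08:01:40 203.0.113.12 user@example.com 535
2021-10-24T08:02:10 198.51.100.8 user@example.com 535
2021-10-24T08:02:55 192.0.2.45 other@example.com 535
2021-10-24T08:03:00 192.0.2.45 other@example.com 235
2021-10-24T08:03:20 203.0.113.13 user@example.com 535
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, mailbox, code) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mailbox, code = line.split()
        events.append((datetime.fromisoformat(ts), ip, mailbox, int(code)))
    return events


def max_failures_per_ip(events, window=timedelta(hours=1)):
    """Highest number of 535s any single source IP produced inside one window.

    This is the only quantity a per-IP rule (connection dropping, abuse
    detection) can act on; for a rotating attacker it stays at 1.
    """
    by_ip = defaultdict(list)
    for ts, ip, _mailbox, code in events:
        if code == 535:
            by_ip[ip].append(ts)
    worst = 0
    for stamps in by_ip.values():
        stamps.sort()
        recent = deque()
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            worst = max(worst, len(recent))
    return worst


def find_distributed_attacks(events, window=timedelta(hours=1),
                             min_failures=5, min_distinct_ips=3):
    """Mailboxes that received >= min_failures 535s from >= min_distinct_ips
    source IPs within any sliding window. Returns {mailbox: {...}}."""
    by_mailbox = defaultdict(list)
    for ts, ip, mailbox, code in events:
        if code == 535:
            by_mailbox[mailbox].append((ts, ip))

    flagged = {}
    for mailbox, fails in by_mailbox.items():
        fails.sort()
        recent = deque()          # (ts, ip) pairs inside the current window
        ips_in_window = Counter() # how many failures each IP has in the window
        best_failures, best_distinct = 0, 0
        for ts, ip in fails:
            recent.append((ts, ip))
            ips_in_window[ip] += 1
            while ts - recent[0][0] > window:
                _old_ts, old_ip = recent.popleft()
                ips_in_window[old_ip] -= 1
                if ips_in_window[old_ip] == 0:
                    del ips_in_window[old_ip]
            if len(recent) > best_failures:
                best_failures, best_distinct = len(recent), len(ips_in_window)
        if best_failures >= min_failures and best_distinct >= min_distinct_ips:
            flagged[mailbox] = {"failures": best_failures,
                                "distinct_ips": best_distinct}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("worst single-IP failure count:", max_failures_per_ip(evs))
    print("distributed attacks:", find_distributed_attacks(evs))
```

On the constructed sample the per-IP view never exceeds one failure, so a per-IP block or abuse-detection rule with any sensible threshold stays silent, while the per-mailbox view reports seven failures from seven distinct addresses against `user@example.com`. The same grouping would need to be run against the real server log format, and the thresholds tuned so a single user with a stale saved password (one IP, repeated failures) is not confused with a rotating attacker (many IPs, one failure each).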

jnoffy18
Posts: 2
Joined: Mon Oct 25, 2021 12:51 pm

Re: Multiple Source IPs Resulting in 535 Invalid Username or Password for Single Mailbox

Post by jnoffy18 »

https://www.mailenable.com/forum/viewtopic.php?t=40505

The forum thread above seems to cover the GeoIP feature and explain why we still see that in the logs. It seems it is not referenced for incorrect attempts.


My main goal is to turn off lockouts and feel that I am not leaving a security hole where these types of attacks could end up being successful.
