Invalid Email Account Login Attempts

Discussion forum for Enterprise Edition.
Ptarver
Posts: 14
Joined: Thu Nov 01, 2007 5:28 pm

Invalid Email Account Login Attempts

Post by Ptarver »

This may be covered elsewhere in this forum, but I've not been able to figure out how to find a solution or at least a suggestion, so I thought I'd post here and see if anyone could help.

I've been running MailEnable Enterprise for about 10 years now and we are up to Version 6.x (looking to move to 8.5 later this year!). Anyway, the one thing that I see on a daily basis that I cannot seem to figure out how to prevent or minimize is the number of SMTP attacks we see on email accounts that do not exist. For example, we have the lock-out policy in place for 7 failed login attempts, but that only works on email accounts that actually exist on the server. But we sometimes see thousands of attempts via dictionary attacks to log in to email accounts that are invalid.

The easiest thing to say is "Hey, those accounts don't exist anyway so the hacker can't possibly break in to the server via those accounts." And you would be right to say that, BUT that line of thinking doesn't take into account a negative hack. Let me explain: Let's assume that you have a domain configured with 20 or so email addresses. So a hacker finds the website, then attempts to connect to the mail server and now he knows the domain has an active web server. Next, the hacker begins to hit random accounts like contactus@somedomain.com or info@somedomain.com. His method is to try to use these email addresses to authenticate, and the first thing he notices is that when he tries a real account like support@somedomain.com, he gets locked out, but he never gets locked out of the invalid accounts. So, now he begins to build a list of potentially valid email addresses to try against the server. Once he obtains a short list of confirmed valid accounts, with a known lockout policy number (confirmed via testing), he can then apply a systematic approach toward hacking those valid accounts.

It seems to me that all of this could be prevented if MailEnable would treat failed login attempts the same whether the person was trying to log in to a valid account or an invalid account. A side benefit to this approach is a significant reduction in server load for MailEnable in fielding huge numbers of login attempts on invalid email accounts.

Is there a setting in MailEnable to activate this behavior (and perhaps I'm just using the wrong terminology), or does anyone have any other ideas?

Thanks!
Paul Tarver
Tarver Program Consultants, Inc.

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 »

Go to the localhost Properties. Check the box for "Enable Abuse Detection and Prevention". If version 6.x doesn't have it, upgrade. To avoid issues, I would recommend turning off (disabling) the account lockout that you suggested.
Robert Williams, Owner
www.WilliamsWebSolutions.com
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and we will migrate your accounts to us for FREE!
We can be hired to help you with your Mail Enable server, too!

PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

I am wondering about this same issue myself.

I have attempts going non-stop 24/7 from people trying to log in to accounts on my server (most of which don't exist). I have an enormous list of IP addresses from somebody trying to log in to my server with invalid email addresses. In fact, here's a list from just the last 30 minutes before I came here seeking a solution:


Each IP address was used many times. I do have the "Enable Abuse Detection and Prevention" box checked and IP addresses are being blocked for 1 hour after 5 failed attempts. My logs are scattered with 5 attempts in a row by thousands of different names coming from thousands of different IP addresses over the past few years.

My original thought was to block the range of IP addresses dedicated to that service provider, i.e. 192.168.0.0 to 192.168.255.255. This is a terrible solution since the hackers are either spoofing their IP addresses, using proxies around the world, or utilizing previously hacked computers to make the connections. These are ranges of IP addresses that could potentially block legitimate emails coming in. This is the case even if I block a single IP address, as one of them in the past has come in as 8.8.8.8, which is a Google DNS server, but it was not Google, it was somebody trying to log in as "bob1".

So then I thought, is there a way to block these IP addresses only from logging in and not from sending emails? I cannot find this sort of option anywhere. Does this functionality exist, or is there another way to prevent these hackers from trying to log in? I'm quite sure that they are using a script or an application that makes these connection attempts, so there may be some tricky way to send a 404 error and make the hacker think the site doesn't exist and remove it from their list of "Sites to Hack". I don't know, I need a solution badly. It's only a matter of time until one of their attempts is actually successful, and I won't know this until I check the logs, but a successful attempt I can rarely identify as valid or not. I'm not even looking at successful attempts. They might already have made it in!

If somebody is using a proxy to connect, would a tracert track it back to their actual IP address and bypass the proxy? Connections would take a couple seconds longer but myself and my users would not mind it. With that sort of option, if it works (not sure how anonymous proxies would deal with this), the real IP address could be used as the identifier and blocked that way.

tmorg
Posts: 64
Joined: Tue Aug 12, 2008 7:43 pm
Location: USA

Re: Invalid Email Account Login Attempts

Post by tmorg »

This is an older post but I thought I'd piggyback with a similar issue. I have an Ex account that is hitting the server over and over, thousands of times. I've tried a filter to block, abuse settings, but it still shows in the log file as a failed attempt. Any help appreciated.

I 764 75.224.205.196 AUTH {blank} 334 UGFzc3dvcmQ6 18 34 joey.lopez@domain.com
01/28/15 21:25:51 SMTP-IN F61F4AD34CC84580AB38B78BA567934F.MAI 764 75.224.205.196 AUTH d2VsY29tZQ== 504 Invalid Username or Password 34 14 joey.lopez@domain.com
01/28/15 21:25:51 SMTP-IN ADFA2AF08E3D41E587CAEEBBF08F33C8.MAI 744 75.224.205.196 220 domain.com ESMTP MailEnable Service, Version: 8.58--8.58 ready at 01/28/15 21:25:51 0 0
01/28/15 21:25:52 SMTP-IN ADFA2AF08E3D41E587CAEEBBF08F33C8.MAI 744 75.224.205.196 EHLO EHLO localhost 250-domain.com [75.224.205.196], this server offers 6 extensions 164 16
01/28/15 21:25:52 SMTP-IN ADFA2AF08E3D41E587CAEEBBF08F33C8.MAI 744 75.224.205.196 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/28/15 21:25:52 SMTP-IN ADFA2AF08E3D41E587CAEEBBF08F33C8.MAI 744 75.224.205.196 AUTH {blank} 334 UGFzc3dvcmQ6 18 34 joey.lopez@domain.com
01/28/15 21:25:52 SMTP-IN ADFA2AF08E3D41E587CAEEBBF08F33C8.MAI 744 75.224.205.196 AUTH d2VsY29tZQ== 504 Invalid Username or Password 34 14 joey.lopez@domain.com
01/28/15 21:25:53 SMTP-IN F44CC3D8E85E4E558C2DC822D81F9253.MAI 856 75.224.205.196 220 domain.com ESMTP MailEnable Service, Version: 8.58--8.58 ready at 01/28/15 21:25:53 0 0
01/28/15 21:25:53 SMTP-IN F44CC3D8E85E4E558C2DC822D81F9253.MAI 856 75.224.205.196 EHLO EHLO localhost 250-domain.com [75.224.205.196], this server offers 6 extensions 164 16
01/28/15 21:25:53 SMTP-IN F44CC3D8E85E4E558C2DC822D81F9253.MAI 856 75.224.205.196 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/28/15 21:25:54 SMTP-IN F44CC3D8E85E4E558C2DC822D81F9253.MAI 856 75.224.205.196 AUTH {blank} 334 UGFzc3dvcmQ6 18 34 joey.lopez@domain.com
01/28/15 21:25:54 SMTP-IN F44CC3D8E85E4E558C2DC822D81F9253.MAI 856 75.224.205.196 AUTH d2VsY29tZQ== 504 Invalid Username or Password 34 14 joey.lopez@domain.com
01/28/15 21:25:55 SMTP-IN E45B7A0645284BDDA132E3AF42D1B452.MAI 740 75.224.205.196 220 domain.com ESMTP MailEnable Service, Version: 8.58--8.58 ready at 01/28/15 21:25:55 0 0
01/28/15 21:25:55 SMTP-IN E45B7A0645284BDDA132E3AF42D1B452.MAI 740 75.224.205.196 EHLO EHLO localhost 250-domain.com [75.224.205.196], this server offers 6 extensions 164 16
01/28/15 21:25:55 SMTP-IN E45B7A0645284BDDA132E3AF42D1B452.MAI 740 75.224.205.196 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/28/15 21:25:56 SMTP-IN E45B7A0645284BDDA132E3AF42D1B452.MAI 740 75.224.205.196 AUTH {blank} 334 UGFzc3dvcmQ6 18 34 joey.lopez@domain.com
01/28/15 21:25:56 SMTP-IN E45B7A0645284BDDA132E3AF42D1B452.MAI 740 75.224.205.196 AUTH d2VsY29tZQ== 504 Invalid Username or Password 34 14 joey.lopez@domain.com

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Invalid Email Account Login Attempts

Post by Brett Rowbotham »

You can try something like this:

http://forum.mailenable.com/viewtopic.php?f=4&t=27469

Cheers,
Brett

PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

Brett Rowbotham wrote:You can try something like this:

http://forum.mailenable.com/viewtopic.php?f=4&t=27469

Cheers,
Brett

I like the idea but there are a couple of problems with it. First, it doesn't unblock them after X amount of time, which it needs to due to the second reason, which is the IP addresses. When scanning my logs, I'll find that the IP address used is typically for 1 attempted user account. It will try 5 times before being blocked for a while. Once blocked, I rarely ever see that IP address being used again.

There's got to be a better way somewhere... :?:

PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

I'm wondering, is there a way to add a fairly simple CAPTCHA to the login page? That probably wouldn't work because if it was forced, then mobile users couldn't log in with Android apps, and hackers could just attempt to connect using a non-web based protocol.

What about authentication similar to a bank, except some of the security behind it would be global. For example: When trying to log in, it will store your IP address. When trying to log in from an IP address outside of that subnet, you would be prompted for some extra authentication, something brute force will most likely not break. Failing that authentication would lock the account and force the user to call tech support or whoever is in charge of the accounts. After so long, the admin could lock the server down so that connections outside of the subnets used by all users would be blocked. If a user tries to connect outside of that subnet, they would have an option to email the admin or live chat or call. That could get them the correct authentication to add that subnet to the allowed list (or whitelist).

I haven't ever seen anything like that done before so I'm assuming MailEnable doesn't have it. If anyone from MailEnable reads this, can the idea be passed to engineers? Only if others don't tear it apart as a terrible idea anyway... :D

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 »

Your idea has merit...provided ME was used within the same network (so to speak) as the server. But as a hosting provider like myself, who has hundreds of users literally around the world accessing the mail server with multiple methods at any given time, I need it fairly wide open on the necessary ports. All other ports are closed on the server.

Ehenzel1978
Posts: 98
Joined: Mon Dec 31, 2012 4:48 pm
Location: Leland, NC 28451

Re: Invalid Email Account Login Attempts

Post by Ehenzel1978 »

I have similar problems on my server, and we host only ourselves with about 3 dozen email addresses. Yet, I still see hundreds of attempts by hackers to log in using both invalid addresses and valid addresses they have been able to figure out. I block all the IPs that fail attempts to invalid addresses and have a lockout after 5 attempts on the valid ones. If someone's address gets locked out, and it happens a couple of times a week, they have to call me and I unlock it.

I have tried multiple configurations and methods, but I always end up causing more headaches for my users than I do for the hackers.

Blocking the IPs that attack invalid addresses doesn't seem to do much good because the hackers rarely use the same IP twice, but I still carry on with it because there isn't much else to do.

I have actually had to have a few users change their addresses entirely because hackers got in, and once they get in once, they try almost continuously to get in again. The problem got so bad around the Christmas holidays that my server actually started to lag from the amount of bandwidth and processor time being used by the hackers trying to get in.

I have looked for years to try and find a way to stop this, on both MailEnable and with Exchange servers, and have yet to find a way that works. Most of the time, I end up making it nearly impossible for actual users to log in, while the hackers just continue on as usual.

If anyone actually came up with a way to help, they would revolutionize the email server industry. But, as a wise man said once "If it was easy, everyone would do it."

I don't think that there is anything that can be done to put a stop to it. Complex password requirements, strict lockout policies, and vigilance by the email administrator can keep the impact to a minimum, but I think that is really the best we can hope for.

I apologize for the long and somewhat whining post, but I hope that this lets everyone here know they are not alone in this.
Eric Henzel
IT Department
Leather Italia USA

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 »

BTW, if the same people who are attempting to hack MailEnable are also attempting remote desktop access (you will have to review your Windows logs), then use RDPGuard. It blocks all connections to the server and you can set it to however long you wish for it to continue to block.

PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

Is there a way to force MailEnable to run a traceroute on every login attempt to try and block connections at the source IP rather than the random proxy IPs these hackers use? It would take a few extra seconds for each login attempt, but that would decrease the amount of login attempts by hackers by putting a delay between each attempt, block them at the source (sometimes, but some is better than none!), and reduce the load on the server.

Or is there a way to do some sort of DNS check on the IP address and, if it comes from a source other than an ISP, block it? (Could be problematic, but modifiable lists would be useful.) For example, Google has a DNS server at 8.8.8.8; if you check this one it comes up with the name google-public-dns-a.google.com, and seeing that "google.com" is not a valid ISP (unless their fiber network uses it), it would be blocked. This site http://www.ipfingerprints.com/ is an example of that.

kimdobranski
Posts: 12
Joined: Thu Oct 25, 2012 5:30 pm

Re: Invalid Email Account Login Attempts

Post by kimdobranski »

I wrote a Windows service I have been testing which scans the MailEnable log, detects invalid login attempts and adds the IP to Windows Firewall for 15 minutes. After 15 minutes it unbans it. However, it watches the IP for 12 hours after, and if it gets banned 3 times in the 12 hour period it permanently adds it to Windows Firewall. (These settings are all adjustable.)

I have it on my server and it has been running for about 4 months now, and I have stopped about 1600 IPs.

It also watches Windows events and blocks RDP and SQL login attempts and runs suspect IPs through the same procedure.

I have only tested it on Windows 2008 R2, but if anyone is interested I can supply you with it for you to try. I am eventually going to try and take it to market. The GUI is not designed yet but the service works fine. You can watch it manage IPs in the folders it uses to keep track of everything.

If you are interested feel free to PM me.

-Kim

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 »

Does it also detect ports in the 50000 range?

PMad
Posts: 60
Joined: Thu Oct 18, 2012 6:19 pm

Re: Invalid Email Account Login Attempts

Post by PMad »

I still haven't found a solution to this, but I do have a simple feature request that could resolve this.

One way people are bypassing the protection is by trying hundreds of DIFFERENT names. So since they failed logging in as root, they try postgres, fail again and they try admin, fail again and they try another username, then another, then another, then another, etc.... The thing though is that in many cases, it's the same IP address. That's the key!

The feature request is to block people who fail to login with any account X amount of times within X amount of time. I believe one term for this is Hammering. I'd like to have a setting where if a connection attempt fails 3 times within 30 seconds, the person is blocked for 10 minutes. If it happens again within 12 hours they are banned for 24 hours, and if it happens again within 24 hours after the ban they are permanently banned. That would be a great feature that would automatically do a majority of the banning that I'm forced to do on a daily basis.

I haven't found any options that already do this. Has anyone else?

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Invalid Email Account Login Attempts

Post by rfwilliams777 »

MailEnable does block the IP address for up to 1 hour. Another way of doing it if it is the server is to use RDPGuard. Don't let the name fool you as it can block other forms of connections to the server. With this, you can set it up to block IP addresses for as long as you want before it auto dumps it.
