Many Login Attempts over SMTP -- Do you see the same in your environments?

Daniel Nashed  4 July 2013 16:19:49

A while ago I noticed a lot of connections from hosts not delivering any message.
Looking into the logs, I figured out that there are hosts trying to authenticate even though my server has authenticated SMTP disabled.
They are opening many sessions at the same time trying to brute-force passwords.

Because authentication is disabled, this is not really a security issue, but it blocks sessions for other servers and fills the logs.

I have created some new rules to block those requests directly in the connect state.
And I have also changed some settings that block servers which have already sent a lot of SPAM or have been blacklisted manually in the IP/Domain Cache database.

So besides that, I am temporarily denying connections if a server connects at intervals of 3 seconds or less (and the server is not one of the hosts that already sent many good messages).

The change seems to have a positive effect on the number of connects I get from those hosts.

Let me know if you see similar issues. If you are a SpamGeek user and if you want to test my new settings drop me a mail. I can send you my configuration changes.

-- Daniel
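
The connect-interval rule described in the post, replayed over a constructed connection log as an added example (this is not the author's SpamGeek configuration or code). The `ConnectGate` class, the event format, the choice to count denied attempts toward the interval, and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_INTERVAL = 3.0  # seconds; the threshold named in the post


@dataclass
class ConnectGate:
    """Connect-stage throttle keyed on the client IP (hypothetical helper)."""
    trusted: set = field(default_factory=set)      # hosts with a good delivery history
    min_interval: float = MIN_INTERVAL
    last_seen: dict = field(default_factory=dict)  # ip -> time of last connect

    def check(self, ip: str, ts: float) -> str:
        """Return 'accept' or 'tempfail' for a connect from ip at time ts."""
        if ip in self.trusted:
            return "accept"  # exemption for known-good senders
        prev = self.last_seen.get(ip)
        # Assumption: denied attempts also update the timestamp, so a
        # sustained burst stays blocked until the client slows down.
        self.last_seen[ip] = ts
        if prev is not None and ts - prev <= self.min_interval:
            return "tempfail"  # temporary denial, e.g. a 4xx reply at connect
        return "accept"


def replay(events, trusted):
    """Run (timestamp, ip) connect events through a fresh gate."""
    gate = ConnectGate(trusted=set(trusted))
    return [(ip, ts, gate.check(ip, ts)) for ts, ip in events]


def denied_counts(results):
    """Count temporary denials per client IP."""
    counts = {}
    for ip, _, verdict in results:
        if verdict == "tempfail":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: (seconds, client IP), RFC 5737 documentation addresses.
SAMPLE = [
    (0.0, "198.51.100.7"), (0.5, "198.51.100.7"), (1.0, "203.0.113.20"),
    (1.2, "198.51.100.7"), (1.5, "203.0.113.20"), (4.0, "198.51.100.7"),
    (9.0, "198.51.100.7"),
]
TRUSTED = {"203.0.113.20"}  # constructed: a host that already sent good mail

if __name__ == "__main__":
    for ip, ts, verdict in replay(SAMPLE, TRUSTED):
        print(f"{ts:5.1f}s  {ip:15s} {verdict}")
```

The connect at 4.0 s is still denied because the previous attempt from that address was at 1.2 s; only the connect at 9.0 s, after a gap of more than 3 seconds, is accepted again.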



