Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Many Login Attempts over SMTP -- Do you see the same in your environments?

Daniel Nashed  4 July 2013 18:19:49


A while ago I noticed a lot of connections from hosts not delivering any message.
Looking into the logs I figured out that there are hosts trying to authenticate even though my server has authenticated SMTP disabled.
They are opening many sessions at the same time trying to brute-force passwords.

Because authentication is disabled, this is not really a security issue, but it blocks sessions for other servers and fills the logs.

I have created some new rules to block those requests directly in the connect state.
And I have also changed some settings that block servers which have already sent a lot of spam or have been blacklisted manually in the IP/Domain Cache database.

Besides that, I am temporarily denying connections if a server connects at intervals of 3 seconds or less (and the server is not one of the hosts that already sent many good messages).

The change seems to have a positive effect on the number of connects I get from those hosts.

Let me know if you see similar issues. If you are a SpamGeek user and if you want to test my new settings drop me a mail. I can send you my configuration changes.

-- Daniel
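The interval rule described in the post, sketched as an added example; it is not the author's SpamGeek configuration, which is not shown on this page. The log format, the sample lines and the `MIN_FAST_HITS` threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

MAX_INTERVAL = 3.0  # seconds; the reconnect threshold named in the post
MIN_FAST_HITS = 3   # assumption: several fast reconnects before a temporary deny

# Constructed sample connect log (hypothetical format, not Domino's or SpamGeek's).
SAMPLE_LOG = """\
2013-07-04 18:00:00 connect 203.0.113.7
2013-07-04 18:00:01 connect 203.0.113.7
2013-07-04 18:00:02 connect 198.51.100.20
2013-07-04 18:00:02 connect 203.0.113.7
2013-07-04 18:00:03 connect 192.0.2.10
2013-07-04 18:00:04 connect 203.0.113.7
2013-07-04 18:00:04 connect 192.0.2.10
2013-07-04 18:00:05 connect 192.0.2.10
2013-07-04 18:00:06 connect 192.0.2.10
2013-07-04 18:00:40 connect 198.51.100.20
"""

def parse(log):
    """Yield (timestamp, ip) for every well-formed connect line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "connect":
            continue  # skip malformed or unrelated lines
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[3]

def hosts_to_temp_deny(log, trusted=frozenset()):
    """Return sorted IPs that reconnected within MAX_INTERVAL at least
    MIN_FAST_HITS times; hosts in `trusted` (known good senders) are exempt."""
    last_seen = {}
    fast_hits = defaultdict(int)
    for ts, ip in sorted(parse(log)):
        if ip in trusted:
            continue
        prev = last_seen.get(ip)
        if prev is not None and (ts - prev).total_seconds() <= MAX_INTERVAL:
            fast_hits[ip] += 1
        last_seen[ip] = ts
    return sorted(ip for ip, n in fast_hits.items() if n >= MIN_FAST_HITS)
```

Passing the set of hosts that already delivered many good messages as `trusted` keeps a busy legitimate relay from being denied for reconnecting quickly.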

Comments

1 Miguel Angel Calvo  05.07.2013 12:54:27  Many Login Attempts over SMTP -- Do you see the same in your environments?

Same here Daniel.

Public Domino servers are getting tons of SMTP connections trying to authenticate. These servers have SMTP authentication enabled.

The attacks are not Domino targeted as they don't try the usual accounts.

For small companies on Windows we designed a procedure to filter IPs at O.S. level.

{ Link }

2 florian vogler  05.07.2013 13:54:25  Many Login Attempts over SMTP -- Do you see the same in your environments?

Same here: observed SMTP auth attacks not just in our infrastructure; we therefore built a sensor for detecting such attacks into our monitoring solution GreenLight - preventing/filtering such attacks is certainly the better approach in the first place.

3 Ninke Westra  08.01.2014 17:56:56  Many Login Attempts over SMTP -- Do you see the same in your environments?

I've seen the same.

I've added an agent to the SpamGeek log database to check for the failed authentication attempts and then add the IP to iptables to drop all connections.

And yes I am interested in your rules as well.

4 Maxim D  07.05.2017 14:37:13  Many Login Attempts over SMTP -- Do you see the same in your environments?

I would like to know about these settings, if possible :)

5 Justin chuck  01.06.2020 3:50:23  Many Login Attempts over SMTP -- Do you see the same in your environments?

I've seen the same. I also wish to join the SpamGeek group to try it out. My company only has 3 users.
