Thousands of AUTH LOGIN Attempts

Discussion regarding the Standard version.
Post Reply
ladyinmt
Posts: 6
Joined: Thu Sep 25, 2014 7:20 pm
Location: Missoula, MT

Thousands of AUTH LOGIN Attempts

Post by ladyinmt » Fri Jan 15, 2021 5:11 pm

Hi everyone,

I've tried to find existing posts regarding this issue I'm having but not having any luck finding the ultimately solution, so starting a new post!

I'm running an instance of Mail Enable Standard Edition 10.30 on one of our servers. I'm seeing a ton of AUTH LOGIN attempts using various usernames/passwords, and it's causing our log files to grow large very quickly! In reading through some of the other posts, it seems these authentication requests can be blocked, but I can't seem to find the setting. Is this because the security feature is available only though a different edition of ME, such as Professional? Here's an example of what I'm seeing:

01/14/21 00:00:10 SMTP-IN 4EC0DB0DEFEE4A1482D58CCADCE8081A.MAI 1704 45.142.120.60 EHLO EHLO localhost 250-pushpin-group.com [45.142.120.60], this server offers 5 extensions 245 16
01/14/21 00:00:10 SMTP-IN 4EC0DB0DEFEE4A1482D58CCADCE8081A.MAI 1704 45.142.120.60 RSET RSET 250 Requested mail action okay, completed 43 6
01/14/21 00:00:10 SMTP-IN 76CFB74FE4F84EEBB817139347FF8F85.MAI 1840 45.142.120.183 AUTH {blank} 334 UGFzc3dvcmQ6 18 42 youshimitsu@pushpin-group.com
01/14/21 00:00:10 SMTP-IN BFD72172A8BD46B8B75A3EE4C0CB3E3D.MAI 2168 45.142.120.90 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/14/21 00:00:10 SMTP-IN 4EC0DB0DEFEE4A1482D58CCADCE8081A.MAI 1704 45.142.120.60 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/14/21 00:00:10 SMTP-IN 4EC0DB0DEFEE4A1482D58CCADCE8081A.MAI 1704 45.142.120.60 AUTH {blank} 334 UGFzc3dvcmQ6 18 6 zzz
01/14/21 00:00:10 SMTP-IN 95D6A32C8AB14FC7B94F6AD12944FA9B.MAI 1808 45.142.120.87 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 novell
01/14/21 00:00:11 SMTP-IN 4EC0DB0DEFEE4A1482D58CCADCE8081A.MAI 1704 45.142.120.60 AUTH enp6MTIzNDU= 535 Invalid Username or Password 34 14 zzz

If someone can confirm:
1.) If it's possible to prevent these bogus authentication requests
and
2.) Where I find the setting to prevent them

I'd appreciate it! Happy to consider upgrading, if that's what it takes.

Thanks!

Heather Morris
dbridge inc.
Missoula, MT USA

adz
Posts: 18
Joined: Wed Jul 16, 2014 5:20 am

Re: Thousands of AUTH LOGIN Attempts

Post by adz » Fri Jan 22, 2021 2:21 am

Not sure about standard edition. The enterprise edition has
localhost -> Policies -> Properties

It can be sensitive but you can:

'Mailenable can be setup to block a user for 1 hour after X(5) failed login attempts
'One solution - Rely entirely on inbuilt blocking failed attempts. Use only very long passwords. Update passwords on server regularly and automatically each month. Allow user to 'obtain password on server change' & 'unblock their account'via .net WebServer on server using a specific password for that user. (use Mailenable.Administration.Login()). Ability to unblock. Not sure about how whitelisting IP's would affect this.

'You can enable Abuse Detection and Prevention 'localhost -> Policies -> Properties
'https://www.mailenable.com/kb/content/article.asp?ID=ME020610#:~:text=By%20default%20the%20abuse%20detection,10%20times%20within%20an%20hour.&text=You%20are%20able%20to%20prevent,it%20into%20the%20SMTP%20whitelist.
'By default the abuse detection in MailEnable will block a maximum of 200 different IP addresses for an hour, if they try to authenticate incorrectly more than 10 times within an hour.
'If you want to block more than 200 address you can edit the registry (bout you have to restart ME).

'The other alternative is to copy/read the daily log files occasionally. Determine failed attempts and add to a Windows Firewall Blocking Rule or intermediate proxy. 'http://www.mailenable.com/forum/viewtopic.php?f=4&t=27469

'It appears possible to block IP Addresses using SMTPAccess (registry set maximum of 200).
'http://www.mailenable.com/forum/viewtopic.php?f=4&t=27469
See also https://www.mailenable.com/forum/viewtopic.php?t=41720.

I think that you want --> 'The other alternative is to copy/read the daily log files occasionally. Determine failed attempts and add to a Windows Firewall Blocking Rule or intermediate proxy. 'http://www.mailenable.com/forum/viewtopic.php?f=4&t=27469. This way your logs wont grow.

If you do implement this, please share what you are happy to.

ladyinmt
Posts: 6
Joined: Thu Sep 25, 2014 7:20 pm
Location: Missoula, MT

Re: Thousands of AUTH LOGIN Attempts

Post by ladyinmt » Wed Jan 27, 2021 6:11 pm

We only have one mailbox configured on the server -- it's primarily used to trigger emails from various webapps hosted on the same box. I would have thought (and was hoping) that Mail Enable support would have chimed in here, since I'm considering upgrading if the Professional version does what I need!

At any rate, I really appreciate the suggestions @adz - at least now I have something to explore. I'll let you know what I end up doing!

Best,

~Heather

Admin
Site Admin
Posts: 842
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Thousands of AUTH LOGIN Attempts

Post by Admin » Thu Jan 28, 2021 4:12 am

Currently (and going back a couple of months) there is an IP range doing a huge amount of brute force login attempts on mail servers. For example https://www.abuseipdb.com/check/45.142.120.90. The abuse detection in the Pro and Enterprise versions will block the IPs, though you will still see the connections littering your log files. If you have a complex password and non-standard username you should be ok with the Standard version, although you will just see lots of attempts. It might be easier just to block the IPs at the firewall.

Philb
Posts: 39
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: Thousands of AUTH LOGIN Attempts

Post by Philb » Thu Jan 28, 2021 10:40 pm

You said, ". . . it's primarily used to trigger emails from various webapps hosted on the same box."

If that's the case, does MailEnable really need to accept SMTP connections from the Internet or could you limit it to listening only on a private IP address/subnet?

Philb
Posts: 39
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: Thousands of AUTH LOGIN Attempts

Post by Philb » Thu Jan 28, 2021 11:17 pm

If ME must listen on a public IP, try enabling DNS Blacklisting under Servers > Services and Connectors > SMTP > Properties.
I would suggest just selecting SpamhausZEN to start.

That may help but it largely depends on where (in the SMTP client/server dialog) ME does the DNSBL check.

Edit: This link should help https://www.mailenable.com/kb/content/article.asp?ID=ME020084

adz
Posts: 18
Joined: Wed Jul 16, 2014 5:20 am

Re: Thousands of AUTH LOGIN Attempts

Post by adz » Thu Mar 04, 2021 3:41 am

Another option that might be worth investigating - https://itefix.net/win2ban or https://github.com/DigitalRuby/IPBan .

I am yet to use/trial this and would appreciate any comments from those who dive in. IPBan seems OK.


Update: IPBan is already configured for Mailenable SMTP logging - see ipban.config. Sorry about duplicate

Philb
Posts: 39
Joined: Fri Jul 25, 2003 11:02 pm
Location: Sydney, NSW, Australia

Re: Thousands of AUTH LOGIN Attempts

Post by Philb » Thu Mar 04, 2021 5:00 am

Interesting option.

One thing I had wondered about was the ban time that Mailenable's built-in RDNS implements.

I assume it's not "forever" but I couldn't find any information on that.

Post Reply