"Dictionary" attack on SMTP

Simonjshaw
Posts: 16
Joined: Fri Mar 18, 2022 9:48 am
Location: UK

Post by Simonjshaw »

The MailEnable SMTP service is being attacked by a network of compromised hosts whose IPs are listed on public blocklists, including Spamhaus and others.
They are connecting to SMTP and trying to authenticate (as a variety of users, some valid, some not).
Each inbound IP connection only attempts one login, which fails (so far!), then a different IP has a go. This does not trigger any IP access denial.
A blocklisted IP should not get a chance to guess a password.
Can the configured blocklists be consulted as soon as EHLO is received, so that the servers with listed IPs are prevented from even trying to authenticate?
This would seem like a sensible security enhancement - to prevent listed IPs from trying to authenticate.
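
The check the post is asking for, connection-time DNSBL lookup of the client IP before AUTH is offered, as an added example in Python that is not part of the original post and not MailEnable's own code. The DNSBL protocol itself is real (reverse the IPv4 octets, prepend them to the zone, and a 127.0.0.0/8 A record means "listed"); the zone name, the resolver injection and the answers in FAKE_ANSWERS are assumptions constructed so the example runs offline, and the listed/error code meanings follow Spamhaus's published conventions for zen.spamhaus.org.

```python
import ipaddress
import socket
from typing import Callable, Optional, Sequence, Tuple

# Assumed zone list for this example. zen.spamhaus.org is Spamhaus's combined
# public zone; any DNSBL that answers with 127.0.0.0/8 records works the same way.
DNSBL_ZONES = ("zen.spamhaus.org",)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet lookup name, e.g. 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_answer(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the 127.x.x.x listing code, or None when the IP is not listed.

    Raises RuntimeError when the zone signals a query error rather than a
    listing (Spamhaus uses 127.255.255.0/24 for that, e.g. 127.255.255.254 =
    query sent via a public/open resolver).
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    parsed = ipaddress.ip_address(answer)
    if parsed in ipaddress.ip_network("127.255.255.0/24"):
        raise RuntimeError(f"{zone} returned error code {answer} for {ip}")
    if parsed in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    # Anything outside 127/8 is not a listing (e.g. a wildcard DNS hijack).
    return None


def should_reject(ip: str, zones: Sequence[str] = DNSBL_ZONES,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Decide at connect/EHLO time whether to drop the client before AUTH.

    Fails open on lookup errors: a DNSBL outage or a blocked resolver must not
    turn into a self-inflicted denial of service on all inbound mail.
    """
    for zone in zones:
        try:
            code = dnsbl_answer(ip, zone, resolve)
        except RuntimeError as exc:
            return False, f"lookup error, failing open: {exc}"
        if code:
            return True, f"{ip} listed in {zone} ({code})"
    return False, "not listed"


# Constructed answers for an offline demonstration; these are not real listings.
FAKE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.4",        # pretend XBL (compromised host) listing
    "2.2.0.192.zen.spamhaus.org": "127.255.255.254",  # Spamhaus "public resolver" error code
}


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname so the example runs without network."""
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    for client in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(client, should_reject(client, resolve=fake_resolve))
```

Two practitioner caveats: the lookup must happen on the connecting IP before the 250 reply to EHLO advertises AUTH, otherwise the guess has already been made; and the resolver used must not be a public one, because Spamhaus returns an error code instead of a listing for those, which is exactly the fail-open path above.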

SmiLie
Posts: 11
Joined: Fri Oct 24, 2008 4:16 pm

Re: "Dictionary" attack on SMTP

Post by SmiLie »

Hello,
I am going to second this post. Mailenable Pro SMTP service attack.

Exactly the same issue: a dictionary brute-force attack from hundreds of hacked IP addresses.
Someone likely runs a database of domains and tries to log in using standard users - admin, info, etc.

Basically an attempt to log in as admin@somedomain.com with a password, it fails, next password, etc.
Since each attack comes from a different IP and the attacker seems to have a database of hundreds, if not thousands, of IPs, standard server software doesn't do anything.
Nor are any IPs getting banned.

I am losing half of my emails in the last several weeks as emails aren't being delivered. I try to send test emails to myself and basically 10 or so of them are completely lost.

Ideally I'd like to have a script that would have a list of ham / trap email addresses that don't really exist, so that the MailEnable server will auto-ban any attempts to log in to these. For instance:
If you try to log in to admin@trapdomain.com, info@trapdomain.com, webmaster@trapdomain.com, admin@trapdomain2.com, etc.
Any attempt to log in to those trap domains triggers an immediate IP ban.

Appreciate the software , thank you for your help here.
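
The trap-address ban described in the post, plus the detection that a per-IP failure counter cannot do (many IPs, one failed login each, all against the same account), as an added example in Python that is not part of the original post and not MailEnable's own code. The log line layout, the trap addresses and the sample lines are all constructed for this example; MailEnable's real SMTP activity log uses a different format, so the regular expression would need adapting before running this over actual logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed log format (NOT MailEnable's actual SMTP activity log layout):
#   <date> <time> <client-ip> AUTH <OK|FAIL> <login-name>
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"AUTH (?P<result>OK|FAIL) (?P<user>\S+)$"
)

# Hypothetical trap addresses: they are never real mailboxes, so any AUTH
# attempt against them is hostile by definition.
TRAP_ADDRESSES: Set[str] = {
    "admin@trapdomain.com", "info@trapdomain.com", "webmaster@trapdomain.com",
}

# Constructed sample log: three IPs each fail once against admin@example.com,
# one IP probes a trap address, and a legitimate user logs in from two places.
SAMPLE_LOG: List[str] = [
    "2022-03-18 09:48:01 203.0.113.5 AUTH FAIL admin@example.com",
    "2022-03-18 09:48:02 203.0.113.6 AUTH FAIL admin@example.com",
    "2022-03-18 09:48:03 203.0.113.7 AUTH FAIL admin@example.com",
    "2022-03-18 09:48:04 203.0.113.8 AUTH FAIL admin@trapdomain.com",
    "2022-03-18 09:48:05 198.51.100.9 AUTH OK bob@example.com",
    "2022-03-18 09:48:06 198.51.100.10 AUTH FAIL bob@example.com",
]


@dataclass
class Verdict:
    ban: Dict[str, str] = field(default_factory=dict)            # ip -> reason
    targeted_accounts: Dict[str, List[str]] = field(default_factory=dict)  # user -> failing IPs


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines: Iterable[str], traps: Set[str] = TRAP_ADDRESSES,
            per_ip_threshold: int = 5, distinct_ip_threshold: int = 3) -> Verdict:
    """Produce a ban list from three rules.

    1. Any AUTH attempt against a trap address bans that IP immediately.
    2. Classic per-IP counting (kept to show why it misses this attack).
    3. Distributed rule: if one account collects failures from at least
       distinct_ip_threshold different IPs, every one of those IPs is banned.
    """
    v = Verdict()
    fails_per_ip: Dict[str, int] = defaultdict(int)
    ips_per_user: Dict[str, Set[str]] = defaultdict(set)

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user = rec["ip"], rec["user"].lower()
        if user in traps:
            v.ban.setdefault(ip, f"auth attempt against trap address {user}")
            continue
        if rec["result"] == "FAIL":
            fails_per_ip[ip] += 1
            ips_per_user[user].add(ip)

    # Rule 2 never fires on SAMPLE_LOG: every attacker IP fails exactly once.
    for ip, n in fails_per_ip.items():
        if n >= per_ip_threshold:
            v.ban.setdefault(ip, f"{n} failed logins from one IP")

    # Rule 3 is what catches the one-attempt-per-IP dictionary attack.
    for user, ips in ips_per_user.items():
        if len(ips) >= distinct_ip_threshold:
            v.targeted_accounts[user] = sorted(ips)
            for ip in ips:
                v.ban.setdefault(ip, f"part of distributed attack on {user} ({len(ips)} IPs)")
    return v


if __name__ == "__main__":
    verdict = analyse(SAMPLE_LOG)
    for ip, reason in sorted(verdict.ban.items()):
        print(f"ban {ip}: {reason}")
```

The distributed rule needs a time window and an exemption for IPs that have authenticated successfully, otherwise a real user who mistypes a password from three locations in a week ends up on the ban list; the trap rule has no such false-positive problem as long as the trap addresses are never published as real mailboxes.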
