The MailEnable SMTP service is being attacked by a network of compromised hosts whose IPs are listed on public blocklists, including Spamhaus and others.
They are connecting to SMTP and trying to authenticate (as a variety of users, some valid, some not).
Each inbound IP connection only attempts one login, which fails (so far!) then a different IP has a go. This does not trigger any IP access denial.
A blocklisted IP should not get a chance to guess a pw.
Can the configured blocklists be consulted as soon as EHLO is received, so that the servers with listed IPs are prevented from even trying to authenticate?
This would seem like a sensible security enhancement - to prevent listed IPs from trying to authenticate.
"Dictionary" attack on SMTP
Re: "Dictionary" attack on SMTP
Hello,
I am going to second this post. Mailenable Pro SMTP service attack.
Exactly the same issue: a dictionary brute-force attack from hundreds of hacked IP addresses.
Someone likely runs a database of domains and tries to log in using standard users - admin, info etc.
Basically an attempt to log in as admin@somedomain.com with a password; it fails, then the next password, etc.
Since each attempt comes from a different IP and the attacker seems to have a database of hundreds, if not thousands, of IPs, standard server software doesn't do anything.
Nor are any IPs getting banned.
I am losing half of my emails in the last several weeks as emails aren't being delivered. I try to send test emails to myself and basically 10 or so of them are completely lost.
Ideally I'd like to have a script with a list of ham / trap email addresses that don't really exist, so that the MailEnable server will auto-ban any attempt to log in to them. For instance:
If you try to log in to admin@trapdomain.com, info@trapdomain.com, webmaster@trapdomain.com, admin@trapdomain2.com, etc.
Any attempt to log in to those trap domains triggers an immediate IP ban.
Appreciate the software, thank you for your help here.
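The trap-address idea above, worked through as an added example (not code from MailEnable or from the posters): it runs over constructed SMTP AUTH log lines (the format is an assumption, not MailEnable's real log layout), and shows why a per-IP failure counter catches nothing when every IP tries only once, while honeytoken mailboxes and a per-username count of distinct source IPs both expose the distributed campaign.

```python
import re
from collections import defaultdict

# Constructed sample lines (not MailEnable's real log format): timestamp, client IP,
# SMTP AUTH username, and result. Every IP tries exactly once, as described in the thread.
SAMPLE_LOG = """\
2024-03-01 08:00:01 203.0.113.10 AUTH admin@example.net FAIL
2024-03-01 08:00:03 198.51.100.7 AUTH info@example.net FAIL
2024-03-01 08:00:05 203.0.113.44 AUTH admin@example.net FAIL
2024-03-01 08:00:09 192.0.2.99 AUTH admin@trapdomain.com FAIL
2024-03-01 08:00:12 198.51.100.23 AUTH admin@trapdomain2.com FAIL
2024-03-01 08:00:15 203.0.113.201 AUTH admin@example.net FAIL
2024-03-01 08:00:20 192.0.2.50 AUTH alice@example.net OK
"""

# Honeytoken mailboxes from the post: they do not exist, so any AUTH against them is hostile.
TRAP_ADDRESSES = {"admin@trapdomain.com", "info@trapdomain.com",
                  "webmaster@trapdomain.com", "admin@trapdomain2.com"}

LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) AUTH (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse(log_text):
    """Yield (ip, user, result) tuples; lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user").lower(), m.group("result")


def analyze(log_text, traps=TRAP_ADDRESSES, per_ip_threshold=3, distinct_ip_threshold=3):
    """Return three sets a ban/alert script could act on:
    - 'trap_hits': IPs that tried a honeytoken mailbox (ban immediately)
    - 'per_ip': IPs with >= per_ip_threshold failures (the classic counter; empty here)
    - 'targeted_users': usernames attacked from >= distinct_ip_threshold different IPs
    """
    fails_per_ip = defaultdict(int)
    ips_per_user = defaultdict(set)
    trap_hits = set()
    for ip, user, result in parse(log_text):
        if user in traps:
            trap_hits.add(ip)
        if result == "FAIL":
            fails_per_ip[ip] += 1
            ips_per_user[user].add(ip)
    return {
        "trap_hits": trap_hits,
        "per_ip": {ip for ip, n in fails_per_ip.items() if n >= per_ip_threshold},
        "targeted_users": {u for u, ips in ips_per_user.items() if len(ips) >= distinct_ip_threshold},
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, `per_ip` stays empty while `trap_hits` and `targeted_users` flag the two trap probes and the account hit from three different IPs.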