SMTP security - Multiple RCPT not being blocked

Raise/discuss any potential issues with MailEnable for consideration in project issue register.
Post Reply
Simonjshaw
Posts: 8
Joined: Fri Mar 18, 2022 9:48 am

SMTP security - Multiple RCPT not being blocked

Post by Simonjshaw »

I have Security settings for SMTP service set so that just 5 bad commands should drop the connection.
But my server is being attached by a dictionary attack to discover valid addresses, with multiple RCPT TO commands being tried until one works.
And the connection is not being dropped as it ought to be.

See these attachments for illustration...
SMTPsecurity.png
SMTPsecurity.png (3.17 KiB) Viewed 24760 times
SMTPlog.png
SMTPlog.png (15.48 KiB) Viewed 24760 times
- Is this a problem with ME Professional generally or 10.47 in particular or just my installation?
- Am I missing something from my configuration? I have abuse detection enabled on localhost - not sure what else I should be doing.

Any recommended action? I could send debug log if that helps.

Admin
Site Admin
Posts: 1122
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: SMTP security - Multiple RCPT not being blocked

Post by Admin »

What is the error being returned from the server for the RCPT commands? Not all failures will register as a failed recipient for dropping the connection, such as if they are trying to relay without authentication.

Simonjshaw
Posts: 8
Joined: Fri Mar 18, 2022 9:48 am

Re: SMTP security - Multiple RCPT not being blocked

Post by Simonjshaw »

The server is returning a 550 which should count...

Simonjshaw
Posts: 8
Joined: Fri Mar 18, 2022 9:48 am

Re: SMTP security - Multiple RCPT not being blocked

Post by Simonjshaw »

...and they are trying a dictionary attack on the mailbox name for valid domains hosted on the server. So not relaying - the error is "mailbox unavailable or not local".

Here's a complete log line with the valid domain changed to foo.com:
--
08/29/23 00:44:48 SMTP-IN E33A6E7BFAE044CFBA493E92EDEBB8E0.MAI 1684 218.94.41.218 RCPT RCPT TO:<6ban51x4ob563o@foo.com> 550 Requested action not taken: mailbox unavailable or not local. 67 4140
--
After MAIL FROM each connection keeps trying these until it finds a valid mailbox name, and then disconnects. So it is gathering valid email addresses one by one.

Simonjshaw
Posts: 8
Joined: Fri Mar 18, 2022 9:48 am

Re: SMTP security - Multiple RCPT not being blocked

Post by Simonjshaw »

...sorry for repeat comments - more info...
I notice that the bot is also attempting domains which are not hosted on the server and these attract a 503 no relay without authentication allowed error. Any type of invalid RCPT tried repeatedly during the same conversation really should trigger abuse detection IMHO.

Simonjshaw
Posts: 8
Joined: Fri Mar 18, 2022 9:48 am

Re: SMTP security - Multiple RCPT not being blocked

Post by Simonjshaw »

This has gone very quiet after I answered the initial query.
Meanwhile my server is still being interrogated for valid mailbox addresses using multiple repeated RCPT commands.
Those addresses are then being dictionary-attacked for authentication, and the real user getting locked out (I've had to turn that off).

Please tell me how I can stop this RCPT attack happening?
They should be blocked after five failed commands.

Post Reply