Hacking Attempt - SMTP Server: Authentication failed

Is there a way to block attempts after x number of failures?

I have pages and pages of this on what seems like a weekly basis:

10/09/2009 01:36:07 AM SMTP Server: Authentication failed for user xinjiang ; connecting host 58.63.148.42

10/09/2009 01:36:08 AM SMTP Server: Authentication failed for user xinjiang ; connecting host 58.63.148.42

10/09/2009 01:36:09 AM SMTP Server: Authentication failed for user xinjiang ; connecting host 58.63.148.42

10/09/2009 01:36:10 AM SMTP Server: Authentication failed for user xinjiang ; connecting host 58.63.148.42

10/09/2009 01:36:11 AM SMTP Server: Authentication failed for user xinjiang ; connecting host 58.63.148.42

As you can imagine, the IP address changes with each batch so I can’t isolate the attacks by IP.

Thanks in advance for the help,

Scott.

Subject: SMTP Hacking

I also just went through this same thing. Any way to prevent this type of attack or limit the number of tries based on IP?

Subject: Re: SMTP Hacking

You might consider having some sort of gateway device connected to the internet…with it forwarding email to your Notes environment.

There are special purpose gateway appliances that filter all kinds of nasty stuff before it has a chance to get into your network.

At the very least, you could consider creating your own gateway email server using a cheap Linux box and something like Exim (or Sendmail). They give you the opportunity to have rather fine-grained control over SMTP email.

I’ve never been fond of having a full-function email environment tied directly to the internet.

Subject: SMTP Hacking

I have a gateway device connected which controls Virus and Spam. I don’t think there’s much more we can do other than restricting the abusing IP address.

I guess if it were possible to create a rule that blocks incoming SMTP connections for 30 minutes if:

More than 50 connections from the same IP are attempted within 10 minutes.
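The rule proposed above, run offline over log lines in the format shown in the first post, as an added example that is not part of the thread. It counts authentication failures rather than raw connections (an assumption, since those are the lines the log records), assumes month/day date order, and uses constructed sample data with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+SMTP Server: "
    r"Authentication failed for user (?P<user>.*?) ; connecting host (?P<host>\S+)"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: month/day/year order

def parse_failures(lines):
    """Yield (timestamp, user, host) for each auth-failure line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["user"], m["host"]

def find_blocks(lines, threshold=50, window=timedelta(minutes=10),
                block_for=timedelta(minutes=30)):
    """Return [(host, block_start, block_end)] for hosts exceeding the threshold."""
    recent = defaultdict(deque)   # host -> failure timestamps inside the window
    blocked_until = {}            # host -> end of its current block
    blocks = []
    for ts, _user, host in sorted(parse_failures(lines)):
        if host in blocked_until and ts < blocked_until[host]:
            continue              # already blocked: a gateway would refuse this
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) > threshold:    # "more than 50 ... within 10 minutes"
            blocked_until[host] = ts + block_for
            blocks.append((host, ts, ts + block_for))
            q.clear()
    return blocks

def sample_log():
    """Constructed sample: one noisy host, one quiet host, one unrelated line."""
    start = datetime(2009, 10, 9, 1, 36, 7)
    fmt = "{} SMTP Server: Authentication failed for user {} ; connecting host {}"
    lines = [fmt.format((start + timedelta(seconds=i)).strftime(TS_FORMAT), "test", "203.0.113.7") for i in range(60)]
    lines += [fmt.format((start + timedelta(minutes=i)).strftime(TS_FORMAT), "admin", "198.51.100.9") for i in range(3)]
    lines.append("10/09/2009 01:40:00 AM SMTP Server: Message 00123 received")
    return lines

if __name__ == "__main__":
    for host, begin, end in find_blocks(sample_log()):
        print(f"block {host} from {begin} until {end}")
```

The returned intervals can feed whatever actually enforces the block (firewall rule, gateway deny list); the script itself only reads the log.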

Subject: Re: SMTP Hacking

Here’s an article I found on how you can do exactly what you’re talking about (I think!) with an Exim-based email gateway:

Snippet:

smtp_accept_max = xx

smtp_accept_max_per_connection = xx

smtp_accept_max_per_host = xx