Idea ID: 2854405

SMTP AUTH Failure detection and blocking

Status: New Idea

A long time ago I wrote several scripts to watch the GWAVA SMTP logs and detect SMTP AUTH failures.  It was a bit of a task as the logging for multiple threads is all interlaced.  Specifically, I wanted to know when an SMTP AUTH failure occurs and what the IP of the offending host is.

If you haven't looked through your log files to see how many attempts you have every day in trying to log into your SMTP server, I think you are in for a big surprise.  There can be thousands of these every day.  Basically, hackers get a list of email addresses off the web and then try over and over to log in to a known account using a long list of popular passwords.  I have also seen them try a long list of popular first names multiplied by the same long list of popular passwords.  This happens all the time and is very frequent.  The problem is, pretty much no email gateway or firewall does anything about it.  It's not uncommon to experience very large botnets trying to do this against a single domain.  They can bang on your door all day long and nothing is stopping them...  How many of your users use the same pwd on their mail account as they do on their server logins?

Anyway, my GWAVA script has been running for years quite successfully.  If we see an AUTH FAIL, then the offending IP is pushed up to a black list on our router/firewall and any/all subsequent traffic from that host is barred from entering our network.  If the host has been compromised, then I don't want ANY of its traffic entering my network!  (My users know that if they fat finger an email login they will need to contact me.  However, most email clients store the SMTP credentials internally so this is never really an issue).

I've set up scripts for both GWAVA and POSTFIX and I've used it to push IPs up to a Watchguard firewall as well as locally to an iptables firewall on the host itself.

There is another thread here which states SMG doesn't even support remote AUTH LOGIN for clients in the field.  This is so thoughtless!  (I'm going to get murdered by my users.)  However, we also need a way to trap and reject communications from hosts trying to brute force their way into our SMTP servers.  Shouldn't this be a function performed by a "SECURE Messaging Gateway"?

Labels: Other
  • OK, so now it appears we have SMTP AUTH support (sort of)...

    Why not track SMTP Auth Failures and block traffic from the originating IP?  Let us specify how many failures before an IP address is "blocked" (1), let us specify how long it should be blocked for (2 weeks), and give us the ability to delete IPs off the "Block List".

    How hard could this be to implement?  We already have an IP BlackList we could use...
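As an added illustration of what the original post and the comment above are asking for (this is example code written for this page, not the poster's GWAVA/Postfix scripts and not anything SMG ships), the script below parses Postfix-style `smtpd` log lines for SASL authentication failures, counts failures per source IP across interleaved client threads, blocks an IP once a configurable threshold is reached (default 1, as requested), expires blocks after a configurable duration (default 2 weeks), and supports manual removal from the block list. The log lines are constructed samples, the year is an assumption because syslog timestamps carry none, and the iptables command is returned as a string for review rather than executed:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd syslog format (not real traffic).
# Two client threads (pids 12345 and 12346) are interleaved, as in a real log.
SAMPLE_LOG = """\
Jan 12 03:14:15 mail postfix/smtpd[12345]: connect from unknown[203.0.113.45]
Jan 12 03:14:16 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:16 mail postfix/smtpd[12346]: connect from client.example.net[198.51.100.7]
Jan 12 03:14:17 mail postfix/smtpd[12346]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 12 03:14:18 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:19 mail postfix/smtpd[12346]: 8A1B2C3D4E: client=client.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jan 12 03:14:20 mail postfix/smtpd[12345]: disconnect from unknown[203.0.113.45]
"""

# Matches the Postfix "SASL ... authentication failed" warning and captures the
# syslog timestamp and client IP; lines from other threads simply do not match.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed"
)


def parse_auth_failures(log_text, year=2024):
    """Return a list of (datetime, ip) for every SMTP AUTH failure in log_text.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("ip")))
    return failures


class AuthFailBlocker:
    """Count failures per source IP and block once the threshold is reached.

    threshold=1 and block_duration=14 days mirror the numbers asked for in
    the thread; both are parameters rather than fixed policy.
    """

    def __init__(self, threshold=1, block_duration=timedelta(days=14)):
        self.threshold = threshold
        self.block_duration = block_duration
        self.failures = defaultdict(list)   # ip -> [failure timestamps]
        self.blocked = {}                   # ip -> expiry datetime

    def record(self, ts, ip):
        """Register one failure; return True if this failure triggers a block."""
        if ip in self.blocked:
            return False
        self.failures[ip].append(ts)
        if len(self.failures[ip]) >= self.threshold:
            self.blocked[ip] = ts + self.block_duration
            return True
        return False

    def expire(self, now):
        """Release blocks whose duration has passed; return the released IPs."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
            self.failures.pop(ip, None)
        return released

    def unblock(self, ip):
        """Manual removal from the block list (the 'delete IPs' request)."""
        self.failures.pop(ip, None)
        return self.blocked.pop(ip, None) is not None


def iptables_command(ip, block=True):
    """Build the iptables command that would enforce or lift a host-local block.

    Returned as a string for review or logging; a production script would run
    it with the right privileges, or feed an ipset / firewall API for big lists.
    """
    action = "-I" if block else "-D"
    return f"iptables {action} INPUT -s {ip} -j DROP"


def process_log(log_text, threshold=1, block_duration=timedelta(days=14), year=2024):
    """Run the full pipeline over a log and return the resulting blocker."""
    blocker = AuthFailBlocker(threshold, block_duration)
    for ts, ip in parse_auth_failures(log_text, year):
        if blocker.record(ts, ip):
            print(iptables_command(ip))
    return blocker


if __name__ == "__main__":
    b = process_log(SAMPLE_LOG)
    print("blocked:", sorted(b.blocked))
```

With the default threshold of 1, both sample hosts are blocked on their first failure; raising the threshold to 3 blocks neither, which is the knob that keeps a user who fat-fingers a password from being cut off. Feeding a firewall the same way the poster describes (Watchguard or a router blocklist) would replace `iptables_command` with the vendor's API call.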