Only allow authenticated SMTP through MSA. Block AuthSMTP on port 25.
Only allow authenticated SMTP through MSA. Block all SMTP Authentication Attempts on port 25.
To prevent a lot of spoofed botnet authenticated SMTP hammering I would like a user option in MDaemon to completely disallow authenticated SMTP sessions through port 25 and only allow them through the MSA port (admin configured on/off).
Normal incoming (mailserver->mailserver) traffic is allowed as normal through port 25 but none that includes an attempt to authenticate.
As an addition, an option in Dynamic Screening could be added to blacklist any attempts to send authenticated traffic through port 25.
This could avoid further hammering from botnet highjacked PCs trying a few times.
The problem today is that botnet PCs try 2-4 times per IP, but they use a lot of IPs. Doing so, they avoid blacklisting from failed AuthSMTP from the same IP. Even if MDaemon has other measures they could still hammer a lot and could potentially find a weak password. If I could block it already on the first try and also dynamically blacklist the IP directly, that would minimize the impact of such hammering dramatically.
Best regards
Dan Lundqvist
MRZAZ.COM
Hello,
MDaemon 20.0.0 has been updated to allow you to block all authentication on port 25.
Thanks,
Arron
MIS IT Dept commented
Hello Arron,
May I know how I can do that in MDaemon 20.0.0 in order to block all authentication on port 25? Kindly provide the steps. Thanks
Dan Lundqvist commented
Hi Arron,
I could not stress this enough: this is REALLY NEEDED.
I got hammering botnets trying to guess passwords, freezing accounts on a daily basis. I have already moved the MSA port off to a separate port to minimize the attack vector, but as authenticated sessions are also allowed on 25 and 465 (which I can't change to non-default) there is no way to shield it.
If I could configure to only allow authenticated SMTP on MSA, then the server could just send the offending botnet trying auth SMTP on 25/465 to "Dynamic screening".
Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden
Dan Lundqvist commented
The problem with hammering botnets is a constant pain every day and I really would like you to reconsider implementing this as soon as possible.

You will not be able to block the initial AUTH from each unique botnet IP, but you could stop the session as soon as an AUTH request is detected on port 25 and then directly add it to Dynamic Screening, which will prevent it from connecting again. Usually each botnet IP connects 3-5 times and it tries to authenticate by brute force.

With the above, you will prevent it from even testing the first user/psw (not allowing it to find any valid user/psw through brute force) and block subsequent connections, lowering the hammering from 3-5 to 1 connection. This will lower the burden on the mail server.

Your idea of removing AUTH is, as you said, not good because then you will never detect the AUTH request on the wrong port and it will just try again and again.

Your second example is more what I am after. Of course, a warning could be added when the sysadmin enables this so they are aware of the implications.

Example:

Authentication Failures
danne@xxxxxx.com - Dan Lundqvist
IP              Date                 Protocol
89.248.172.199  2015-10-26 00:16:49  SMTP
94.102.51.96    2015-10-26 00:52:11  SMTP
89.248.172.199  2015-10-26 03:25:20  SMTP
89.248.172.199  2015-10-26 05:00:21  SMTP
89.248.172.199  2015-10-26 06:34:51  SMTP
94.102.51.96    2015-10-26 06:40:37  SMTP
89.248.172.199  2015-10-26 09:45:27  SMTP
89.248.172.199  2015-10-26 11:20:20  SMTP
94.102.51.96    2015-10-26 12:30:32  SMTP
171.96.172.108  2015-10-26 13:37:57  SMTP

In this example, it would have blocked 89.248.172.199 for 5 additional attempts and 94.102.51.96 for 3. But I have seen even more hammering as well. They try to stay under the radar by limiting the amount per IP and spreading out re-attempts from the same IP over time.

Best regards
Dan Lundqvist
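The policy asked for in this thread (AUTH honoured only on the MSA port; an AUTH attempt on port 25 ends the session and puts the client IP straight onto the dynamic-screening list) can be sketched as a small simulation. The block below is an added example written for this page, not MDaemon code or anything from the thread's participants: the port numbers, SMTP response texts, hostname and the 24-hour block duration are assumptions, and the `DynamicScreen` class is a stand-in for the real dynamic-screening feature. It replays the authentication-failure table quoted above to count, per IP, how many later connections would have been refused at connect time, which is the "additional attempts" figure the post reasons about.

```python
"""Simulation of the requested policy: AUTH is honoured only on the MSA port;
any AUTH attempt on port 25 is refused and the client IP is put straight onto a
dynamic-screening block list, so its repeat connections are dropped at connect
time. Added example, not MDaemon code; ports, response texts and block
duration are assumptions."""
from collections import OrderedDict
from datetime import datetime, timedelta

MTA_PORT = 25                    # server-to-server traffic only
MSA_PORT = 587                   # submission port: the only place AUTH is accepted (assumed)
BLOCK_TTL = timedelta(hours=24)  # assumed dynamic-screening block duration


class DynamicScreen:
    """Minimal stand-in for a dynamic-screening block list (ip -> expiry)."""

    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self.blocked = {}

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]     # block has aged out
            return False
        return True

    def block(self, ip, now):
        self.blocked[ip] = now + self.ttl


def on_connect(screen, ip, now):
    """Connect-time check: a blocked IP never reaches the SMTP dialogue."""
    if screen.is_blocked(ip, now):
        return "554 5.7.1 Connection refused (dynamic screening)"
    return "220 mail.example.com ESMTP"   # hostname assumed


def on_auth(screen, ip, port, now):
    """AUTH command handler. On the MSA port the SASL exchange proceeds; on
    any other port the AUTH command itself is the offence: refuse it, block
    the IP, and the caller drops the session."""
    if port == MSA_PORT:
        return "334 "
    screen.block(ip, now)
    return "503 5.5.1 Authentication not permitted on this port"


def parse_failures(log_text):
    """Parse 'ip YYYY-MM-DD HH:MM:SS proto' lines into (ip, timestamp), oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ip, day, clock, _proto = line.split()
        events.append((ip, datetime.fromisoformat(f"{day} {clock}")))
    return sorted(events, key=lambda e: e[1])


def replay(log_text, port=MTA_PORT):
    """Replay the failures against the policy and return, per IP, how many
    connections would have been refused at connect time."""
    screen = DynamicScreen()
    refused = OrderedDict()
    for ip, ts in parse_failures(log_text):
        refused.setdefault(ip, 0)
        if on_connect(screen, ip, ts).startswith("554"):
            refused[ip] += 1           # repeat visit: dropped before AUTH
            continue
        on_auth(screen, ip, port, ts)  # first visit: AUTH refused, IP blocked
    return dict(refused)


# Constructed from the authentication-failure table quoted in the thread.
AUTH_FAILURES = """
89.248.172.199 2015-10-26 00:16:49 SMTP
94.102.51.96 2015-10-26 00:52:11 SMTP
89.248.172.199 2015-10-26 03:25:20 SMTP
89.248.172.199 2015-10-26 05:00:21 SMTP
89.248.172.199 2015-10-26 06:34:51 SMTP
94.102.51.96 2015-10-26 06:40:37 SMTP
89.248.172.199 2015-10-26 09:45:27 SMTP
89.248.172.199 2015-10-26 11:20:20 SMTP
94.102.51.96 2015-10-26 12:30:32 SMTP
171.96.172.108 2015-10-26 13:37:57 SMTP
"""

if __name__ == "__main__":
    for ip, n in replay(AUTH_FAILURES).items():
        print(f"{ip:16} {n} repeat connection(s) refused")
```

The connect-time check is what makes the difference the post describes: once the first AUTH on port 25 has blocked the IP, every later connection from it is refused before any credential is tested, so the attacker gets exactly one probe per IP and zero password guesses.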