Tracking Probe Attacks with separate log files
-
It would be great if MDaemon would create separate log files of probing attacks
and failed login attempts and show the passwords used in failed login attempts
(to get a better idea of other accounts that might have been compromised whose passwords were used).
It would make it much easier to create IP blacklists.
Also create a list of IPs that connect and immediately disconnect.
Here is an example of a probing attack:
Wed 2024-03-20 16:25:41.714: ----------
Wed 2024-03-20 16:43:56.990: Session 00001888; child 0002
Wed 2024-03-20 16:43:56.990: Accepting SMTP connection from 128.14.237.237:57112 to 192.168.1.72:465
Wed 2024-03-20 16:43:56.990: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:43:57.230: SSL negotiation successful (TLS 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Wed 2024-03-20 16:43:57.230: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:43:57 -0400
Wed 2024-03-20 16:43:57.436: * Socket error 590615 - The sender has finished using the connection and has initiated a shutdown.
Wed 2024-03-20 16:43:57.437: SMTP session terminated (Bytes in/out: 419/5664)
Wed 2024-03-20 16:43:57.437: ----------
Wed 2024-03-20 16:43:57.640: Session 00001889; child 0002
Wed 2024-03-20 16:43:57.640: Accepting SMTP connection from 128.14.237.237:57124 to 192.168.1.72:465
Wed 2024-03-20 16:43:57.640: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:43:57.643: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Wed 2024-03-20 16:43:57.643: SMTP session terminated (Bytes in/out: 176/0)
Wed 2024-03-20 16:43:57.643: ----------
Wed 2024-03-20 16:43:56.569: Session 00001887; child 0001
Wed 2024-03-20 16:43:56.569: Accepting SMTP connection from 128.14.237.237:57096 to 192.168.1.72:465
Wed 2024-03-20 16:43:56.569: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:43:56.783: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
Wed 2024-03-20 16:43:56.784: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:43:56 -0400
Wed 2024-03-20 16:43:57.868: * Socket error 590615 - The sender has finished using the connection and has initiated a shutdown.
Wed 2024-03-20 16:43:57.868: SMTP session terminated (Bytes in/out: 388/5631)
Wed 2024-03-20 16:43:57.868: ----------
Wed 2024-03-20 16:43:58.071: Session 00001890; child 0001
Wed 2024-03-20 16:43:58.071: Accepting SMTP connection from 128.14.237.237:56876 to 192.168.1.72:465
Wed 2024-03-20 16:43:58.071: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:44:08.098: Connection closed
Wed 2024-03-20 16:44:08.098: SMTP session terminated (Bytes in/out: 0/0)
Wed 2024-03-20 16:44:08.098: ----------
Wed 2024-03-20 16:44:08.305: Session 00001891; child 0001
Wed 2024-03-20 16:44:08.305: Accepting SMTP connection from 128.14.237.237:58330 to 192.168.1.72:465
Wed 2024-03-20 16:44:08.305: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:44:08.524: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
Wed 2024-03-20 16:44:08.524: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:44:08 -0400
Wed 2024-03-20 16:44:08.525: <-- HELP
Wed 2024-03-20 16:44:08.525: --> 502 5.5.1 Command not implemented
Wed 2024-03-20 16:44:26.735: * Socket error 590615 - The sender has finished using the connection and has initiated a shutdown.
Wed 2024-03-20 16:44:26.736: SMTP session terminated (Bytes in/out: 379/5712)
Wed 2024-03-20 16:44:26.736: ----------
Wed 2024-03-20 16:44:26.951: Session 00001892; child 0001
Wed 2024-03-20 16:44:26.951: Accepting SMTP connection from 128.14.237.237:53186 to 192.168.1.72:465
Wed 2024-03-20 16:44:26.951: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:44:27.163: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
Wed 2024-03-20 16:44:27.163: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:44:27 -0400
Wed 2024-03-20 16:44:27.164: <-- EHLO
Wed 2024-03-20 16:44:27.164: --> 501 5.5.4 Invalid or missing command argument(s)
Wed 2024-03-20 16:44:45.373: * Socket error 590615 - The sender has finished using the connection and has initiated a shutdown.
Wed 2024-03-20 16:44:45.373: SMTP session terminated (Bytes in/out: 379/5727)
Wed 2024-03-20 16:44:45.374: ----------
Wed 2024-03-20 16:44:45.586: Session 00001893; child 0001
Wed 2024-03-20 16:44:45.586: Accepting SMTP connection from 128.14.237.237:35766 to 192.168.1.72:465
Wed 2024-03-20 16:44:45.586: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:44:45.799: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
Wed 2024-03-20 16:44:45.800: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:44:45 -0400
Wed 2024-03-20 16:44:45.800: <-- GET / HTTP/1.1
Wed 2024-03-20 16:44:45.800: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:44:45.800: <-- Host: 35.139.186.27:465
Wed 2024-03-20 16:44:45.800: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:44:45.800: <-- Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Wed 2024-03-20 16:44:45.800: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:44:45.800: <-- User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Wed 2024-03-20 16:44:45.800: Too many errors encountered
Wed 2024-03-20 16:44:45.801: SMTP session terminated (Bytes in/out: 602/5817)
Wed 2024-03-20 16:44:45.801: ----------
Wed 2024-03-20 16:44:46.215: Session 00001894; child 0001
Wed 2024-03-20 16:44:46.215: Accepting SMTP connection from 128.14.237.237:35772 to 192.168.1.72:465
Wed 2024-03-20 16:44:46.215: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:44:46.425: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
Wed 2024-03-20 16:44:46.425: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:44:46 -0400
Wed 2024-03-20 16:44:46.426: <--
Wed 2024-03-20 16:44:46.426: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:44:46.426: <--
Wed 2024-03-20 16:44:46.426: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:45:04.646: * Socket error 590615 - The sender has finished using the connection and has initiated a shutdown.
Wed 2024-03-20 16:45:04.647: SMTP session terminated (Bytes in/out: 377/5763)
Wed 2024-03-20 16:45:04.647: ----------
Wed 2024-03-20 16:45:04.861: Session 00001895; child 0001
Wed 2024-03-20 16:45:04.861: Accepting SMTP connection from 128.14.237.237:53650 to 192.168.1.72:465
Wed 2024-03-20 16:45:04.861: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:04.873: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Wed 2024-03-20 16:45:04.873: SMTP session terminated (Bytes in/out: 203/0)
Wed 2024-03-20 16:45:04.873: ----------
Wed 2024-03-20 16:45:05.281: Session 00001896; child 0001
Wed 2024-03-20 16:45:05.281: Accepting SMTP connection from 128.14.237.237:53662 to 192.168.1.72:465
Wed 2024-03-20 16:45:05.281: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:05.491: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
Wed 2024-03-20 16:45:05.492: --> 220 www.domainunderprobingattack.com ESMTP Wed, 20 Mar 2024 16:45:05 -0400
Wed 2024-03-20 16:45:05.492: <-- GET / HTTP/1.1
Wed 2024-03-20 16:45:05.492: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:45:05.492: <-- Host: 35.139.186.27:465
Wed 2024-03-20 16:45:05.492: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:45:05.492: <-- Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Wed 2024-03-20 16:45:05.492: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:45:05.492: <-- User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Wed 2024-03-20 16:45:05.492: Too many errors encountered
Wed 2024-03-20 16:45:05.493: SMTP session terminated (Bytes in/out: 602/5817)
Wed 2024-03-20 16:45:05.493: ----------
Wed 2024-03-20 16:45:05.913: Session 00001897; child 0001
Wed 2024-03-20 16:45:05.913: Accepting SMTP connection from 128.14.237.237:53666 to 192.168.1.72:465
Wed 2024-03-20 16:45:05.913: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:06.122: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:06.123: SMTP session terminated (Bytes in/out: 442/5044)
Wed 2024-03-20 16:45:06.123: ----------
Wed 2024-03-20 16:45:06.328: Session 00001898; child 0001
Wed 2024-03-20 16:45:06.328: Accepting SMTP connection from 128.14.237.237:53668 to 192.168.1.72:465
Wed 2024-03-20 16:45:06.328: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:06.536: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:06.536: SMTP session terminated (Bytes in/out: 442/5044)
Wed 2024-03-20 16:45:06.536: ----------
Wed 2024-03-20 16:45:06.744: Session 00001899; child 0001
Wed 2024-03-20 16:45:06.744: Accepting SMTP connection from 128.14.237.237:53680 to 192.168.1.72:465
Wed 2024-03-20 16:45:06.744: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:06.747: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Wed 2024-03-20 16:45:06.747: SMTP session terminated (Bytes in/out: 363/0)
Wed 2024-03-20 16:45:06.747: ----------
Wed 2024-03-20 16:45:07.155: Session 00001900; child 0001
Wed 2024-03-20 16:45:07.155: Accepting SMTP connection from 128.14.237.237:53694 to 192.168.1.72:465
Wed 2024-03-20 16:45:07.155: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:07.364: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:07.364: SMTP session terminated (Bytes in/out: 349/5044)
Wed 2024-03-20 16:45:07.364: ----------
Wed 2024-03-20 16:45:07.569: Session 00001901; child 0001
Wed 2024-03-20 16:45:07.569: Accepting SMTP connection from 128.14.237.237:53702 to 192.168.1.72:465
Wed 2024-03-20 16:45:07.569: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:07.787: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:07.787: SMTP session terminated (Bytes in/out: 430/5044)
Wed 2024-03-20 16:45:07.787: ----------
Wed 2024-03-20 16:45:08.005: Session 00001902; child 0001
Wed 2024-03-20 16:45:08.005: Accepting SMTP connection from 128.14.237.237:47298 to 192.168.1.72:465
Wed 2024-03-20 16:45:08.005: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:08.008: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Wed 2024-03-20 16:45:08.008: SMTP session terminated (Bytes in/out: 431/0)
Wed 2024-03-20 16:45:08.009: ----------
Wed 2024-03-20 16:45:08.423: Session 00001903; child 0001
Wed 2024-03-20 16:45:08.423: Accepting SMTP connection from 128.14.237.237:47310 to 192.168.1.72:465
Wed 2024-03-20 16:45:08.423: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:08.643: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:08.643: SMTP session terminated (Bytes in/out: 444/5069)
Wed 2024-03-20 16:45:08.643: ----------
Wed 2024-03-20 16:45:08.851: Session 00001904; child 0001
Wed 2024-03-20 16:45:08.851: Accepting SMTP connection from 128.14.237.237:47318 to 192.168.1.72:465
Wed 2024-03-20 16:45:08.851: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:09.062: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:09.062: SMTP session terminated (Bytes in/out: 444/5069)
Wed 2024-03-20 16:45:09.062: ----------
Wed 2024-03-20 16:45:09.267: Session 00001905; child 0001
Wed 2024-03-20 16:45:09.267: Accepting SMTP connection from 128.14.237.237:47334 to 192.168.1.72:465
Wed 2024-03-20 16:45:09.267: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:09.270: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Wed 2024-03-20 16:45:09.270: SMTP session terminated (Bytes in/out: 434/0)
Wed 2024-03-20 16:45:09.270: ----------
Wed 2024-03-20 16:45:09.680: Session 00001906; child 0001
Wed 2024-03-20 16:45:09.680: Accepting SMTP connection from 128.14.237.237:47346 to 192.168.1.72:465
Wed 2024-03-20 16:45:09.680: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:09.893: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Wed 2024-03-20 16:45:09.893: SMTP session terminated (Bytes in/out: 457/5069)
Wed 2024-03-20 16:45:09.894: ----------
Wed 2024-03-20 16:45:10.103: Session 00001907; child 0001
Wed 2024-03-20 16:45:10.103: Accepting SMTP connection from 128.14.237.237:47356 to 192.168.1.72:465
Wed 2024-03-20 16:45:10.103: Location Screen says connection is from United States, North America
Wed 2024-03-20 16:45:28.110: Connection closed
Wed 2024-03-20 16:45:28.110: SMTP session terminated (Bytes in/out: 0/0)
Wed 2024-03-20 16:45:28.111: ----------
-
Arron Staff
Hello,
The current version of MDaemon should already be creating a failed authentication log. If you don't have a failed authentication log, what version of MDaemon are you using?
We are not logging the password that was used in the failed authentication and we do not intend to add this functionality.
While we do not currently have the ability to detect "probing" attacks, there are a number of features that may be able to help you block the connections.
In the example provided there were 21 connections in about 92 seconds. Depending on your environment, you may be able to use the option for Block IPs that connect more than X times in Y minutes. Security / Screening / SMTP Screening.
On the same page you can also configure the options to block IPs that send X RSETs and Block IPs that cause this many failed RCPTs. None of the sessions in the log show any failed RCPTs or RSET commands, but it's not a stretch to think that a probing connection may do these things.
The connecting IP address doesn't have a valid PTR record. You could enable the options for Perform PTR lookup on inbound SMTP connections and Send 501 and close connection if no PTR record exists. This would have blocked all of the connections in the example. You should not check the box to exempt authenticated connections, as this delays the action until after the connection has had the opportunity to authenticate.
We'll look into additional features that may help to detect and block these probing connections.
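The original poster asks for a list of IPs that connect and immediately disconnect, and the staff reply points at the "block IPs that connect more than X times in Y minutes" rule. Until the product does this itself, the same information can be pulled out of the existing SMTP log. The script below is an added example, not MDaemon code and not from either poster: it groups log lines of the format quoted above into sessions, labels each one (TLS handshake failed, connected and dropped without sending a command, sent something that is not SMTP such as an HTTP request, or spoke SMTP), and then applies a sliding-window rate check per source IP. The sample log is constructed in the same format as the post's excerpt, using RFC 5737 test addresses; the field names, the label set, the SMTP verb list and the "exceeded" semantics of the rate rule are this example's own choices and are not claims about how MDaemon's screening option counts connections.

```python
"""Group MDaemon-style SMTP log lines into sessions, classify each session, and
flag source IPs that look like probing. Added example, not MDaemon code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log quoted in the post (RFC 5737 test addresses).
SAMPLE_LOG = """\
Wed 2024-03-20 16:43:56.990: Session 00001888; child 0002
Wed 2024-03-20 16:43:56.990: Accepting SMTP connection from 203.0.113.5:57112 to 192.168.1.72:465
Wed 2024-03-20 16:43:57.230: SSL negotiation successful (TLS 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Wed 2024-03-20 16:43:57.230: --> 220 mail.example.test ESMTP Wed, 20 Mar 2024 16:43:57 -0400
Wed 2024-03-20 16:43:57.436: * Socket error 590615 - The sender has finished using the connection and has initiated a shutdown.
Wed 2024-03-20 16:43:57.437: SMTP session terminated (Bytes in/out: 419/5664)
Wed 2024-03-20 16:43:57.437: ----------
Wed 2024-03-20 16:43:57.640: Session 00001889; child 0002
Wed 2024-03-20 16:43:57.640: Accepting SMTP connection from 203.0.113.5:57124 to 192.168.1.72:465
Wed 2024-03-20 16:43:57.643: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Wed 2024-03-20 16:43:57.643: SMTP session terminated (Bytes in/out: 176/0)
Wed 2024-03-20 16:43:57.643: ----------
Wed 2024-03-20 16:44:45.586: Session 00001893; child 0001
Wed 2024-03-20 16:44:45.586: Accepting SMTP connection from 203.0.113.5:35766 to 192.168.1.72:465
Wed 2024-03-20 16:44:45.800: <-- GET / HTTP/1.1
Wed 2024-03-20 16:44:45.800: --> 500 5.0.0 Unrecognized command
Wed 2024-03-20 16:44:45.801: SMTP session terminated (Bytes in/out: 602/5817)
Wed 2024-03-20 16:44:45.801: ----------
Wed 2024-03-20 16:45:10.103: Session 00001907; child 0001
Wed 2024-03-20 16:45:10.103: Accepting SMTP connection from 203.0.113.5:47356 to 192.168.1.72:465
Wed 2024-03-20 16:45:28.110: Connection closed
Wed 2024-03-20 16:45:28.110: SMTP session terminated (Bytes in/out: 0/0)
Wed 2024-03-20 16:45:28.111: ----------
Wed 2024-03-20 16:45:30.000: Session 00001908; child 0001
Wed 2024-03-20 16:45:30.000: Accepting SMTP connection from 198.51.100.9:40000 to 192.168.1.72:465
Wed 2024-03-20 16:45:30.201: <-- EHLO relay.example.test
Wed 2024-03-20 16:45:31.000: <-- QUIT
Wed 2024-03-20 16:45:31.001: SMTP session terminated (Bytes in/out: 120/300)
Wed 2024-03-20 16:45:31.001: ----------
"""

LINE_RE = re.compile(r"^\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
CONN_RE = re.compile(r"Accepting SMTP connection from (\d+(?:\.\d+){3}):\d+ to ")
END_RE = re.compile(r"SMTP session terminated \(Bytes in/out: (\d+)/(\d+)\)")
# Verbs a client that actually speaks SMTP would send first. HELP is kept even though
# the server answers it with 502; it is still an SMTP verb, unlike "GET / HTTP/1.1".
SMTP_VERBS = {"HELO", "EHLO", "STARTTLS", "AUTH", "MAIL", "RCPT", "DATA", "RSET",
              "NOOP", "QUIT", "VRFY", "HELP"}


def parse_sessions(text):
    """Split the log into one dict per 'Session NNNN' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if msg.startswith("Session "):
            cur = {"start": ts, "end": None, "ip": None, "commands": [],
                   "tls_error": False, "bytes_in": 0, "bytes_out": 0}
            sessions.append(cur)
        elif cur is None:
            continue                      # text before the first session header
        elif (c := CONN_RE.search(msg)):
            cur["ip"] = c.group(1)
        elif msg.startswith("<--"):       # client line; may be empty (a bare "<--")
            cur["commands"].append(msg[3:].strip())
        elif msg.startswith("* SSL error"):
            cur["tls_error"] = True       # no common cipher, or client reset mid-handshake
        elif (e := END_RE.search(msg)):
            cur["end"], cur["bytes_in"], cur["bytes_out"] = ts, int(e.group(1)), int(e.group(2))
    return sessions


def classify(session):
    """Label one session by what the client did after connecting."""
    if session["tls_error"]:
        return "tls_handshake_failed"
    if not session["commands"]:
        return "connect_and_disconnect"   # banner (or nothing) sent, then the client dropped
    verb = session["commands"][0].split(" ", 1)[0].upper()
    return "smtp" if verb in SMTP_VERBS else "non_smtp_probe"


def summarize(sessions, max_conns=10, window_minutes=1):
    """Per-IP counts plus a sliding-window check for 'more than X connections in Y minutes'."""
    per_ip = defaultdict(lambda: {"total": 0, "smtp": 0, "non_smtp_probe": 0,
                                  "connect_and_disconnect": 0, "tls_handshake_failed": 0,
                                  "rate_exceeded": False})
    starts = defaultdict(list)
    for s in sessions:
        if s["ip"] is None:
            continue
        per_ip[s["ip"]]["total"] += 1
        per_ip[s["ip"]][classify(s)] += 1
        starts[s["ip"]].append(s["start"])
    window = window_minutes * 60
    for ip, ts in starts.items():
        ts.sort()    # child threads interleave, so session order is not time order
        j = 0
        for i in range(len(ts)):
            while (ts[i] - ts[j]).total_seconds() > window:
                j += 1
            if i - j + 1 > max_conns:
                per_ip[ip]["rate_exceeded"] = True
                break
    return dict(per_ip)


def blocklist_candidates(summary, min_sessions=3):
    """IPs that tripped the rate rule or never spoke SMTP across several sessions."""
    return sorted(ip for ip, c in summary.items()
                  if c["rate_exceeded"] or (c["smtp"] == 0 and c["total"] >= min_sessions))


if __name__ == "__main__":
    report = summarize(parse_sessions(SAMPLE_LOG), max_conns=3, window_minutes=2)
    for ip, counts in report.items():
        print(ip, counts)
    print("candidates:", blocklist_candidates(report))
```

Run it against a real SMTP log by replacing SAMPLE_LOG with the file contents; the 21 sessions in the post would all land in the three non-SMTP buckets for one IP. Thresholds are deliberate parameters, because a legitimate relay that retries after a transient failure also opens several connections in a short window, so a candidate list is a starting point for review rather than an automatic block.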