Dan Lundqvist

My feedback

  1. 3 votes

    Hello,

    Thanks for sharing your idea with us to disable authentication on port 25. I'm concerned that administrators may not fully understand the consequences of enabling such an option, such as preventing users from being able to send email on port 25. The easiest way to prevent authentication attempts would be to remove AUTH from the list of valid commands, but this would not stop botnets from hammering your server. If you left AUTH in the list of commands, then you could block IPs that attempt to authenticate, but valid clients would expect to be able to authenticate and would instead get their IP blocked. There are a lot of potential problems with this; however, it will be considered for future versions.

    Thanks,
    Arron

    Dan Lundqvist commented  · 

    Hi Arron,

    I cannot stress enough that this is REALLY NEEDED.
    I have botnets hammering the server trying to guess passwords and freezing accounts on a daily basis.

    I have already moved the MSA port to a separate port to minimize the attack vector, but as authenticated sessions are also allowed on 25 and 465 (which I can't change from the defaults), there is no way to shield it.

    If I could configure the server to only allow authenticated SMTP on the MSA port, then it could just send the offending botnet trying authenticated SMTP on 25/465 to "Dynamic screening".

    Dan Lundqvist
    MRZAZ.COM
    Stockholm, Sweden

    Dan Lundqvist supported this idea  · 
    Dan Lundqvist commented  · 

    The problem with hammering botnets is a constant pain every day, and I would
    really like you to reconsider implementing this as soon as possible.

    You will not be able to block the initial AUTH from each unique botnet IP,
    but you could stop the session as soon as an AUTH request is detected on port 25
    and then directly add it to DynamicScreening, which will prevent it from
    connecting again. Usually each botnet IP connects 3-5 times and tries
    to authenticate by brute force.

    With the above, you will prevent it from even testing the first user/psw
    (not allowing it to find any valid user/psw through brute force) and block
    subsequent connections, lowering the hammering from 3-5 connections to 1.
    This will lower the burden on the mail server.

    Your idea of removing AUTH is, as you said, not good, because then you
    will never detect the AUTH request on the wrong port and it will just try
    again and again.

    Your second example is more what I am after. Of course, a warning could
    be added when the sysadmin enables this so they are aware of the implications.

    Example:
    Authentication Failures
    danne@xxxxxx.com - Dan Lundqvist

    IP              Date        Time      Protocol
    89.248.172.199  2015-10-26  00:16:49  SMTP
    94.102.51.96    2015-10-26  00:52:11  SMTP
    89.248.172.199  2015-10-26  03:25:20  SMTP
    89.248.172.199  2015-10-26  05:00:21  SMTP
    89.248.172.199  2015-10-26  06:34:51  SMTP
    94.102.51.96    2015-10-26  06:40:37  SMTP
    89.248.172.199  2015-10-26  09:45:27  SMTP
    89.248.172.199  2015-10-26  11:20:20  SMTP
    94.102.51.96    2015-10-26  12:30:32  SMTP
    171.96.172.108  2015-10-26  13:37:57  SMTP

    In this example, it would have blocked 89.248.172.199 for 5 additional attempts and 94.102.51.96 for 3.
    But I have seen even more hammering as well. They try to stay under the radar
    by limiting the number of attempts per IP and spreading out re-attempts from the
    same IP over time.

    Best regards
    Dan Lundqvist

    Dan Lundqvist shared this idea  · 
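The policy discussed in this thread (Arron's second option and Dan's refinement of it: leave AUTH in the command list, but on any port other than the MSA/submission port answer the first AUTH with an error, drop the session before a password is ever checked, and put the client IP on the dynamic-screening list so its later connections are refused outright) can be simulated in a few dozen lines. The block below is an added example written for this page; it is not the mail server's own code and was not posted by either participant. The port numbers, reply texts and the bot's command sequence are assumptions; the authentication-failure log is the one from the comment above, embedded as constructed input so the replay runs offline.

```python
"""Simulate 'AUTH only on the MSA port, screen everyone else who tries it'.

Added example; not the server's code. Ports, reply strings and the bot's
command sequence are assumptions.
"""
from collections import Counter

MSA_PORT = 587                  # assumed: the dedicated submission port
AUTH_ALLOWED_PORTS = {MSA_PORT}  # AUTH is honoured here and nowhere else


class DynamicScreen:
    """Minimal stand-in for a dynamic-screening blocklist."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)

    def is_blocked(self, ip):
        return ip in self.blocked


def handle_session(screen, ip, port, commands):
    """Return the SMTP replies one client session would receive.

    A screened IP is refused before the greeting. An AUTH verb on a port
    where authentication is not allowed gets a 530, the IP is screened and
    the connection is closed; no credential is ever examined, so the first
    guess is never tested. On the MSA port AUTH proceeds normally.
    """
    if screen.is_blocked(ip):
        return ["554 5.7.1 Connection refused (dynamic screening)"]
    replies = ["220 mail.example.test ESMTP"]
    for cmd in commands:
        verb = cmd.split(None, 1)[0].upper()
        if verb == "AUTH":
            if port not in AUTH_ALLOWED_PORTS:
                replies.append("530 5.7.0 Authentication not permitted on this port")
                replies.append("421 4.7.0 Closing connection")
                screen.block(ip)
                break
            # AUTH LOGIN's "Username:" challenge; the credential check would follow.
            replies.append("334 VXNlcm5hbWU6")
            continue
        replies.append("250 OK")  # other verbs are accepted; only the AUTH gate is modelled
    return replies


# Log copied from the comment above: IP, date, time, protocol per line.
AUTH_FAILURE_LOG = """\
89.248.172.199 2015-10-26 00:16:49 SMTP
94.102.51.96 2015-10-26 00:52:11 SMTP
89.248.172.199 2015-10-26 03:25:20 SMTP
89.248.172.199 2015-10-26 05:00:21 SMTP
89.248.172.199 2015-10-26 06:34:51 SMTP
94.102.51.96 2015-10-26 06:40:37 SMTP
89.248.172.199 2015-10-26 09:45:27 SMTP
89.248.172.199 2015-10-26 11:20:20 SMTP
94.102.51.96 2015-10-26 12:30:32 SMTP
171.96.172.108 2015-10-26 13:37:57 SMTP
"""

BOT_COMMANDS = ["EHLO bot.invalid", "AUTH LOGIN"]  # assumed bot behaviour


def replay_log(log, port=25):
    """Replay every logged attempt as a session against `port`.

    Returns (attempts, refused): per-IP counts of connections made and of
    connections the screen would have refused before the banner.
    """
    screen = DynamicScreen()
    attempts, refused = Counter(), Counter()
    for line in log.splitlines():
        ip = line.split()[0]
        attempts[ip] += 1
        if handle_session(screen, ip, port, BOT_COMMANDS)[0].startswith("554"):
            refused[ip] += 1
    return attempts, refused


if __name__ == "__main__":
    attempts, refused = replay_log(AUTH_FAILURE_LOG)
    for ip in attempts:
        reached = attempts[ip] - refused[ip]
        print(f"{ip:16} {attempts[ip]} connections, {refused[ip]} refused, "
              f"{reached} reached the AUTH gate")
```

Replaying the log against port 25 shows the effect Dan describes: each offending IP gets exactly one session that reaches AUTH (and is dropped before a password is checked), and every later connection from it is refused at connect time. Replaying the same log against the MSA port screens nobody, which is the point of gating the rule on the port rather than on the AUTH verb alone. It also makes Arron's caveat concrete: a legitimate client still configured to authenticate on port 25 would be screened by the same rule on its first attempt, so this only makes sense as an explicit opt-in setting with a clear warning.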
  2. 2 votes
    Dan Lundqvist supported this idea  · 
    Dan Lundqvist shared this idea  · 
  3. 2 votes
    Dan Lundqvist shared this idea  · 
  4. 172 votes
    Dan Lundqvist commented  · 

    The big advantage with MD IS the easy handling of mails (including backup),
    as all are stored as files. PLEASE DO NOT REMOVE THIS!!!
    Or at least have 2 options: either DB or flat files.

    Best regards
    Dan Lundqvist
    Stockholm, Sweden
    MRZAZ.COM

  5. 1 vote
    Dan Lundqvist shared this idea  · 
