08-10-2022 06:56 AM
The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet. Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't matter as the next attempt comes from a different IP address.
Can someone suggest a custom signature, or a modification to the existing SMTP signature, to stop these types of attempts (blacklist the IP)? The accounts eventually lock out as a result.
The second scenario is login attempts against usernames that no longer exist... I'd love to maintain a list of ex-employees and then blacklist any IP which tries to authenticate against one of them.
08-24-2022 04:59 AM - edited 08-24-2022 05:28 AM
I have not done this for SMTP, just for HTTP with web form authentication, where I matched on the parameter name and the server login page response content (Successful or Failed), but maybe with the context "smtp-req-protocol-payload" you can match the "AUTH LOGIN" command, and after that you will need to check the SMTP response for a message like "auth failed" or "user does not exist".
For more about SMTP auth maybe see:
https://mailtrap.io/blog/smtp-auth/
Also, after you have matched the correct SMTP request body with the auth command and the SMTP response, you will need to make a combination signature to block the IP address if it gets the SMTP response for failed auth after maybe 5 attempts in 30 minutes:
--------
Also, it is better for the signature to have scope session, as we want to match the SMTP request command and the SMTP response payload. Maybe see the link below to get the idea:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0
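The logic the reply sketches (pair the client's AUTH LOGIN with the server's failure reply, count failures per source in a 30-minute window, act after 5) is easier to reason about in plain code before it is turned into a PAN-OS signature. The following is an added example written for this thread, not code from the poster or from Palo Alto Networks: it parses constructed SMTP session transcripts (RFC 4954 AUTH LOGIN, where the username is the base64 answer to the server's `334 VXNlcm5hbWU6` prompt and the outcome is a `235` or `535` reply), keeps the reply's per-IP threshold, and goes one step further by also counting failures per target username, since a per-IP rule never fires in the question's scenario where every attempt comes from a different address. The departed-user list (`EX_EMPLOYEES`), the IP addresses, the usernames and the timestamps are all constructed sample values.

```python
"""Added example (not from the thread or PAN-OS): SMTP AUTH failure tracking
over constructed session transcripts, mirroring the rule described in the reply."""
import base64
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed AUTH per key before acting (from the reply)
WINDOW = timedelta(minutes=30)  # sliding window (from the reply)
EX_EMPLOYEES = {"jdoe", "asmith"}      # constructed stand-in for the departed-user list
USERNAME_CHALLENGE = "VXNlcm5hbWU6"    # base64("Username:"), the AUTH LOGIN prompt


def _b64_text(token):
    """Decode a base64 SMTP AUTH token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:           # binascii.Error is a ValueError subclass
        return None


def parse_auth_login(transcript):
    """Return (username, reply_code) for the AUTH LOGIN exchange in one session.

    transcript: list of "C: ..." / "S: ..." lines. The username is the client's
    base64 answer to '334 VXNlcm5hbWU6' (or the optional initial response on the
    AUTH LOGIN line); reply_code is '235' (accepted) or '535' (credentials
    invalid). Returns None when the session carried no AUTH LOGIN command."""
    username = reply = None
    saw_auth = expecting_user = False
    for line in transcript:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C" and text.upper().startswith("AUTH LOGIN"):
            saw_auth = True
            initial = text[len("AUTH LOGIN"):].strip()
            if initial:                      # "AUTH LOGIN <base64 user>" form
                username = _b64_text(initial)
        elif side == "C" and expecting_user:
            username, expecting_user = _b64_text(text), False
        elif side == "S" and saw_auth:
            if text.startswith("334") and text[3:].strip() == USERNAME_CHALLENGE:
                expecting_user = True
            elif text[:3] in ("235", "535"):
                reply = text[:3]
    return (username, reply) if saw_auth else None


class AuthFailureTracker:
    """Sliding-window counters of 535 replies per source IP (the reply's block
    rule) and per target username (catches the one-attempt-per-IP pattern)."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW, ex_employees=EX_EMPLOYEES):
        self.threshold, self.window = threshold, window
        self.ex_employees = set(ex_employees)
        self._by_ip = defaultdict(deque)     # src_ip -> timestamps of 535 replies
        self._by_user = defaultdict(deque)   # username -> timestamps of 535 replies
        self.blocked_ips = {}                # src_ip -> reason
        self.users_under_attack = set()

    def _bump(self, table, key, ts):
        """Record a failure for key and report whether the window threshold is met."""
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold

    def observe(self, ts, src_ip, transcript):
        """Classify one session as 'ignore', 'allow', 'fail' or 'block'."""
        parsed = parse_auth_login(transcript)
        if parsed is None:
            return "ignore"
        username, reply = parsed
        if username in self.ex_employees:    # second scenario: account should not exist
            self.blocked_ips[src_ip] = f"AUTH as departed user {username}"
            return "block"
        if reply != "535":
            return "allow" if reply == "235" else "ignore"
        if username is not None and self._bump(self._by_user, username, ts):
            self.users_under_attack.add(username)
        if self._bump(self._by_ip, src_ip, ts):
            self.blocked_ips[src_ip] = f"{self.threshold}+ failed AUTH within {self.window}"
            return "block"
        return "fail"


def _session(user, ok):
    """Constructed AUTH LOGIN transcript; the password value plays no role."""
    def enc(s):
        return base64.b64encode(s.encode()).decode()
    final = "235 2.7.0 Authentication successful" if ok else "535 5.7.8 Authentication credentials invalid"
    return ["C: AUTH LOGIN", f"S: 334 {USERNAME_CHALLENGE}", f"C: {enc(user)}",
            "S: 334 UGFzc3dvcmQ6", f"C: {enc('not-a-real-password')}", f"S: {final}"]


def run_demo():
    """Constructed traffic: one IP failing 6 times against 'mbrown'; six different
    IPs failing once each against 'rlee' (the pattern from the question); one
    attempt as departed user 'jdoe'; one genuine login."""
    tr = AuthFailureTracker()
    t0 = datetime(2022, 8, 10, 6, 0)
    out = []
    for i in range(6):
        out.append(tr.observe(t0 + timedelta(minutes=i), "198.51.100.7", _session("mbrown", False)))
    for i in range(6):
        out.append(tr.observe(t0 + timedelta(minutes=10 + i), f"203.0.113.{i + 1}", _session("rlee", False)))
    out.append(tr.observe(t0 + timedelta(minutes=20), "203.0.113.50", _session("jdoe", False)))
    out.append(tr.observe(t0 + timedelta(minutes=21), "192.0.2.4", _session("mbrown", True)))
    return out, tr


if __name__ == "__main__":
    verdicts, tracker = run_demo()
    print(verdicts)
    print("blocked IPs:", tracker.blocked_ips)
    print("accounts under attack:", tracker.users_under_attack)
```

Running it shows the two halves of the problem side by side: the single-source attacker is blocked on its fifth failure, while the six single-attempt sources against `rlee` never reach the per-IP threshold and only surface through the per-username counter. That is the practical caveat for a signature built on the reply's approach: a "block the IP" action alone does not stop the distributed case, so the per-account signal should feed an alert or throttle on the targeted account as well.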
10-13-2022 02:19 PM
If you managed to get the needed answers, please flag the question as answered.
10-13-2022 03:47 PM
Sorry, I'm slow... I haven't had time to investigate your proposed solution.
11-02-2022 11:36 AM
I may soon create a POST with an example for Brute Force match on HTTP web page web form that can help you out with the SMTP stuff as I also became interested in the results 🙂