The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet. Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't matter as the next attempt comes from a different IP address.
Can someone suggest a custom signature, or a modification to the existing SMTP signature, to stop these types of attempts (blacklist the IP)? The accounts eventually lock out as a result.
Second scenario is login attempts against usernames that no longer exist... I'd love to maintain a list of ex-employees and then blacklist any IP which tries to authenticate against one of them.
I have not done this for SMTP, just for HTTP with web form authentication, where I matched based on parameter name and the server login page response content (Successful or Failed), but maybe with the context "smtp-req-protocol-payload" you can match the "AUTH LOGIN" command, and after that you will need to check the SMTP response for a message like "auth failed" or "user does not exist".
For more about SMTP auth maybe see:
Also, after you have matched the correct SMTP request body with the auth command and the SMTP response, you will need to make a combination signature to block the IP address if it gets the SMTP response for failed auth after maybe 5 attempts in 30 minutes:
Also, it is better for the signature to have scope session, as we want to match the SMTP request command and the SMTP response payload. Maybe see the link below to get the idea:
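The combined logic the answer describes (match AUTH LOGIN, then the failed-auth reply, then block after 5 failures in 30 minutes), replayed over a constructed SMTP session transcript in Python as an added illustration; this is not a PAN-OS signature and not code from the thread. Because the attempts arrive from many source IPs, the counter is keyed by username rather than by source, and a probe against a retired account (the asker's second scenario) blocks the source immediately; the IPs, timestamps and ex-employee list are constructed.

```python
import base64
from collections import defaultdict, deque

WINDOW = 30 * 60      # 30-minute window from the answer above
THRESHOLD = 5         # failed attempts per username before blocking
EX_EMPLOYEES = {"former.user"}   # constructed list of retired accounts

def auth_login_lines(ts, ip, user, reply):
    """Construct one AUTH LOGIN exchange as (ts, src_ip, side, text) tuples."""
    b64_user = base64.b64encode(user.encode()).decode()
    return [(ts, ip, "C", "AUTH LOGIN"),
            (ts, ip, "S", "334 VXNlcm5hbWU6"),    # base64("Username:")
            (ts, ip, "C", b64_user),
            (ts, ip, "S", "334 UGFzc3dvcmQ6"),    # base64("Password:")
            (ts, ip, "C", "<password omitted>"),
            (ts, ip, "S", reply)]

def detect(lines):
    """Replay session lines in order; return {src_ip: reason} to blacklist."""
    awaiting_user = set()           # ips that were just sent the Username: challenge
    pending = {}                    # ip -> username awaiting the server verdict
    failures = defaultdict(deque)   # username -> (ts, ip) of recent failures
    block = {}
    for ts, ip, side, text in lines:
        if side == "S" and text.startswith("334 VXNlcm5hbWU6"):
            awaiting_user.add(ip)
        elif side == "C" and ip in awaiting_user:
            awaiting_user.discard(ip)
            user = base64.b64decode(text).decode(errors="replace")
            pending[ip] = user
            if user in EX_EMPLOYEES:        # scenario 2: retired account probed
                block[ip] = f"auth attempt against ex-employee {user}"
        elif side == "S" and text.startswith("535") and ip in pending:
            user = pending.pop(ip)
            q = failures[user]
            q.append((ts, ip))
            while ts - q[0][0] > WINDOW:    # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD:         # scenario 1: distributed brute force
                for _, src in q:
                    block.setdefault(src, f"{len(q)} failed logins for {user} in 30 min")
    return block

# Constructed sample: six failures for "jdoe" from six different IPs, one probe
# against a retired account, and one successful login that must not be blocked.
FAIL = "535 5.7.8 Authentication credentials invalid"
SAMPLE = []
for i in range(6):
    SAMPLE += auth_login_lines(1000 + 60 * i, f"203.0.113.{i + 1}", "jdoe", FAIL)
SAMPLE += auth_login_lines(1500, "198.51.100.7", "former.user", FAIL)
SAMPLE += auth_login_lines(1600, "192.0.2.9", "alice", "235 2.7.0 Authentication successful")
```

Calling `detect(SAMPLE)` returns every source that took part in the distributed run against "jdoe" plus the one that probed the retired account, while the successful login stays untouched.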