SMTP Failures (smtpauth) -dovecot_plain authenticator failed

[HappymanUK]

Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.

These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

The site is running cPanel and the sites on the server send out e-mail, but any mail clients are set to send out e-mails via our own ISP (rather than via the server).

Is there a way to block access to any remote connections trying to send e-mail out using the server this way ?

I'm concerned about the number of attempts being received.

Any comments/advise appreciated.

Thanks
Daniel

 

[cPanelPeter]

Hello,

Have you followed the steps outlined in How to Prevent Email Abuse yet?

 

[HappymanUK]

Hello,

Have you followed the steps outlined in How to Prevent Email Abuse yet?

Thanks - I've had a look at the link but cannot see anything with regards to this (unless I've missed something).

Thanks again,

Daniel

 

[cPanelMichael]

Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.

Could you clarify what specific emails you are receiving? For instance, are they notifications from a third-party application, or are these failed delivery bounces?

Thank you.

 

[HappymanUK]

Sorry,

I have re-read my posted message and agree it doesn't make sense.

These are the e-mails from my firewall (Configserver Firewall) to confirm that an attempt to login via smtpauth has failed - brute force attacks.

It isn't the e-mails themselves to me I want to block, but hoping there is a way to stop SMTP going through the server unless it is from within the server itself (if that makes sense).

For info - Here is an example of the firewall blocked e-mails (All from different countries and IP addresses):

Time: Wed May 21 13:34:40 2014 +0100
IP: 116.73.48.72 (IN/India/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2014-05-21 12:50:28 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
2014-05-21 12:50:34 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
2014-05-21 12:50:41 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data ([email protected])
2014-05-21 12:50:52 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data ([email protected])
2014-05-21 13:34:38 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:51028: 535 Incorrect authentication data (set_id=support)

Thanks
Daniel

 

[cPanelMichael]

I suggest blocking the IP addresses in your firewall, and using a brute force detection application such as cPHulk:

"WHM Home » Security Center » cPHulk Brute Force Protection"

Thank you.

 

[HappymanUK]

Thanks for your fast reply.

I'm already doing both of those, but I'm getting around 10-20 different IP addresses every couple of minutes.

As mail clients shouldn't be sending out e-mails via SMTP through the server (only the server itself should be able to e-mail out), is there a way to block access to any remote connections trying to send e-mail out using the server this way ?

Thanks again,

Daniel

 

[cPanelMichael]

There are no native features in WHM that will reject SMTP authentication attempts from all external IP addresses. You would have to configure a custom Exim ACL to implement this type of rule. Or, you could block an entire country (If all IPs originate from it) using CSF as this might be easier than attempting to block the individual IP addresses.

Thank you.

 

[HappymanUK]

Thanks for your reply - It is appreciated.

Can SMTP just be disabled (or disabled on port 25) ? - Or would that cause complications ?

Unfortunately the IP addresses are rarely from the same country - I've had them from almost every country I can think of.

Thanks
Daniel

 

[cPanelMichael]

You may find this thread helpful:

Disable SMTP Authentication

There is discussion of disabling SMTP, and links to another thread with manual workarounds suggested.

Thank you.