I'm running Exchange 2003 SP2. Every so often, I see long strings of illegal login attempts over the SMTP virtual server. The attacker uses random user names for the login attempts, and an attempt is made every 2 to 3 seconds over a period of an hour or more. I have confirmed that the attacker is targeting the SMTP virtual server; when I stopped the SMTP service on Exchange, the attacks stopped.
I have enabled extended logging for the SMTP Virtual Server, but the logs do NOT show any of the illegal login attempts. Hence, I can't even identify the attacker's IP address so I can block it.
I'd love to sign up for an outsourced mail security service which would filter out viruses, spam and attackers. However, we don't have the money in our budget to do it this year.
What other remedies do I have? Is there a way to configure the SMTP server to temporarily stop accepting login attempts from an external source after, say, 5 failed login attempts? Is there a good SMTP proxy device or software which can do this? I do have a SonicWall 2040 Pro, but I don't believe it has these capabilities.
Any suggestions will be appreciated!