Preventing illegal login attempts over Exchange 2003 SMTP virtual server

I'm running Exchange 2003 SP2.  Every so often, I see long strings of illegal login attempts over the SMTP virtual server.  The attacker uses random user names for the login attempts, and an attempt is made every 2 to 3 seconds over a period of an hour or more.  I have confirmed that the attacker is targeting the SMTP virtual server; when I stopped the SMTP service on Exchange, the attacks stopped.

I have enabled extended logging for the SMTP Virtual Server, but the logs do NOT show any of the illegal login attempts.  Hence, I can't even identify the attacker's IP address so I can block it.

I'd love to sign up for an outsourced mail security service which would filter out viruses, spam and attackers.  However, we don't have the money in our budget to do it this year.

What other remedies do I have?  Is there a way to configure the SMTP server to temporarily stop accepting login attempts from an external source after, say, 5 failed login attempts?  Is there a good SMTP proxy device or software which can do this?  I do have a Sonicwall 2040 Pro, but I don't believe it has these capabilities.

Any suggestions will be appreciated!
2 Solutions
I am using a Watchguard XTM21 which does "intrusion detection". I have noticed that my FTP attacks have stopped, and would think that it would handle the SMTP attack in the same manner.
Paul Solovyovsky Commented:
The Watchguard will do a good job, but you may also make sure that all your accounts have strong passwords, and if your users don't authenticate (OWA, RPC/HTTP, ActiveSync, IMAP, POP) you can turn these services off; it can try to authenticate all it wants, but it will not be able to get access.
The OP never said they got in. It's the attempt that would actually act like a denial of service, since the server is so busy checking validation. That's why a perimeter firewall/intrusion protection was recommended.
Paul Solovyovsky Commented:
Missed that. This is why strong passwords are critical; most of the time they get in on a service account like temp/temp. Seen it too often.

guardian8xxx Author Commented:
Thanks for the responses so far.  We do have a policy that requires strong passwords, and users must change passwords frequently.  I've also renamed our admin account.

Spoke to Sonicwall tech support (after waiting on hold for 30 minutes listening to freaking Enya) and they said that my Pro 2040's Intrusion Prevention Service will not recognize these attempted break-ins as an attack.  Rather, their advice was to identify the attacker's IP address via the firewall logs and then block the IP address.

In other words, they have no solution.  Even if I blocked the IP address, the attacker is most likely a home user who gets a new IP address every few days.

What I really want to know is what the attacker is doing specifically.  What SMTP commands is he executing against the SMTP server?  Is there a special subset of commands for authenticating to a Windows system?

The SMTP conversation is very succinct and to the point.

"HELO <domain>"
"Mail From: <user in the domain>"
"Rcpt to: <end user>"
"subject:<subject line>"
"<email body........>"

That's the extent of the conversation (without authentication). With authentication there are extra messages.

The bottom line is that you cannot possibly distinguish between a "good" conversation and a "bad" conversation.

Without Intrusion protection there is absolutely no way to prevent this from occurring.
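The OP's "stop accepting logins after 5 failed attempts" and the point above that authentication adds extra messages to the conversation point at a detection the SMTP virtual server does not do on its own: count failed AUTH replies per client IP in the W3C extended log and hand the offending addresses to the firewall. This is an added example, not code from this thread or from Exchange; it assumes the extended log does record the AUTH exchange (the OP reports it did not in their case), that it carries at least the date, time, c-ip, cs-method, cs-uri-query and sc-status columns, and that a failed login appears as a 535 reply; the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The #Fields subset is an assumption; real Exchange 2003
# SMTP logs carry more columns, but the parser keys on the header, not on position.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2008-03-10 02:00:00 203.0.113.7 AUTH LOGIN 334
2008-03-10 02:00:02 203.0.113.7 - 535+5.7.3+Authentication+unsuccessful 535
2008-03-10 02:00:05 203.0.113.7 - 535+5.7.3+Authentication+unsuccessful 535
2008-03-10 02:00:07 203.0.113.7 - 535+5.7.3+Authentication+unsuccessful 535
2008-03-10 02:00:09 198.51.100.5 - 535+5.7.3+Authentication+unsuccessful 535
2008-03-10 02:00:10 203.0.113.7 - 535+5.7.3+Authentication+unsuccessful 535
2008-03-10 02:00:12 203.0.113.7 - 535+5.7.3+Authentication+unsuccessful 535
2008-03-10 02:00:14 198.51.100.5 - 235+2.7.0+Authentication+successful 235
2008-03-10 02:00:15 203.0.113.7 - 535+5.7.3+Authentication+unsuccessful 535
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()  # W3C encodes spaces inside a field as '+'
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def failed_auth_sources(text, threshold=5, window_seconds=600):
    """Return {ip: peak failures in window} for IPs with >= threshold 535 replies."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for rec in parse_w3c(text):
        if rec["sc-status"] != "535":   # 535 = authentication failed (RFC 4954)
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        hits = recent[rec["c-ip"]]
        hits.append(ts)
        while ts - hits[0] > window:    # drop failures older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[rec["c-ip"]] = max(flagged.get(rec["c-ip"], 0), len(hits))
    return flagged

if __name__ == "__main__":
    for ip, n in failed_auth_sources(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {n} failed AUTH in 10 min")
```

The legitimate user who mistypes once and then succeeds is never flagged, while the source failing every 2 to 3 seconds crosses the threshold within 15 seconds; the resulting list is what a firewall block rule or a scheduled task would consume.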
Paul Solovyovsky Commented:
Are they going into a single account or random ones? If random, I doubt they've broken in, because they would have exploited the account and sent out 100Ks worth of emails.

Your options are

1.  Intrusion Detection
2.  Intrusion Avoidance (Postini, etc.)
3.  VPN for email: no authentication for external users; users would need to VPN in before accessing email
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
