Preventing illegal login attempts over Exchange 2003 SMTP virtual server

Posted on 2011-04-20
Last Modified: 2012-05-11
I'm running Exchange 2003 SP2.  Every so often, I see long strings of illegal login attempts over the SMTP virtual server.  The attacker uses random user names for the login attempts, and an attempt is made every 2 to 3 seconds over a period of an hour or more.  I have confirmed that the attacker is targeting the SMTP virtual server; when I stopped the SMTP service on Exchange, the attacks stopped.

I have enabled extended logging for the SMTP Virtual Server, but the logs do NOT show any of the illegal login attempts.  Hence, I can't even identify the attacker's IP address so I can block it.

I'd love to sign up for an outsourced mail security service which would filter out viruses, spam and attackers.  However, we don't have the money in our budget to do it this year.

What other remedies do I have?  Is there a way to configure the SMTP server to temporarily stop accepting login attempts from an external source after, say, 5 failed login attempts?  Is there a good SMTP proxy device or software which can do this?  I do have a Sonicwall 2040 Pro, but I don't believe it has these capabilities.

Any suggestions will be appreciated!
Question by:guardian8xxx
    LVL 9

    Accepted Solution

    I am using a Watchguard XTM21 which does "intrusion detection". I have noticed that my FTP attacks have stopped, and would think that it would handle the SMTP attack in the same manner.
    LVL 42

    Expert Comment

    The Watchguard will do a good job, but you may also make sure that all your accounts have strong passwords, and if your users don't authenticate (OWA, RPC/HTTP, ActiveSync, IMAP, POP) you can turn these services off; it can try to authenticate all it wants, but it will not be able to get access.
    LVL 9

    Expert Comment

    The OP never said they got in - it's the attempt that would actually act like a denial of service, since the server is so busy checking validation. That's why a perimeter firewall/intrusion protection was recommended.
    LVL 42

    Expert Comment

    Missed that.  This is why strong passwords are critical; most of the time they get in on a service account like temp/temp... seen it too often.


    Author Comment

    Thanks for the responses so far.  We do have a policy that requires strong passwords, and users must change passwords frequently.  I've also renamed our admin account.

    Spoke to Sonicwall tech support (after waiting on hold for 30 minutes listening to freaking Enya) and they said that my Pro 2040's Intrusion Prevention Service will not recognize these attempted break-ins as an attack.  Rather, their advice was to identify the attacker's IP address via the firewall logs and then block the IP address.

    In other words, they have no solution.  Even if I blocked the IP address, the attacker is most likely a home user who gets a new IP address every few days.

    What I really want to know is what the attacker is doing specifically.  What SMTP commands is he executing against the SMTP server?  Is there a special subset of commands for authenticating to a Windows system?

    LVL 9

    Expert Comment

    The SMTP conversation is very succinct and to the point.

    "HELO <domain>"
    "Mail From: <user in the domain>"
    "Rcpt to: <end user>"
    "subject:<subject line>"
    "<email body........>"

    That's the extent of the conversation (without authentication). With authentication there are extra messages.

    The bottom line is that you cannot possibly distinguish between a "good" conversation and a "bad" conversation.

    Without intrusion protection there is absolutely no way to prevent this from occurring.
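    The OP asked whether login attempts from a source could be refused after, say, 5 failures, and the comment above notes that an authenticated session adds extra messages to the plain SMTP exchange. The following is an added example, not code from the thread or from Microsoft, showing the detection half of that idea: it reads W3C-style SMTP virtual server log lines, counts AUTH commands that received a 535 reply per client IP inside a sliding window, and returns the addresses that crossed the threshold together with the time their block should expire. It assumes the SMTP verb is logged in the cs-method field and the reply code in sc-status; the log lines, IP addresses and username below are constructed for the example, and the OP reports that in their case the virtual server log did not record the attempts at all, so the same logic would have to run on whatever device in front of the server does see them.

```python
"""Threshold-based lockout over SMTP virtual server log lines.

Added example (not from the original thread). It assumes a W3C extended
log in which the SMTP verb lands in cs-method and the server reply code
in sc-status; the sample lines below are constructed, not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one hostile client failing AUTH every few seconds
# (535 = authentication failed), one legitimate client that authenticates
# (235) and goes on to send a message.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method sc-status
2011-04-20 10:00:01 203.0.113.45 - EHLO 250
2011-04-20 10:00:03 203.0.113.45 - AUTH 535
2011-04-20 10:00:06 203.0.113.45 - AUTH 535
2011-04-20 10:00:08 198.51.100.7 - EHLO 250
2011-04-20 10:00:09 198.51.100.7 jdoe AUTH 235
2011-04-20 10:00:09 203.0.113.45 - AUTH 535
2011-04-20 10:00:10 198.51.100.7 jdoe MAIL 250
2011-04-20 10:00:12 203.0.113.45 - AUTH 535
2011-04-20 10:00:15 203.0.113.45 - AUTH 535
2011-04-20 10:00:18 203.0.113.45 - AUTH 535
"""

MAX_FAILURES = 5                 # the "5 failed login attempts" from the question
WINDOW = timedelta(minutes=10)   # failures older than this no longer count
BLOCK_FOR = timedelta(minutes=30)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that cannot be mapped onto a header
        yield dict(zip(fields, parts))


def is_failed_auth(rec):
    """True for an AUTH command that the server answered with 535."""
    return rec.get("cs-method", "").upper() == "AUTH" and rec.get("sc-status") == "535"


def failed_auth_blocks(text, max_failures=MAX_FAILURES, window=WINDOW, block_for=BLOCK_FOR):
    """Return {client_ip: block_until} for clients exceeding the threshold.

    Failures are counted per source IP in a sliding window; the failure
    that brings the count to max_failures inside the window produces a
    block entry. Further failures from an IP whose block has not expired
    are ignored rather than extending the block.
    """
    recent = defaultdict(deque)
    blocks = {}
    for rec in parse_w3c(text):
        if not is_failed_auth(rec):
            continue
        ip = rec["c-ip"]
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if ip in blocks and ts < blocks[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocks[ip] = ts + block_for
            q.clear()
    return blocks


if __name__ == "__main__":
    for ip, until in failed_auth_blocks(SAMPLE_LOG).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

The decision is keyed on the source address and the reply code only, which is why the legitimate client that fails nothing never appears in the result even though it shares the same minute of log. In practice the block list would be handed to the firewall (the Sonicwall's address-object blocking mentioned by their support) rather than printed, and the window and block duration tuned so that a home user who mistypes a password a few times is not locked out for long.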
    LVL 42

    Assisted Solution

    Are they going into a single account or random ones?  If random, I doubt they've broken in, because they would have exploited the account and sent out 100Ks worth of emails.

    Your options are

    1.  Intrusion Detection
    2.  Intrusion Avoidance (Postini, etc.)
    3.  VPN for authentication for external users; users would need to VPN in before accessing email
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
