Large number of smtpauth failures


JeoRocker

Active Member
92
2012
2
0
For a few days my website has been under attack with a large number of SMTP failures. Below is one example. Because of this my IP has been blacklisted and I am receiving abuse reports for SPAMMING, whereas I have not done anything.

I would appreciate some assistance on this issue.


MESSAGE

Time: Sat May 2 12:48:03 2015 +0200
IP: 105.225.85.183 (ZA/South Africa/85-225-105-183.north.dsl.telkomsa.net)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block


Log entries:


2015-05-02 12:18:44 dovecot_plain authenticator failed for (Preshen) [105.225.85.183]:2102: 535 Incorrect authentication data (set_id=xcx)
2015-05-02 12:18:51 dovecot_login authenticator failed for (Preshen) [105.225.85.183]:2102: 535 Incorrect authentication data (set_id=xcx)
2015-05-02 12:19:00 dovecot_plain authenticator failed for (Preshen) [105.225.85.183]:2159: 535 Incorrect authentication data (set_id=xcx@domain.com)
2015-05-02 12:19:10 dovecot_login authenticator failed for (Preshen) [105.225.85.183]:2159: 535 Incorrect authentication data (set_id=xcx@domain.com)
2015-05-02 12:48:01 dovecot_plain authenticator failed for (Preshen) [105.225.85.183]:2443: 535 Incorrect authentication data (set_id=xcx)

Regards
 
3 comments
There are bots that will identify SMTP servers and try to brute force them. If you've been blacklisted, then one has probably figured out a password for one of your logins and is sending out spam through it; you should be able to check the logs and see which login is sending them out.
 
Check your logs for what you have sent in emails.
Change your passwords to something new (use a strong password) for all accounts.
Check if they got into your system; disable email and look into the error logs.

There are many things you can do.

Did you install the server yourself? Do you have management, or are you self-managed?
Is everything up to date?
 
SMTP Auth failures are common on active web servers. If this is a shared hosting server, the issue may be with clients' local PCs being infected and trying to brute force through. If this is a cPanel server, I would recommend using cphulkd to auto-block these attempts. If not, fail2ban would help as well.
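The "5 failures in 3600 seconds" rule from the block alert in the first post, applied to log lines in the same exim/dovecot format, so you can see which IPs would trip it and which logins they were guessing. This is an added example, not code from the thread or from csf/lfd/cphulkd; the sample lines are constructed (the 192.0.2.10 entry is invented for contrast).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: the five lines quoted in the thread plus one
# unrelated single failure from an invented address (192.0.2.10).
SAMPLE_LOG = """\
2015-05-02 12:18:44 dovecot_plain authenticator failed for (Preshen) [105.225.85.183]:2102: 535 Incorrect authentication data (set_id=xcx)
2015-05-02 12:18:51 dovecot_login authenticator failed for (Preshen) [105.225.85.183]:2102: 535 Incorrect authentication data (set_id=xcx)
2015-05-02 12:19:00 dovecot_plain authenticator failed for (Preshen) [105.225.85.183]:2159: 535 Incorrect authentication data (set_id=xcx@domain.com)
2015-05-02 12:19:10 dovecot_login authenticator failed for (Preshen) [105.225.85.183]:2159: 535 Incorrect authentication data (set_id=xcx@domain.com)
2015-05-02 12:48:01 dovecot_plain authenticator failed for (Preshen) [105.225.85.183]:2443: 535 Incorrect authentication data (set_id=xcx)
2015-05-02 13:00:00 dovecot_login authenticator failed for (other) [192.0.2.10]:4000: 535 Incorrect authentication data (set_id=admin)
"""

# One exim auth-failure line: timestamp, authenticator, HELO name, [ip]:port, set_id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\]:\d+: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)

def parse_failures(text):
    """Yield (timestamp, ip, set_id) for each auth-failure line; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def find_offenders(text, threshold=5, interval=3600):
    """Return {ip: [set_ids tried]} for every IP that reaches `threshold`
    failures within any sliding window of `interval` seconds."""
    windows = defaultdict(deque)   # ip -> timestamps of failures still in the window
    targets = defaultdict(set)     # ip -> every login name that IP attempted
    flagged = set()
    for ts, ip, user in parse_failures(text):
        targets[ip].add(user)
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > interval:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(targets[ip]) for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"would block {ip}: {len(users)} login name(s) guessed: {users}")
```

The distinct set_id values per IP are worth keeping: a single login hammered from many IPs points at a targeted account whose password should be rotated first.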