DisableExtAUTH / Bad SMTP Authentication


DisableExtAUTH / Bad SMTP Authentication

Dirk Kulmsee-2
Hi all,
I have completely disabled external SMTP authentication (DisableExtAUTH = on). Obviously my logs still show frequent auth attempts from all over the world. This would be reason enough for me to score those IPs.

Question: if DisableExtAUTH is set to "On", will an auth attempt trigger an IP score via autValencePB or would we need another PB setting for this?

(currently running ASSP version 2.5.2(16256) on Debian Linux with Perl 5.22)

Best regards
Dirk


------------------------------------------------------------------------------
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: DisableExtAUTH / Bad SMTP Authentication

Thomas Eckardt/eck
If DisableExtAUTH is set to "On", the AUTH offer is removed from the EHLO
reply and the AUTH command is not an allowed SMTP command.
As with all other disallowed SMTP commands, 'MaxErrors' is used to
penalize the sender.

If I think about it ... the idea is not bad. If DisableExtAUTH is set and
AUTH is used, an IP score via autValencePB should be used.
I'll implement this.

Thomas



From:    "Dirk Kulmsee" <[hidden email]>
To:      "'ASSP development mailing list'" <[hidden email]>
Date:    18.09.2016 18:18
Subject: [Assp-test] DisableExtAUTH / Bad SMTP Authentication




Re: DisableExtAUTH / Bad SMTP Authentication

Dirk Kulmsee-2
Thank you for constantly improving ASSP,

If I look at the logs I find lines like these:

2016-09-27 08:57:22 [Worker_1] Info: Worker_1 got connection from MainThread
2016-09-27 08:57:22 [Worker_1] Connected: session:7F11F4205098 201.69.19.76:58216 > 192.168.12.242:25 > 127.0.0.1:125
2016-09-27 08:57:22 [Worker_1] 201.69.19.76 Disabled SMTP AUTH for External IPs
2016-09-27 08:57:23 [Worker_1] [unsupported_AUTH] 201.69.19.76 AUTH not allowed
2016-09-27 08:57:23 [Worker_1] 201.69.19.76 Message-Score: added 60 (autValencePB) for too many AUTH errors from 201.69.19.0, total score for this message is now 60
2016-09-27 08:57:23 [Worker_1] 201.69.19.76 PB-IP-Score for '201.69.19.76' is 180, added 60 for AUTHErrors
2016-09-27 08:57:23 [Worker_1] 201.69.19.76 [SMTP Error] 502 AUTH not supported

And that's how we love it :-)

But I also see events like this:

2016-09-27 09:06:24 [Worker_1] Worker_1 wakes up
2016-09-27 09:06:24 [Worker_1] Info: Worker_1 got connection from MainThread
2016-09-27 09:06:24 [Worker_1] Connected: session:7F11A85A2640 108.174.203.170:44620 > 192.168.12.242:25 > 127.0.0.1:125
2016-09-27 09:06:24 [Worker_1] 108.174.203.170 Disabled SMTP AUTH for External IPs
2016-09-27 09:06:24 [Worker_1] 108.174.203.170 disconnected: session:7F11A85A2640 108.174.203.170 - processing time 0 seconds
2016-09-27 09:06:24 [Worker_1] Worker_1 will sleep now

2016-09-27 09:07:08 [Worker_1] Worker_1 wakes up
2016-09-27 09:07:08 [Main_Thread] Info: Main_Thread freed by idle Worker_1 in 0.019 seconds - got (ok)
2016-09-27 09:07:08 [Worker_1] Connected: session:7F11F49928A8 108.174.203.167:59077 > 192.168.12.242:25 > 127.0.0.1:125
2016-09-27 09:07:08 [Worker_1] 108.174.203.167 Disabled SMTP AUTH for External IPs
2016-09-27 09:07:08 [Worker_1] 108.174.203.167 disconnected: session:7F11F49928A8 108.174.203.167 - processing time 0 seconds
2016-09-27 09:07:08 [Worker_1] Worker_1 will sleep now


What is the difference? Is "Disabled SMTP AUTH for External IPs" already
logged before the client issues an auth request?

Best regards
Dirk




Re: DisableExtAUTH / Bad SMTP Authentication

Thomas Eckardt/eck
>2016-09-27 08:57:22 [Worker_1] 201.69.19.76 Disabled SMTP AUTH for External IPs
>2016-09-27 08:57:23 [Worker_1] [unsupported_AUTH] 201.69.19.76 AUTH not allowed

states:
- that SMTP AUTH is disabled for this IP
- the IP used AUTH

>2016-09-27 09:06:24 [Worker_1] 108.174.203.170 Disabled SMTP AUTH for External IPs
>2016-09-27 09:06:24 [Worker_1] 108.174.203.170 disconnected:

states:
- that SMTP AUTH is disabled for this IP
- the IP did NOT use AUTH - instead it disconnects

Thomas




From:    "Dirk Kulmsee" <[hidden email]>
To:      "'ASSP development mailing list'" <[hidden email]>
Date:    27.09.2016 09:12
Subject: Re: [Assp-test] DisableExtAUTH / Bad SMTP Authentication



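
Added example (not part of the original thread and not ASSP code): a small log summarizer that separates the two cases discussed above, clients that actually sent AUTH and were scored versus clients that only connected and disconnected. The regular expressions assume the log format quoted in the thread with wrapped lines rejoined; the function names `summarize` and `classify` and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in this thread (wrapped lines
# rejoined); the client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2016-09-27 08:57:22 [Worker_1] Connected: session:AAAA0001 192.0.2.10:58216 > 192.168.12.242:25 > 127.0.0.1:125
2016-09-27 08:57:22 [Worker_1] 192.0.2.10 Disabled SMTP AUTH for External IPs
2016-09-27 08:57:23 [Worker_1] [unsupported_AUTH] 192.0.2.10 AUTH not allowed
2016-09-27 08:57:23 [Worker_1] 192.0.2.10 PB-IP-Score for '192.0.2.10' is 180, added 60 for AUTHErrors
2016-09-27 08:57:23 [Worker_1] 192.0.2.10 [SMTP Error] 502 AUTH not supported
2016-09-27 09:06:24 [Worker_1] Connected: session:AAAA0002 198.51.100.7:44620 > 192.168.12.242:25 > 127.0.0.1:125
2016-09-27 09:06:24 [Worker_1] 198.51.100.7 Disabled SMTP AUTH for External IPs
2016-09-27 09:06:24 [Worker_1] 198.51.100.7 disconnected: session:AAAA0002 198.51.100.7 - processing time 0 seconds
"""

PREFIX = r"^\S+ \S+ \[[^\]]+\] "  # date, time, [worker]
CONNECTED = re.compile(PREFIX + r"Connected: session:(\w+) ([\d.]+):\d+ >")
AUTH_USED = re.compile(PREFIX + r"\[unsupported_AUTH\] ([\d.]+) AUTH not allowed")
PB_SCORE = re.compile(PREFIX + r"[\d.]+ PB-IP-Score for '([\d.]+)' is (\d+), added \d+ for AUTHErrors")

def summarize(log_text):
    """Per client IP: sessions seen, sessions that sent AUTH, latest PB score."""
    stats = defaultdict(lambda: {"sessions": 0, "auth_sessions": 0, "pb_score": None})
    current = {}  # ip -> has the most recent session of this IP sent AUTH yet?
    for line in log_text.splitlines():
        # "Disabled SMTP AUTH for External IPs" is deliberately ignored: it is
        # logged in both cases, so it does not indicate an AUTH attempt.
        if m := CONNECTED.match(line):
            ip = m.group(2)
            stats[ip]["sessions"] += 1
            current[ip] = False
        elif m := AUTH_USED.match(line):
            ip = m.group(1)
            if not current.get(ip, False):  # count each session only once
                stats[ip]["auth_sessions"] += 1
                current[ip] = True
        elif m := PB_SCORE.match(line):
            stats[m.group(1)]["pb_score"] = int(m.group(2))
    return dict(stats)

def classify(entry):
    """'auth-attempt' if any session sent AUTH, else 'connect-only'."""
    return "auth-attempt" if entry["auth_sessions"] else "connect-only"

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, classify(entry), entry)
```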