Community Discussions and Support
Brute force AUTH LOGIN attack

Thanks Rolf,

I've downloaded your event daemon, and will play around with it tomorrow. It looks like this should put a crimp on AUTH LOGIN abuse.

The more I get into Mercury the more I like it - it has some very powerful features like the transaction level filtering, and the ability to add third party daemons.

I'm liking this a lot.

Thanks again for your time Rolf.

John.


Hello all,

One problem I am having, which I can't find a solution to, is the now common AUTH LOGIN brute force attack. These tend to go on for several hours and because the BOT doesn't care about protocols, continue even if you blacklist their IP (Mercury responds with Temporary Blacklist error). Sometimes the attack is mounted from TOR, so the originating IP changes 2 or 3 times during the attack!

There doesn't seem to be a "Limit number of failed AUTH LOGIN's" in MercuryS, and I can't find a reliable way of preventing the attacks.

Does anyone have any thoughts on this?

Does anyone know if there are plans to add tools to Mercury, like limiting the number of failed AUTH LOGINs from the same IP?

Thank you in advance

John,

I've attached some "joined up" session logs showing the problem.


You could try using my SMTP Event daemon that attempts to catch various kinds of bad behavior including AUTH attacks and DDoS attacks: http://community.pmail.com/files/folders/community_add-ons_for_mercury/entry29759.aspx

There is a newer version with integrated Spamhaus checking and some other new stuff that is still not publicly released, but if interested I can email a download link. 
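
An added example, not part of the thread and not the code of the event daemon linked above: a sliding-window count of failed AUTH attempts per source IP, and also per targeted login name so that an attack whose source address changes is still noticed. The log format, the sample lines and the thresholds are constructed for illustration and are not MercuryS output or settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (NOT MercuryS log format): timestamp, client IP,
# attempted login name, SMTP reply code (535 = auth failed, 235 = auth ok).
SAMPLE = """\
2024-01-01T10:00:00 203.0.113.5 sales 535
2024-01-01T10:00:20 203.0.113.5 admin 535
2024-01-01T10:00:40 203.0.113.5 admin 535
2024-01-01T10:01:00 198.51.100.7 admin 535
2024-01-01T10:01:20 198.51.100.7 admin 535
2024-01-01T10:05:00 192.0.2.10 john 235
2024-01-01T10:30:00 192.0.2.10 john 535
"""

def find_offenders(text, max_fail=3, window=timedelta(minutes=10)):
    """Return (ips_over_limit, accounts_over_limit) for failed AUTH attempts.

    A key is flagged once it collects max_fail failures inside `window`.
    max_fail and window are hypothetical thresholds chosen for the example.
    """
    by_ip, by_user = defaultdict(deque), defaultdict(deque)
    bad_ips, bad_users = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts, ip, user, code = parts
        if code != "535":
            continue  # only failed authentications are counted
        now = datetime.fromisoformat(ts)
        for key, table, flagged in ((ip, by_ip, bad_ips),
                                    (user.lower(), by_user, bad_users)):
            q = table[key]
            q.append(now)
            while now - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_fail:
                flagged.add(key)
    return bad_ips, bad_users

if __name__ == "__main__":
    ips, users = find_offenders(SAMPLE)
    print("IPs over limit:", sorted(ips))
    print("Accounts under attack:", sorted(users))
```

In the sample, 198.51.100.7 stays under the per-IP limit, but the failures against `admin` from both addresses together push that account over the limit.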
