Mail Enable Log (Hacked?)

Discussion in 'Site & Server Administration' started by scottlpool2003, Mar 20, 2013.

  1. #1
    I've been receiving emails to POSTMASTER which prompted me to find out why emails were being returned. While checking the log files in Mail Enable I stumbled across hacking attempts.

    The first few files were attempts at logging in e.g.


    But when I carried on sieving through the logs I found a couple of entries like:


    This looks like the user has actually logged in to me (am I wrong here?)....

    I know that the IP addresses have no business being in the server, whether it's email or whatnot, as it's a server for our business; no outside clients have access (or shouldn't have access).

    Anyway, further inspection on the IP addresses that I believe have authenticated show that they are indeed known hackers.

    One of them obviously gets me a little worried:


    I know I could simply ban the IP address, but there seem to be quite a few of them. Is there anything I can do to prevent what's happening or at least get Mail Enable to notify me of hacking attempts?
     
    scottlpool2003, Mar 20, 2013 IP
  2. RonBrown

    #2
    Don't think so. I don't know MailEnable's responses (you can probably look them up) but it looks to me like it's just the server saying "OK, IMAP is working, so let's communicate" in response to an incoming IMAP connection. The next thing would be for the person connecting to log in. I'd guess you were OK.

    If you're concerned about someone brute-forcing then make sure you use a strong password (goes without saying), and if you know these IPs are "bad" then why not deny them access at the firewall or through some other process on the email server? They will connect on different ones, but why let known bad IPs connect when you have that information to hand?
     
    RonBrown, Mar 20, 2013 IP
  3. fetal

    #3
    I would also recommend installing a firewall, like csf or apf. They can detect brute force attempts and temporarily ban the IP.
     
    fetal, Apr 2, 2013 IP
  4. scottlpool2003

    #4

    Is that Windows Server compatible?
     
    scottlpool2003, Apr 3, 2013 IP
  5. MilesWeb

    #5
    No, they are not. csf & apf are compatible with Linux distros.
     
    MilesWeb, Apr 3, 2013 IP
  6. scottlpool2003

    #6
    Do you by any chance know of any alternatives that notify the administrator of brute force attempts? I'm surprised that MailEnable doesn't have that built in, I would never know unless I was categorically looking.
     
    scottlpool2003, Apr 3, 2013 IP
  7. MilesWeb

    #7
    For brute force attacks you can configure Abuse Detection and Prevention. Also consider configuring password lockout policy.

    MailEnable Admin MMC >> Servers >> Localhost Properties >> Abuse Detection and Prevention.
     
    MilesWeb, Apr 3, 2013 IP
  8. scottlpool2003

    #8
    I don't seem to have that option, I'm running Standard Edition, would that make a difference?
     
    scottlpool2003, Apr 4, 2013 IP
  9. #9
    It's added in MailEnable's Professional release.

    But in Standard, there is a way to automatically block hosts after certain invalid SMTP logins. It is under the SMTP "security" properties window, in the "Connection dropping" section. Tick the option for "Add to denied IP addresses if this number is reached".

    I hope this helps :)
     
    MilesWeb, Apr 4, 2013 IP
    flowersn likes this.
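
An added example, not part of any post in this thread: it separates the untagged IMAP greeting (`* OK ...`, sent to every connecting client) from the tagged reply to a LOGIN command, then applies the same count-and-threshold idea as the connection-dropping setting in post #9. The tab-separated log layout, the sample lines and the function name `analyse` are constructed for illustration and are not MailEnable's real log format.

```python
from collections import Counter

# Constructed sample in a simplified "ip<TAB>direction<TAB>data" layout.
# Assumption: this is NOT MailEnable's real log format; adapt the parsing.
SAMPLE_LOG = "\n".join([
    "198.51.100.23\tOUT\t* OK IMAP4rev1 server ready",
    "203.0.113.7\tOUT\t* OK IMAP4rev1 server ready",
    "203.0.113.7\tIN\ta1 LOGIN info@example.test ****",
    "203.0.113.7\tOUT\ta1 NO LOGIN failed",
    "203.0.113.7\tIN\ta2 LOGIN admin@example.test ****",
    "203.0.113.7\tOUT\ta2 NO LOGIN failed",
    "203.0.113.7\tIN\ta3 LOGIN sales@example.test ****",
    "203.0.113.7\tOUT\ta3 NO LOGIN failed",
    "192.0.2.10\tOUT\t* OK IMAP4rev1 server ready",
    "192.0.2.10\tIN\tx1 LOGIN user@example.test ****",
    "192.0.2.10\tOUT\tx1 OK LOGIN completed",
])

def analyse(log_text, threshold=3):
    """Classify each client IP by what the IMAP exchange actually shows."""
    pending = set()      # (ip, tag) of LOGIN/AUTHENTICATE commands awaiting a reply
    failed = Counter()   # ip -> number of rejected logins
    succeeded, seen = set(), set()
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        ip, direction, data = parts
        seen.add(ip)
        tokens = data.split()
        if len(tokens) < 2:
            continue
        tag, word = tokens[0], tokens[1].upper()
        if direction == "IN" and word in ("LOGIN", "AUTHENTICATE"):
            pending.add((ip, tag))
        # Untagged "*" lines (the greeting) and "+" continuations never match here.
        elif direction == "OUT" and (ip, tag) in pending:
            pending.discard((ip, tag))
            if word == "OK":
                succeeded.add(ip)
            elif word in ("NO", "BAD"):
                failed[ip] += 1
    return {
        "greeting_only": sorted(seen - succeeded - set(failed)),
        "failed": dict(failed),
        "succeeded": sorted(succeeded),
        "over_threshold": sorted(ip for ip, n in failed.items() if n >= threshold),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Only an IP listed under `succeeded` has authenticated; an IP under `greeting_only` connected and received the banner, nothing more.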
  10. scottlpool2003

    #10
    Perfect, thanks. Would have thought notifying the administrator would be a basic setting and in the Standard Edition.
     
    scottlpool2003, Apr 4, 2013 IP
  11. MilesWeb

    #11
    You are welcome
     
    MilesWeb, Apr 4, 2013 IP