
IP blocked because: (smtpauth) Failed SMTP AUTH login from - can someone explain?

@Mendez628

Posted in: #Smtp

Today I had a few users blocked in our server firewall because of:

(smtpauth) Failed SMTP AUTH login from

Can someone explain the reason? What does it exactly mean? Could someone be using our website to access SMTP for spamming purposes?

UPDATE:

Server info:
Centos OS with CPanel and WHM. However no one has access to either.

Taking a look at the logs, it looks like someone repeatedly attempted to log in with a known existing user/pass.

@Ann8826881

This link gives us a clue:
isc.sans.edu/forums/diary/CSAM+WebHosting+BruteForce+logs/16733
It appears that you have a script that blocks suspect accesses found in your log files. This is good, however, it may be blocking valid users too. You can find out more here: configserver.com/cp/csf.html
It appears from your error that you may be experiencing a brute force password cracking effort against your SMTP server (e-mail). This is bad, however, your script is protecting you.

This script may be blocking a specific IP address from a pool or blocking a domain name that represents a user pool which would block all users of that pool.

You can block the specific IP address found in your log files using a firewall or iptables or whatever mechanism you have that restricts access to your server. If you have a domain name, you can use:

nslookup example.com


...to look up the IP address.

If the domain name is something like generic-term.example.com where the generic term can be something like user, customer, host, or something similar, then you may not get an IP address or at least not the proper one. This is a domain name of a pool as I suggested above. If you do not have an IP address in your log file, then blocking the pool may restrict valid accesses from that entire network. Even blocking the IP address can block accesses from a valid user. Even then, tomorrow the same thing can happen from another IP address from that pool.

There may be nothing you can do either way but to block access and suffer the consequences. It may be that you will need to keep an eye on your log files and block accesses by IP address as they occur.

Without more specific information, I am unable to give better advice except this. You want this script to do what it is doing. You may need to apologize to a few users, but at least you are not sending out thousands of spam e-mails from a hacked account.

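The brute-force pattern the answer describes, as an added example that is not part of the original thread: a small Python script that parses constructed, simplified failed-SMTP-AUTH log lines (the line format, addresses and hostnames are hypothetical, not real CSF or exim output), flags source IPs that exceed a failure threshold inside a time window, and checks whether a reverse name looks like an ISP pool address, the case the answer warns about where blocking by name would also block legitimate users.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log lines modelled on the firewall message quoted in the
# question; the line format, addresses and hostnames are hypothetical, not real
# CSF or exim output.
SAMPLE_LOG = """\
2023-03-01 10:00:01 smtpauth: Failed SMTP AUTH login from 203.0.113.7 (host7.pool.example.net) user=alice
2023-03-01 10:00:02 smtpauth: Failed SMTP AUTH login from 203.0.113.7 (host7.pool.example.net) user=alice
2023-03-01 10:00:03 smtpauth: Failed SMTP AUTH login from 203.0.113.7 (host7.pool.example.net) user=bob
2023-03-01 10:00:04 smtpauth: Failed SMTP AUTH login from 203.0.113.7 (host7.pool.example.net) user=admin
2023-03-01 10:00:05 smtpauth: Failed SMTP AUTH login from 203.0.113.7 (host7.pool.example.net) user=info
2023-03-01 10:00:09 smtpauth: Failed SMTP AUTH login from 198.51.100.20 (mx.corp.example) user=carol
2023-03-01 10:30:00 smtpauth: Failed SMTP AUTH login from 198.51.100.20 (mx.corp.example) user=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) smtpauth: Failed SMTP AUTH login from "
    r"(?P<ip>[\d.]+) \((?P<host>[^)]+)\) user=(?P<user>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, ip, hostname, user) for each failed-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["host"], m["user"]

def brute_force_sources(log_text, limit=5, window=timedelta(minutes=10)):
    """Return {ip: (failures, distinct_users)} for sources with at least `limit`
    failures inside `window`; many distinct usernames from one source is the
    guessing pattern, one user mistyping a password is not."""
    events = defaultdict(list)
    for ts, ip, _host, user in parse(log_text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _u) in enumerate(hits):
            in_window = [u for t, u in hits[i:] if t - start <= window]
            if len(in_window) >= limit:
                flagged[ip] = (len(in_window), len(set(in_window)))
                break
    return flagged

GENERIC_TERMS = ("user", "customer", "host")  # pool labels named in the answer

def looks_like_pool(hostname):
    """True when a label of the reverse name contains a generic term, i.e. the
    address likely sits in a pool where blocking by name hits legitimate users too."""
    return any(t in label for label in hostname.lower().split(".") for t in GENERIC_TERMS)
```

With the sample above only 203.0.113.7 is flagged (five failures across four usernames in four seconds), while the single user who failed twice half an hour apart is left alone.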