hMailServer forum

I have plain text SMTP authentication disabled, but of course that doesn't stop the bots from trying it. Every now and again I grep my logs for AUTH PLAIN and base64-decode the payload, just to see what the script kiddies are trying these days. Most of these attempts either use generic frequently-used passwords or else passwords gleaned from well-known data breaches.

Recently however I came across a repeated attempt to log in to my account with a specific, long string of random upper and lowercase letters, digits, and special characters. I use a password manager that creates random passwords for every site I use. Out of curiosity I searched my password manager and lo and behold, that string showed up as the password to an obscure forum. Since all my passwords are unique this could have only come from a data breach of this one specific forum. The forum administrators said they were unaware of a data breach, so this was news to them. Useful info!

Of course the vast majority of attacks use AUTH LOGIN, not AUTH PLAIN. Unfortunately the hMS log defaults to replacing the password with asterisks when an AUTH LOGIN is attempted.

Is there a way to record the password in the log, at least for failed login attempts? I understand that there's some security concerns with logging even failed attempts, but it seems like it would be a useful option (and, for that matter, both failed and successful AUTH PLAIN attempts are already getting logged).

I could see some use for that data

(I block port 25 AUTH though - so no value for me I don't think)
But passwords attempted on IMAP or POP3 ports or SMTP other than port 25 would be interesting.
I get a dozen IPs per day that I block by GEOIP

mattg wrote: ↑

2019-09-26 02:04

I could see some use for that data

(I block port 25 AUTH though - so no value for me I don't think)
But passwords attempted on IMAP or POP3 ports or SMTP other than port 25 would be interesting.
I get a dozen IPs per day that I block by GEOIP

I block AUTH on 25 too; still get dozens of attempts per day on 587. I don't allow POP3 but IMAP attempts would be interesting as well (although I only sporadically log IMAP, due to the volume).

Just had a look through my logs this month

Most of the AUTH PLAIN are from my own machine running thunderbird

I block international connections to IMAP, POP3 and non-port-25 SMTP (eg 587 & 465), so they probably don't get to try to login at all

mattg wrote: ↑

2019-09-26 06:18

Just had a look through my logs this month

Most of the AUTH PLAIN are from my own machine running thunderbird

Interesting, I run Thunderbird also but it never tries AUTH PLAIN. Must be setting difference in there somewhere ...

I block international connections to IMAP, POP3 and non-port-25 SMTP (eg 587 & 465), so they probably don't get to try to login at all

Unfortunately I can't block international connections except for a few specific high-problem countries (e.g. Albania, Viet Nam). I get tons of attempts from China, India, Russia, and Brazil, none of which I can block en masse due to occasional user travel.

Sort of OT, but Soren and I both have different method of handling that. Soren rejects all connections not on port 25 from everywhere except his home area - 3 countries, if I recall. Travellers must log in via webmail.

I use sort of the same approach but in a different way. I force connection through activesync (port 443) and simply block all mail ports except 25 at the router. This also works with webmail, of course. In this case, it doesn't matter where the client is. And no auth allowed on port 25. So no chance of failed logon unless its a bona fide user connecting through webmail or activesync. I also use OnClientLogon to notify me of failed passwords, which is always my mother so I can delete the autoban entry and get her going again.