
Block trigger for too many "AUTH command used when not advertised" on Exim

Posted: 09 Nov 2017, 18:04
by Adambean
Hello there,

Nearly all of my servers that run Exim are constantly being attacked by remote nodes trying to brute through an AUTH command before advertised. Every day I get a big list of AUTH command used when not advertised in logwatch.

On a daily basis I'm blacklisting these remote nodes, because I know for certain they are scanning for open relays. Quite a big giveaway is also the HELO being "ylmf-pc", a known botnet trying to send out spam and such.

Would it be in LFD's scope to have a feature whereby it can block a remote node if it triggers this auth failure too many times within a given time frame, in the same way incorrect auth credentials can be? I did come across "SMTPAUTH_RESTRICT" but that doesn't quite look like what I'm after.

Re: Block trigger for too many "AUTH command used when not advertised" on Exim

Posted: 21 Nov 2017, 16:15
by ForumAdmin
From what I can see, excessive "AUTH command used when not advertised" occurs when an AUTH command is used before HELO, which establishes which commands are available. This only seems to manifest in the exim_mainlog once too many have been attempted, with the error:

Code:

dropped: too many syntax or protocol errors (last command was "AUTH LOGIN")

or, if a valid HELO has been issued, the log shows:

Code:

Incorrect authentication data

The former should be trapped by LF_SMTPAUTH, the latter by LF_EXIMSYNTAX. If you are seeing different log lines, you need to quote them in full to see if anything further is needed.

Re: Block trigger for too many "AUTH command used when not advertised" on Exim

Posted: 25 Nov 2017, 23:08
by Adambean
Hello,

I do already have both LF_SMTPAUTH and LF_EXIMSYNTAX set to 5, so this should be quite aggressive? Too many "Incorrect authentication data" does correctly get blocked, it's just the "AUTH command used when not advertised" doesn't seem to ever get blocked.

I guess what is happening is that Exim only considers it a syntax error when too many "dropped: too many syntax or protocol errors (last command was "AUTH LOGIN")" happen. I'm not sure how many, might be 3-5, but that could really mean that 15-25 attempts to use AUTH before advertised would be needed to trigger a block. Maybe I should set "LF_EXIMSYNTAX" as low as 2 to help pick up more of this.

A snip from yesterday's logwatch:

Code:

2017-11-24 00:14:49 dovecot_login authenticator failed for (User) [80.82.x.x]: 535 Incorrect authentication data (set_id=admin): 1 Time(s)
2017-11-24 00:15:29 SMTP protocol error in "AUTH LOGIN" H=x.red-80-33-x.staticip.rima-tde.net (reece.wales) [80.33.x.x] AUTH command used when not advertised: 1 Time(s)
2017-11-24 00:30:08 SMTP protocol error in "AUTH LOGIN" H=(reece.wales) [196.22.x.x] AUTH command used when not advertised: 1 Time(s)
2017-11-24 01:07:19 dovecot_login authenticator failed for (User) [80.82.x.x]: 535 Incorrect authentication data (set_id=root): 1 Time(s)
2017-11-24 01:30:44 dovecot_login authenticator failed for (User) [24.154.x.x]: 535 Incorrect authentication data (set_id=spam@reece.wales): 1 Time(s)
2017-11-24 01:43:47 SMTP protocol error in "AUTH LOGIN" H=remote.jacomms.com (reece.wales) [103.83.x.x] AUTH command used when not advertised: 1 Time(s)
2017-11-24 01:58:26 SMTP protocol error in "AUTH LOGIN" H=(reece.wales) [197.148.x.x] AUTH command used when not advertised: 1 Time(s)
2017-11-24 01:59:55 dovecot_login authenticator failed for (User) [80.82.x.x]: 535 Incorrect authentication data (set_id=backup): 1 Time(s)
2017-11-24 02:13:20 SMTP protocol error in "AUTH LOGIN" H=(reece.wales) [191.190.x.x] AUTH command used when not advertised: 1 Time(s)
2017-11-24 02:42:46 SMTP protocol error in "AUTH LOGIN" H=net-31-27-x-x.cust.vodafonedsl.it (reece.wales) [31.27.x.x] AUTH command used when not advertised: 1 Time(s)
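The thread turns on whether the "AUTH command used when not advertised" line is ever counted toward a block, and on how many of them within what period it would take. The script below is an added example, not part of the forum posts and not LFD's or Exim's own code: it parses the three exim_mainlog messages quoted in the thread (either raw, or as logwatch summarises them with a trailing ": N Time(s)"), groups them per remote IP and message, and reports a peer once it reaches a threshold of events inside a sliding time window, which is the kind of trigger the original poster is asking for. The log lines in SAMPLE_LOG are constructed for the example, with RFC 5737 documentation addresses in place of real peers, and the threshold and window values are parameters rather than anything LFD applies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three exim_mainlog messages discussed in the thread. LFD's own matching
# rules are not reproduced here; each message is simply counted per remote IP.
REASONS = (
    "AUTH command used when not advertised",
    "Incorrect authentication data",
    "dropped: too many syntax or protocol errors",
)

# Matches a raw exim_mainlog line or the same line as logwatch summarises it
# (trailing ": N Time(s)"). The remote IP is the first bracketed dotted quad,
# which covers both the "H=host (helo) [ip]" and "for (User) [ip]:" shapes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?(?P<reason>" + "|".join(re.escape(r) for r in REASONS) + r")"
    r"(?:.*?:\s*(?P<n>\d+) Time\(s\))?.*$"
)

# Constructed sample input modelled on the lines quoted in the thread; the
# addresses are documentation ranges (RFC 5737), not real peers. The "dropped"
# line follows the wording the forum admin quoted.
SAMPLE_LOG = """\
2017-11-24 00:14:49 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2017-11-24 00:15:29 SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [198.51.100.7] AUTH command used when not advertised
2017-11-24 00:16:02 SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [198.51.100.7] AUTH command used when not advertised
2017-11-24 00:17:40 SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [198.51.100.7] AUTH command used when not advertised
2017-11-24 00:17:41 SMTP call from (ylmf-pc) [198.51.100.7] dropped: too many syntax or protocol errors (last command was "AUTH LOGIN")
2017-11-24 01:07:19 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=root)
2017-11-24 01:30:44 SMTP protocol error in "AUTH LOGIN" H=(reece.wales) [192.0.2.9] AUTH command used when not advertised: 2 Time(s)
2017-11-24 01:59:55 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=backup)
2017-11-24 05:00:00 SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [198.51.100.7] AUTH command used when not advertised
"""


def parse_line(line):
    """Return (timestamp, ip, reason, count) for a line of interest, else None.

    count is the logwatch "N Time(s)" figure when present, otherwise 1, so a
    summarised line weighs the same as the raw lines it stands for.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    count = int(m.group("n")) if m.group("n") else 1
    return ts, m.group("ip"), m.group("reason"), count


def find_offenders(lines, threshold=5, interval_seconds=300):
    """Return {(ip, reason): first_trigger_time} for every peer that reaches
    `threshold` events of one reason inside any window of `interval_seconds`.

    Events are processed in time order per (ip, reason); a deque holds the
    events still inside the window, and the running total is compared with the
    threshold after each event, mirroring a count-within-interval trigger.
    """
    interval = timedelta(seconds=interval_seconds)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, reason, count = parsed
            events[(ip, reason)].append((ts, count))

    offenders = {}
    for key, evs in events.items():
        window = deque()
        total = 0
        for ts, count in sorted(evs):
            window.append((ts, count))
            total += count
            # Drop events that have fallen out of the window ending at ts.
            while window and ts - window[0][0] > interval:
                _, old = window.popleft()
                total -= old
            if total >= threshold:
                offenders[key] = ts
                break  # first trigger is enough; a block would follow here
    return offenders


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), threshold=3, interval_seconds=3600)
    for (ip, reason), when in sorted(hits.items()):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {ip:<15} reached threshold for '{reason}'")
```

With a threshold of 3 inside one hour only 198.51.100.7 is reported, for its three "AUTH command used when not advertised" lines within two minutes; the three "Incorrect authentication data" failures from 203.0.113.5 are spread over 1h45m and only trigger when the window is widened to two hours. Run against a real exim_mainlog, the per-reason counts show directly whether the "not advertised" lines are frequent enough to justify the lower LF_EXIMSYNTAX value the poster is considering, and the window length is what decides whether slow, spaced-out probes are caught at all.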