Having suffered a hack twice on my email server, the last one VERY severe, I have been VERY proactive in monitoring my logs and taking appropriate action when I see attacks. I've installed MalwareBytes for servers, and this software has been very effective in stopping about 95% of the brute-force password attacks (among other types); I've reported any that have gotten through. Given that I've been very effective in stopping the attacks, the attackers have changed tactics.

What I'm seeing a lot of now is computers/devices connecting to my server and executing a bunch of "Unrecognized command"s. The number of connections has increased to the point where it's having an impact on the server's performance. A lot of these IPs are listed on Spamhaus.org and other DNS blocking sites, and my question is: is there any way I can configure my firewall to block any IP address that is listed on these sites? The reason I want to do this, besides the obvious, is that once a user has determined their machine is "infected", cleans it up and has it removed from the blocklist, they would then, as a potential customer, once again have access to my software.

I'm not aware of any software that does this and figured I would post the question here, as I'm sure there has to be someone out there who knows of a solution. Any assistance would be greatly appreciated. Thank you.
This is an example of what I'm seeing in my logs; I'm running the latest version of MDaemon on Windows Server 2012 R2.
The following are the associated POP3 log entries:
Mon 2023-05-01 11:31:54.682: Session 00775141; child 0001
Mon 2023-05-01 11:31:54.682: Accepting POP3 connection from 167.248.133.127:57754 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:54.761: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:54.761: * Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:54.761: Connection closed
Mon 2023-05-01 11:31:54.762: POP3 session terminated, (Bytes in/out: 429/1692)
Mon 2023-05-01 11:31:54.762: ----------
Mon 2023-05-01 11:31:55.044: Session 00775142; child 0001
Mon 2023-05-01 11:31:55.044: Accepting POP3 connection from 167.248.133.127:36340 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.075: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:55.075: * Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:55.075: Connection closed
Mon 2023-05-01 11:31:55.075: POP3 session terminated, (Bytes in/out: 429/1692)
Mon 2023-05-01 11:31:55.075: ----------
Mon 2023-05-01 11:31:55.357: Session 00775143; child 0001
Mon 2023-05-01 11:31:55.357: Accepting POP3 connection from 167.248.133.127:42256 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.360: * SSL negotiation failed, error code 0x80090331
Mon 2023-05-01 11:31:55.360: POP3 session complete (Bytes in/out: 350/0)
Mon 2023-05-01 11:31:55.360: ----------
Mon 2023-05-01 11:31:55.678: Session 00775144; child 0001
Mon 2023-05-01 11:31:55.678: Accepting POP3 connection from 167.248.133.127:47866 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.711: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:55.711: * Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:55.711: Connection closed
Mon 2023-05-01 11:31:55.712: POP3 session terminated, (Bytes in/out: 336/1692)
Mon 2023-05-01 11:31:55.712: ----------
Mon 2023-05-01 11:31:55.997: Session 00775145; child 0001
Mon 2023-05-01 11:31:55.997: Accepting POP3 connection from 167.248.133.127:53762 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:56.027: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:56.028: * Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:56.028: Connection closed
Mon 2023-05-01 11:31:56.028: POP3 session terminated, (Bytes in/out: 417/1692)
Mon 2023-05-01 11:31:56.028: ----------
The following are the SMTP log entries I get for IPs that are also blocked by this feature; the above IP has also executed this:
Sat 2023-04-29 09:40:13.202: Session 00773261; child 0001
Sat 2023-04-29 09:40:13.202: Accepting SMTP connection from 162.142.125.223:53396 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.205: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.205: <-- ¨
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <--
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <-- À$ÀÀ¯À,ÀrÀsÌ©ÌÀÀÀÀ'À/ÀÀ(À0À`ÀaÀvÀw̨ÌÀ
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <--
Sat 2023-04-29 09:40:13.205: Too many errors encountered
Sat 2023-04-29 09:40:13.205: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:13.206: ----------
Sat 2023-04-29 09:40:13.514: Session 00773262; child 0001
Sat 2023-04-29 09:40:13.514: Accepting SMTP connection from 162.142.125.223:38992 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.516: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.516: <-- ¨
Sat 2023-04-29 09:40:13.516: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.516: <-- <rá®RD²ã ¬Ë–?äžII!úXJ×…—÷c×mCà‚]¹ ÿºiƒ
Sat 2023-04-29 09:40:13.517: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.517: <-- ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯ÀÀ$À
Sat 2023-04-29 09:40:13.517: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.517: <-- À+À®À¬À#À À
Sat 2023-04-29 09:40:13.517: Too many errors encountered
Sat 2023-04-29 09:40:13.517: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:13.517: ----------
Sat 2023-04-29 09:40:13.823: Session 00773263; child 0001
Sat 2023-04-29 09:40:13.823: Accepting SMTP connection from 162.142.125.223:52074 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.824: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.825: <-- Y
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.825: <-- À+À®À¬À#À À
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.825: <--
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.374: <--
Sat 2023-04-29 09:40:14.374: Too many errors encountered
Sat 2023-04-29 09:40:14.374: SMTP session terminated (Bytes in/out: 350/183)
Sat 2023-04-29 09:40:14.374: ----------
Sat 2023-04-29 09:40:14.655: Session 00773264; child 0001
Sat 2023-04-29 09:40:14.655: Accepting SMTP connection from 162.142.125.223:59426 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:14.658: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:14 -0400
Sat 2023-04-29 09:40:14.659: <-- K
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.659: <--
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.659: <--
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.208: <--
Sat 2023-04-29 09:40:15.208: Too many errors encountered
Sat 2023-04-29 09:40:15.208: SMTP session terminated (Bytes in/out: 336/183)
Sat 2023-04-29 09:40:15.208: ----------
Sat 2023-04-29 09:40:15.488: Session 00773266; child 0001
Sat 2023-04-29 09:40:15.488: Accepting SMTP connection from 162.142.125.223:38688 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:15.490: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:15 -0400
Sat 2023-04-29 09:40:15.491: <-- œ
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- vk¢_[ UU
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- À+À®ÌÀ¬ÀÀ#
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- À
Sat 2023-04-29 09:40:15.491: Too many errors encountered
Sat 2023-04-29 09:40:15.491: SMTP session terminated (Bytes in/out: 417/183)
Sat 2023-04-29 09:40:15.491: ----------
Sat 2023-04-29 09:40:56.122: Session 00773271; child 0001
Sat 2023-04-29 09:40:56.122: Accepting SMTP connection from 167.248.133.52:42486 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.196: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.196: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:40:56.196: ----------
Sat 2023-04-29 09:40:56.478: Session 00773272; child 0001
Sat 2023-04-29 09:40:56.478: Accepting SMTP connection from 167.248.133.52:53048 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.510: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.510: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:40:56.510: ----------
Sat 2023-04-29 09:40:56.793: Session 00773273; child 0001
Sat 2023-04-29 09:40:56.793: Accepting SMTP connection from 167.248.133.52:33830 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.796: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Sat 2023-04-29 09:40:56.796: SMTP session terminated (Bytes in/out: 350/0)
Sat 2023-04-29 09:40:56.796: ----------
Sat 2023-04-29 09:40:57.102: Session 00773274; child 0001
Sat 2023-04-29 09:40:57.102: Accepting SMTP connection from 167.248.133.52:43136 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:57.133: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:57.133: SMTP session terminated (Bytes in/out: 336/1692)
Sat 2023-04-29 09:40:57.133: ----------
Sat 2023-04-29 09:40:57.414: Session 00773275; child 0001
Sat 2023-04-29 09:40:57.414: Accepting SMTP connection from 167.248.133.52:52120 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:57.450: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:57.450: SMTP session terminated (Bytes in/out: 417/1692)
Sat 2023-04-29 09:40:57.450: ----------
Sat 2023-04-29 09:41:52.287: Session 00773280; child 0001
Sat 2023-04-29 09:41:52.287: Accepting SMTP connection from 167.248.133.187:39424 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.289: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.290: <-- ¨
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <-- À$ÀÀ¯À,ÀrÀsÌ©ÌÀÀÀÀ'À/ÀÀ(À0À`ÀaÀvÀw̨ÌÀ
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <--
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <--
Sat 2023-04-29 09:41:52.290: Too many errors encountered
Sat 2023-04-29 09:41:52.290: SMTP session terminated (Bytes in/out: 429/179)
Sat 2023-04-29 09:41:52.290: ----------
Sat 2023-04-29 09:41:52.598: Session 00773281; child 0001
Sat 2023-04-29 09:41:52.598: Accepting SMTP connection from 167.248.133.187:49952 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.600: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.600: <-- ¨
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <--
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <-- ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯ÀÀ$À
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <-- À+À®À¬À#À À
Sat 2023-04-29 09:41:52.601: Too many errors encountered
Sat 2023-04-29 09:41:52.601: SMTP session terminated (Bytes in/out: 429/179)
Sat 2023-04-29 09:41:52.601: ----------
Sat 2023-04-29 09:41:52.911: Session 00773282; child 0001
Sat 2023-04-29 09:41:52.911: Accepting SMTP connection from 167.248.133.187:59158 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.913: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.913: <-- Y
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <-- À+À®À¬À#À À
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <--
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <--
Sat 2023-04-29 09:41:52.914: Too many errors encountered
Sat 2023-04-29 09:41:52.914: SMTP session terminated (Bytes in/out: 350/179)
Sat 2023-04-29 09:41:52.914: ----------
Sat 2023-04-29 09:41:53.220: Session 00773283; child 0001
Sat 2023-04-29 09:41:53.220: Accepting SMTP connection from 167.248.133.187:38580 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:53.223: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:53 -0400
Sat 2023-04-29 09:41:53.223: <-- K
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.223: <--
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.223: <--
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.775: <--
Sat 2023-04-29 09:41:53.775: Too many errors encountered
Sat 2023-04-29 09:41:53.775: SMTP session terminated (Bytes in/out: 336/179)
Sat 2023-04-29 09:41:53.776: ----------
Sat 2023-04-29 09:41:54.057: Session 00773284; child 0001
Sat 2023-04-29 09:41:54.057: Accepting SMTP connection from 167.248.133.187:37494 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:54.058: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:54 -0400
Sat 2023-04-29 09:41:54.059: <-- œ
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <-- À+À®ÌÀ¬ÀÀ#
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <-- À
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <--
Sat 2023-04-29 09:41:54.059: Too many errors encountered
Sat 2023-04-29 09:41:54.059: SMTP session terminated (Bytes in/out: 417/179)
Sat 2023-04-29 09:41:54.059: ----------
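One way to do what the question asks, as an added example that is not from the original post and not MDaemon's own tooling: a script that pulls the source IPs out of MDaemon log lines in the format quoted above, keeps the ones whose every session died at the greeting (the `Too many errors encountered` cut-offs and the `SSL error` / `SSL negotiation failed` sessions), checks each survivor against a DNSBL with the standard reversed-octet query and against a DROP-style netblock list, and prints the `netsh advfirewall` rule that blocks the result. A note on the log itself: the `<--` lines in the SMTP log are not text. `À` is byte 0xC0 and `Ì©` is 0xCC 0xA9, so a run like `À+À/À,À0` is the cipher-suite list of a TLS ClientHello delivered to a port that was waiting for a plaintext EHLO, which is why MDaemon answers `500 5.0.0 Unrecognized command` three times and hangs up; the `0x80090331` (no common algorithm) sessions are the same probing on the TLS side. The log lines, the DROP-style list, the DNSBL answers, the documentation-range addresses and the rule name in the script are all constructed for the example; `make_resolver` is a stand-in for `socket.gethostbyname` so it runs offline, and leaving `resolve=` at its default sends real queries to `zen.spamhaus.org`.

```python
import ipaddress
import re
import socket
from collections import Counter, defaultdict

# Constructed sample in the MDaemon log format quoted above; the addresses are
# RFC 5737 documentation ranges, not the scanners from the real logs.
SAMPLE_LOG = """\
Sat 2023-04-29 09:40:13.202: Accepting SMTP connection from 192.0.2.223:53396 to 203.0.113.10
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: Too many errors encountered
Sat 2023-04-29 09:40:13.514: Accepting SMTP connection from 192.0.2.223:38992 to 203.0.113.10
Sat 2023-04-29 09:40:13.516: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.516: Too many errors encountered
Sat 2023-04-29 09:40:56.122: Accepting SMTP connection from 198.51.100.9:42486 to 203.0.113.10
Sat 2023-04-29 09:40:56.196: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.793: Accepting POP3 connection from 198.51.100.9:33830 to 203.0.113.10
Sat 2023-04-29 09:40:56.796: * SSL negotiation failed, error code 0x80090331
Sat 2023-04-29 09:41:00.000: Accepting SMTP connection from 192.0.2.200:40000 to 203.0.113.10
Sat 2023-04-29 09:41:00.005: Too many errors encountered
Sat 2023-04-29 09:41:01.000: Accepting SMTP connection from 192.0.2.200:40001 to 203.0.113.10
Sat 2023-04-29 09:41:01.005: Too many errors encountered
Sat 2023-04-29 09:41:10.000: Accepting SMTP connection from 192.0.2.40:51000 to 203.0.113.10
Sat 2023-04-29 09:41:10.011: --> 500 5.0.0 Unrecognized command
"""
# Constructed stand-in for a DROP-style netblock list ('CIDR ; comment' per line).
SAMPLE_DROPLIST = "; constructed example list\n198.51.100.0/24 ; constructed entry\n"
# ZEN answers 127.0.0.10/11 for PBL listings (end-user/dynamic space, where a customer
# on a home connection lands), so a PBL-only hit is no reason for a firewall block.
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
ACCEPT_RE = re.compile(r"Accepting (?:SMTP|POP3|IMAP) connection from (\d{1,3}(?:\.\d{1,3}){3}):\d+")

def parse_sessions(log_text):
    """Per source IP: sessions opened, 500 replies sent, sessions that died at the greeting."""
    stats, current = defaultdict(Counter), None
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            current = m.group(1)
            stats[current]["sessions"] += 1
        elif current is None:
            continue
        elif "500 5.0.0 Unrecognized command" in line:
            stats[current]["unrecognized"] += 1
        elif any(s in line for s in ("Too many errors", "SSL error", "SSL negotiation failed")):
            stats[current]["dead"] += 1
    return stats

def suspects(stats, min_dead=2):
    """IPs with at least min_dead sessions, every one of which died at the greeting."""
    return sorted((ip for ip, c in stats.items() if c["dead"] >= min_dead and c["dead"] == c["sessions"]),
                  key=ipaddress.ip_address)

def dnsbl_name(ip, zone):
    """192.0.2.223 in zone Z is queried as 223.2.0.192.Z (octets reversed)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_lookup(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname):
    """The 127.x.y.z answer for ip, or None if not listed. Spamhaus answers 127.255.255.x
    when it rejects the query (e.g. via an open/public resolver): an error, not a listing."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None
    if answer.startswith("127.255.255."):
        raise RuntimeError(f"{zone} rejected the query for {ip}: {answer}")
    return answer

def make_resolver(table):  # offline stand-in for socket.gethostbyname over a constructed table
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(f"{name}: NXDOMAIN")
    return resolve

def load_netblocks(text):  # DROP-style list: one CIDR per line, ';' starts a comment
    return [ipaddress.ip_network(e, strict=False) for e in
            (ln.split(";", 1)[0].strip() for ln in text.splitlines()) if e]

def build_blocklist(log_text, droplist_text, resolve=socket.gethostbyname, zone="zen.spamhaus.org"):
    """Suspect -> reason, for suspects inside a listed netblock or with a non-PBL DNSBL hit."""
    blocks, verdict = load_netblocks(droplist_text), {}
    for ip in suspects(parse_sessions(log_text)):
        hit = next((b for b in blocks if ipaddress.ip_address(ip) in b), None)
        if hit is not None:
            verdict[ip] = f"netblock {hit}"
            continue
        answer = dnsbl_lookup(ip, zone, resolve)
        if answer is not None and answer not in PBL_CODES:
            verdict[ip] = f"{zone} {answer}"
    return verdict

def netsh_block_rule(name, addresses):
    """Inbound block rule for Windows Firewall via netsh advfirewall (present on Server 2012 R2)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    remote = ",".join(str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n) for n in nets)
    return f'netsh advfirewall firewall add rule name="{name}" dir=in action=block remoteip={remote}'

if __name__ == "__main__":  # offline demo with constructed DNSBL answers; omit resolve= for the real zone
    fake = make_resolver({"223.2.0.192.zen.spamhaus.org": "127.0.0.4", "200.2.0.192.zen.spamhaus.org": "127.0.0.10"})
    print(netsh_block_rule("MDaemon scanner block", build_blocklist(SAMPLE_LOG, SAMPLE_DROPLIST, resolve=fake)))
```

Three things a firewall-level block built this way has to get right. ZEN folds in the PBL, which lists end-user and dynamic address space, so a rule that blocks every ZEN hit would also shut out the cleaned-up home-connection customers the post wants to let back in; the script therefore ignores the 127.0.0.10/11 answers. Spamhaus returns 127.255.255.x instead of a listing when a query comes through an open or public resolver or exceeds the free-use quota, and the script raises on that rather than quietly reading it as "not listed". And `netsh advfirewall firewall add rule` with a name that already exists creates a second rule rather than replacing the first, so a scheduled run should `delete rule name="..."` before adding, or manage one rule with `Set-NetFirewallRule -RemoteAddress` from the PowerShell NetSecurity module that Server 2012 R2 ships. For a wholesale feed rather than per-offender lookups, the Spamhaus DROP list is the one published specifically for router and firewall use; fetch it on a schedule and pass its text in place of `SAMPLE_DROPLIST`.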