Authentication Failure in Log


49 replies to this topic

#41 David Wagner

David Wagner
  • Members
  • 16 posts

Posted 05 October 2016 - 01:41 AM

Any updates on this topic? I guess not... Sorry, but a case still exists after 3 years? Seriously?

 

We'd like to block a sender after 3 or 5 authentication failures and not after 500! To use this threshold together with the rate control is just stupid...



#42 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 05 October 2016 - 12:08 PM

While it has been prioritized, it has been back burnered for more important features such as Advanced Threat Detection and anti virus improvements.



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#43 opjose

opjose
  • Members
  • 249 posts
  • Location: Washington D.C. Area

Posted 12 October 2016 - 01:43 PM

+1 on David's suggestion.

 

Our system gets hammered by people using dictionary attacks on authentication (we don't use it at all since all e-mail origination is internal).



#44 David Wagner

David Wagner
  • Members
  • 16 posts

Posted 17 October 2016 - 08:07 AM

While it has been prioritized, it has been back burnered for more important features such as Advanced Threat Detection and anti virus improvements.

 

Really? To block macro viruses on Office documents...? Would be interesting to see that "feature priority list".



#45 Matt Kehler

Matt Kehler
  • Members
  • 1 posts

Posted 30 January 2017 - 11:54 AM

delete post



#46 Nathon Plumlee

Nathon Plumlee
  • Members
  • 3 posts

Posted 27 February 2017 - 08:06 PM

I don't understand why the IP filtering does not happen before authentication can be performed. On most other systems I've used it worked that way and eliminated a ton of traffic with login attempts. It's like I need to put a real IP filtering system in front of the Barracuda, as it is not actually filtering IP addresses at all. Seems totally backwards to me, but it is what it is.



#47 Nathon Plumlee

Nathon Plumlee
  • Members
  • 3 posts

Posted 27 February 2017 - 08:14 PM

You can do that and it helps... however you'll go crazy trying to do this to each one.

 

I look for spammers/scammers hammering our anti-spam filter. e.g. any domain reporting over 2000+ or more attempts in a day, and I will block them at our FIREWALL (not the anti-spam system) so that they see no connectivity to our anti-spam system at all.

 

This has worked well. After a few months of doing this once a week or so, the most egregious scammer/spammers have gone away for us, though I keep monitoring things via e-mailed reports from the system.

 

I guess that's what I need to do. The IP filter on this thing seems pointless if it doesn't kick in until after an authentication attempt can be made. I thought I had a setting wrong or our system had an issue, but calling tech support they confirmed that yes, an attempt to authenticate can be made even after the originating IP/block of IP addresses has been blocked. I was kind of shocked when tech support told me that this is by design. I suppose this may generate more sales of their firewall product though; I can't think of any other reason to implement it this way. Definitely makes me want to look at other options once the terms are up for us.
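
Added example, not part of any post in this thread and not Barracuda code: a sliding-window counter that turns the "block after 3 or 5 authentication failures" request and the "over 2000 attempts in a day, block at the firewall" routine into one check that yields a list of source IPs for a firewall deny rule. The log format, the `AUTH_FAIL` event name and the sample lines are constructed assumptions; lines are assumed to be in time order.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<ISO time> <source IP> <event>"
# format; this is NOT the ESG's real log layout.
SAMPLE_LOG = """\
2017-02-27T20:00:01 203.0.113.7 AUTH_FAIL
2017-02-27T20:00:03 203.0.113.7 AUTH_FAIL
2017-02-27T20:00:04 198.51.100.20 AUTH_FAIL
2017-02-27T20:00:09 203.0.113.7 AUTH_FAIL
2017-02-27T20:05:00 198.51.100.20 AUTH_FAIL
2017-02-27T20:30:00 198.51.100.20 AUTH_FAIL
garbage line that should be skipped
2017-02-27T20:31:00 192.0.2.55 DELIVERED
"""

def parse(line):
    """Return (timestamp, ip, event), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        ip = str(ipaddress.ip_address(parts[1]))  # never emit junk as a block target
    except ValueError:
        return None
    return ts, ip, parts[2]

def find_offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Map each IP to the time it first hit `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "AUTH_FAIL":
            continue
        ts, ip, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, ts in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {ts.isoformat()}")
```

Calling `find_offenders(lines, threshold=2000, window=timedelta(days=1))` gives the once-a-day review at the higher volume instead of the low per-sender threshold.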



#48 opjose

opjose
  • Members
  • 249 posts
  • Location: Washington D.C. Area

Posted 27 February 2017 - 08:26 PM

Ultimately IP filtering is a band-aid solution.

 

I would prefer to see active Honey-Potting once a sender hits a settable limit.

 

That at the least slows them down, and at best hangs up the remote machines so much that they don't bother retrying.



#49 Sunair

Sunair
  • Members
  • 1 posts

Posted 18 April 2017 - 11:10 AM

Hey guys 4 years in, any update on this? I haven't seen anything in the release notes all the way up to 8.0.2, so I guess it's still being worked on?



#50 Thibaud Maes

Thibaud Maes
  • Members
  • 7 posts

Posted 31 October 2018 - 09:50 AM

Hi all,

 

I noticed this issue on our and multiple customer ESGs too.

Even if all these attempts fail and should fail in the future too, as we don't use authenticated relay, I think it's still very annoying, as it pollutes the message log massively...

 

A support ticket I created at Barracuda this week doesn't look like it will bring some help from their side... Their reply is to block those IPs on our Firewall. Well... that's probably a temporary solution as those IPs are likely to change in the future...

 

However, our nice firewall has the command "AUTH LOGIN" blocked BY DEFAULT when creating an SMTP proxy with the recommended settings. This does the trick... immediately... for all IPs.

Back in time I didn't choose to proxy SMTP traffic from the internet, because I didn't want our Firewall's security filters to interfere with Barracuda ESG, because this led to some unwanted side effects, but now I reactivated a proxy on it for this purpose (and disabled some of the security features so I don't get these unwanted effects back).

 

That's a good workaround for me, but I'd really like to see a solution from Barracuda, as I think it could be solved on the ESG also.

Why would it accept the AUTH LOGIN command while no authenticated relaying is configured? Just disable it and silently block IPs that are trying to use that. Would be a solution, no? Eventually keep these logs somewhere for Barracuda support, but not in the message log.

 

Barracuda doesn't have to forget that if their customers start solving this on their Firewalls, they might also just start using their firewall's anti-spam features and the ESG goes straight to the recycle bin...

 

Hoping for some positive news regarding this...