IBM Support

Preventing SMTP dictionary attacks against Domino, and brute force / dictionary attacks against IMAP, POP3, LDAP, and HTTP.

Technote (troubleshooting)


This document applies only to the following language version(s):

English

Problem

You want to prevent external attempts to compromise user credentials through a dictionary attack against SMTP, IMAP, LDAP, or HTTP.

Symptom

A typical symptom is that your SMTP server is sending out a large volume of spam: an attacker who has guessed a user's Internet password authenticates with it and relays mail through your server.


Cause

User credentials may have been compromised through a dictionary attack against SMTP, IMAP, LDAP, or HTTP.

Environment

Any Domino server running SMTP (or another of the Domino Internet protocols mentioned above) that is exposed to the Internet.

Diagnosing the problem

SMTP AUTH is the SMTP extension that lets a client authenticate before sending mail. In Domino it is controlled in the Server document under Ports > Internet Ports > Mail, in the SMTP Inbound (port 25) column, through the Authentication options Name & password and Anonymous.

When Name & password is set to Yes, any user anywhere on the Internet who presents a valid Internet name and password can authenticate and relay SMTP mail through your server. This is exactly what makes an Internet password worth guessing.

Anonymous must remain set to Yes so that the server accepts inbound Internet mail from unauthenticated sending servers; setting it to No would stop all inbound Internet SMTP mail. Protection against relaying through guessed credentials therefore has to come from the credentials themselves and from lockout, not from turning off anonymous connections.



How to determine if a user's credentials have been compromised:

1. Add SMTPDebugIO=3 and log_sessions=2 to the notes.ini file. SMTPDebugIO=3 writes the full SMTP protocol exchange to the log, which is verbose and may include message data, so remove it again once the diagnosis is done.

2. Restart the SMTP task on the Domino server (for example, tell smtp quit followed by load smtp at the server console). In the log output you will see the IP address each authenticated session comes from and the user name being used to relay.

3. Change the Internet password for each such user to a strong password.

Keep in mind that more than one user's credentials may have been compromised; review the whole log rather than stopping at the first hit.
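The review in steps 2 and 3 is tedious by hand on a busy gateway, so the following added script (written for this page, not IBM's code) groups the AUTH attempts in a log extract by source address and user name, flags addresses that look like a dictionary attack (many failures, or failures against several different names), and lists the users who then authenticated successfully from one of those addresses. The sample log lines are constructed, and the exact wording of Domino's authentication messages is an assumption; adjust AUTH_RE to the lines your console log actually produces with SMTPDebugIO=3 and log_sessions=2.

```python
import re
from collections import defaultdict

# ASSUMED line shape for Domino SMTP AUTH logging; adjust to your log.
AUTH_RE = re.compile(
    r"SMTP Server: Authentication (?P<result>succeeded|failed) "
    r"for user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample console log (not real Domino output).
SAMPLE_LOG = """\
04/28/2015 02:10:02 PM  SMTP Server: Authentication failed for user jsmith from 203.0.113.45
04/28/2015 02:10:03 PM  SMTP Server: Authentication failed for user jsmith from 203.0.113.45
04/28/2015 02:10:04 PM  SMTP Server: Authentication failed for user jsmith from 203.0.113.45
04/28/2015 02:10:05 PM  SMTP Server: Authentication failed for user mlee from 203.0.113.45
04/28/2015 02:10:06 PM  SMTP Server: Authentication failed for user mlee from 203.0.113.45
04/28/2015 02:10:07 PM  SMTP Server: Authentication failed for user aharris from 203.0.113.45
04/28/2015 02:10:08 PM  SMTP Server: Authentication succeeded for user aharris from 203.0.113.45
04/28/2015 02:10:09 PM  SMTP Server: Message 0012AB received from 203.0.113.45, 40 recipients
04/28/2015 02:11:30 PM  SMTP Server: Authentication failed for user jsmith from 198.51.100.7
04/28/2015 02:11:41 PM  SMTP Server: Authentication succeeded for user jsmith from 198.51.100.7
04/28/2015 02:12:00 PM  SMTP Server: Authentication failed for user rwong from 192.0.2.99
04/28/2015 02:12:01 PM  SMTP Server: Authentication failed for user rwong from 192.0.2.99
04/28/2015 02:12:02 PM  SMTP Server: Authentication failed for user rwong from 192.0.2.99
04/28/2015 02:12:03 PM  SMTP Server: Authentication failed for user rwong from 192.0.2.99
04/28/2015 02:12:04 PM  SMTP Server: Authentication failed for user rwong from 192.0.2.99
"""


def parse_auth_events(log_text):
    """Yield (result, user, ip) for every AUTH line; other lines are ignored."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyze(log_text, fail_threshold=5, spray_threshold=3):
    """Return attacking addresses and the users whose credentials they used successfully.

    An address is treated as attacking when it failed AUTH at least
    fail_threshold times, or tried at least spray_threshold distinct names
    (a password spray fails only once or twice per name but walks many names).
    """
    failures = defaultdict(int)      # ip -> failed AUTH count
    users_tried = defaultdict(set)   # ip -> distinct user names that failed
    successes = defaultdict(set)     # user -> ips that authenticated as that user
    for result, user, ip in parse_auth_events(log_text):
        if result == "failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        else:
            successes[user].add(ip)
    attacking = {
        ip for ip in users_tried
        if failures[ip] >= fail_threshold or len(users_tried[ip]) >= spray_threshold
    }
    # A success from an attacking address means the guess landed: reset that password.
    compromised = {user for user, ips in successes.items() if ips & attacking}
    return {
        "failures_by_ip": dict(failures),
        "attacking_ips": attacking,
        "compromised_users": compromised,
        "successes_by_user": {u: set(ips) for u, ips in successes.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in sorted(report["attacking_ips"]):
        print(f"investigate/block {ip}: {report['failures_by_ip'][ip]} failed AUTH attempts")
    for user in sorted(report["compromised_users"]):
        print(f"reset Internet password for {user}: authenticated from "
              f"{sorted(report['successes_by_user'][user])}")
```

On the constructed sample, 203.0.113.45 (six failures across three names, then a success as aharris) and 192.0.2.99 (five failures against rwong, no success yet) are reported as attacking, aharris is reported as compromised, and jsmith's single typo from 198.51.100.7 is left alone. The thresholds are starting points; lower them on a gateway with few legitimate AUTH users.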


Resolving the problem

You can use the following feature to lock out accounts after repeated failed attempts to authenticate to your server. It works for SMTP, IMAP, LDAP, and HTTP. If SMTP AUTH is being used by hand-held devices for mail, consider using Traveler, a free add-on to Domino that gives a much better end-user experience than IMAP and SMTP. If it is being used by third-party clients, consider iNotes, or IBM Notes over port 1352 from the Internet, instead of exposing SMTP AUTH.

If you are mandated to use AUTH, Domino has additional functionality that helps defeat dictionary attacks on a user's name and credentials: Internet password lockout. Once enabled it greatly reduces the chance of user credentials being compromised this way in future, because an attacker gets only a handful of guesses per account before the account is locked.

The lockout policy is set in the Configuration Settings document for your Domino SMTP gateway, on the Security tab in the Internet Password Lockout section: enforce Internet password lockout, the log setting, the default maximum tries, the default lockout expiration, and the default clear-failures interval. In addition to these settings you also need the Internet password lockout database, inetlockout.nsf (based on the inetlockout.ntf template). This database logs SMTP AUTH login failures and locks a user out once their failures reach the maximum tries allowed.



Once a user is locked out, the lockout remains until it expires or an administrator deletes that user's entry in the Internet lockout database. Before deleting an entry, check where the failed attempts came from: if they were not the user's own, deleting the entry only reopens the account to the attacker, so reset the Internet password first.
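To make concrete why a small "maximum tries" value stops a dictionary attack, and what deleting a lockout entry does, here is an added model of the lockout policy (written for this page; it is not Domino's implementation). The semantics are assumptions chosen for illustration: a per-user failure counter that resets on a successful login or after a clear-failures window, a lockout that rejects even a correct password until it expires, and an administrator clear that deletes the record. The user name, word list and password are constructed.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """ASSUMED simplified policy mirroring maximum tries / expiration / clear failures."""
    max_tries: int = 5
    lockout_expiration: float = 24 * 3600.0   # seconds the lock lasts
    clear_failures: float = 24 * 3600.0       # seconds after which old failures are forgotten


@dataclass
class UserState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


class LockoutDatabase:
    """Stand-in for the per-user records kept in a lockout database."""

    def __init__(self, policy):
        self.policy = policy
        self.records = {}   # user -> UserState

    def is_locked(self, user, now):
        st = self.records.get(user)
        return st is not None and now < st.locked_until

    def attempt(self, user, password_ok, now):
        """Process one AUTH attempt at time `now`; return 'ok', 'fail' or 'locked'."""
        st = self.records.setdefault(user, UserState())
        if now < st.locked_until:
            return "locked"            # rejected even when the password is right
        if st.failures and now - st.first_failure_at > self.policy.clear_failures:
            st.failures = 0            # failures older than the window no longer count
        if password_ok:
            st.failures = 0
            return "ok"
        if st.failures == 0:
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.policy.max_tries:
            st.locked_until = now + self.policy.lockout_expiration
        return "fail"

    def clear(self, user):
        """What the administrator does by deleting the user's entry."""
        self.records.pop(user, None)


# Constructed word list; "Summer2015" is the (weak) real password, 8th in the list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "monkey", "dragon", "Summer2015", "abc123"]


def simulate_dictionary_attack(wordlist, real_password, policy=None):
    """Attacker tries one word per second against 'jsmith'.

    Returns (outcome, number of guesses the server actually evaluated).
    """
    db = LockoutDatabase(policy or LockoutPolicy())
    for i, guess in enumerate(wordlist):
        result = db.attempt("jsmith", guess == real_password, now=float(i))
        if result == "ok":
            return "compromised", i + 1
        if result == "locked":
            return "locked_out", i
    return "exhausted", len(wordlist)


if __name__ == "__main__":
    print(simulate_dictionary_attack(WORDLIST, "Summer2015"))
    print(simulate_dictionary_attack(WORDLIST, "Summer2015", LockoutPolicy(max_tries=10**9)))
```

With five tries the attack is cut off before it reaches the real password; with no effective limit the same list compromises the account on the eighth guess. The model also shows the caveat a practitioner should plan for: while the account is locked, the real user's correct password is rejected too, so an attacker who only knows user names can lock people out deliberately, and the administrator's fix (clearing the entry) restores access without changing the password. Pair lockout with a password reset whenever the failures were not the user's own.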

Related information

A simplified Chinese translation is available

Document information

More support for: IBM Domino
Mail Server

Software version: 8.0, 8.5, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 1677487

Modified date: 30 April 2015
