Need a report on "smtp auth required" or an "smtp auth required" queue

Ray Pesek Posted: 1 Jul 2012 11:21 AM

If someone attempts to send an email to our Protected Domain using a From: email address in our Protected Domain, the connection is blocked and an "SMTP auth required" entry shows up in the Connection Log along with just the source IP address.

The Connection Log in the ESG v7.6.2 does not have enough information to figure out what happened nor is it filterable or searchable for that response. This could either be a legitimate email coming in from a vendor that changed their IP address or someone trying to spoof our internal domain with a malicious email. You literally have to look at every single log entry and there are tens of thousands a day. Exporting the Connection Log does not give the reason for the block; that's why you have to look at each line.

If the Connection Log had sortable columns it would make this a bit easier but without the Reason being part of the table it is still too time-consuming to do.

A queue and a report would be best because we could look at the entire email to see what the sender is trying to do. Being able to see the From: address would be a big help.

Even just adding the Reason to the Connection Log table and making the columns sortable would help a lot.

Thanks for listening,

Ray

 


Websense support gave me a workaround. You can search the Connection Log for phrases "in the bubble". When the NDR is received, it says "SMTP authentication required". When you look in the bubble next to the Blocked message, it says "user authentication failed". So you can search the Connection Log for the word "authentication" and it finds what I was looking for.

For example, you can also search for "relay" and it will find source IPs trying to use you as an open relay.

Ray
