We have multiple servers with cPanel using the CSF/BFD firewall and have noted that, compared with CWP7Pro, there is an important difference between the LFD blocking email reports, which is affecting troubleshooting.
Let me explain that better:
In cPanel we get this kind of LFD blocking email:
Subject: lfd on server02.1ahost.com: blocked 185.28.39.67 (enchanted.tretacting.com)
Body:
Time: Thu Jun 22 05:12:10 2023 -0400
IP: 185.28.39.67 (enchanted.tretacting.com)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SMTPAUTH]
Log entries:
2023-06-22 05:10:34 dovecot_login authenticator failed for (7nFryF6x) [185.28.39.67]:49501 I=[63.247.64.66]:25: 535 Incorrect authentication data (set_id=missabores@arotecmar.com)
2023-06-22 05:10:57 dovecot_login authenticator failed for (FLbYdz) [185.28.39.67]:50062 I=[63.247.64.66]:25: 535 Incorrect authentication data (set_id=missabores@arotecmar.com)
2023-06-22 05:11:21 dovecot_login authenticator failed for (STvwTfvIyi) [185.28.39.67]:51349 I=[63.247.64.66]:25: 535 Incorrect authentication data (set_id=missabores@arotecmar.com)
2023-06-22 05:11:44 dovecot_login authenticator failed for (TMaKa04R) [185.28.39.67]:51820 I=[63.247.64.66]:25: 535 Incorrect authentication data (set_id=missabores)
2023-06-22 05:12:07 dovecot_login authenticator failed for (F1rr1X) [185.28.39.67]:50045 I=[63.247.64.66]:25: 535 Incorrect authentication data (set_id=missabores)
Subject: lfd on server04.1ahost.com: blocked 45.173.197.47 (VE/Venezuela/-)
Body:
Time: Wed Jun 21 11:51:08 2023 -0400
IP: 45.173.197.47 (VE/Venezuela/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SMTPAUTH]
Log entries:
Jun 21 11:01:25 server04 postfix/smtpd[2835386]: warning: unknown[45.173.197.47]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 11:50:19 server04 postfix/smtpd[2861043]: warning: unknown[45.173.197.47]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 11:50:37 server04 postfix/smtpd[2868003]: warning: unknown[45.173.197.47]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 11:50:50 server04 postfix/smtpd[2870459]: warning: unknown[45.173.197.47]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 11:51:03 server04 postfix/smtpd[2862666]: warning: unknown[45.173.197.47]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
How could we solve this situation?
Thanks in advance for your appreciated support on this matter.
Dan
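The difference between the two reports, shown as an added example that is not part of the original post: the Exim lines carry the targeted login in `set_id=`, while the Postfix lines end in `UGFzc3dvcmQ6`, which is only the base64 encoding of the string `Password:` and names no account. The function and field names below are hypothetical; the two sample lines are copied from the reports above.

```python
import base64
import binascii
import re

# Sample input: one log line copied from each LFD report quoted in the post.
EXIM_LINE = ("2023-06-22 05:10:34 dovecot_login authenticator failed for (7nFryF6x) "
             "[185.28.39.67]:49501 I=[63.247.64.66]:25: 535 Incorrect authentication "
             "data (set_id=missabores@arotecmar.com)")
POSTFIX_LINE = ("Jun 21 11:01:25 server04 postfix/smtpd[2835386]: warning: "
                "unknown[45.173.197.47]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")

# Exim: client IP in the first [..] after "failed for", login in (set_id=...).
EXIM_RE = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ "
    r".*?\(set_id=(?P<user>[^)]*)\)")
# Postfix: client IP in host[ip], then a trailing detail token, no login field.
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<detail>\S+)")


def decode_detail(token):
    """Return the base64-decoded text of the detail token, or the raw token."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token  # not base64 text; keep it as logged


def parse_failure(line):
    """Extract the source IP and, where the log format carries it, the login."""
    m = EXIM_RE.search(line)
    if m:
        return {"mta": "exim", "ip": m["ip"], "user": m["user"], "detail": None}
    m = POSTFIX_RE.search(line)
    if m:
        return {"mta": "postfix", "ip": m["ip"], "user": None,
                "detail": decode_detail(m["detail"])}
    return None  # line is not an SMTP AUTH failure in either format


if __name__ == "__main__":
    for sample in (EXIM_LINE, POSTFIX_LINE):
        print(parse_failure(sample))
```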