
Email Dictionary Attacks in MTA MODE?! (IMAP port 587 connections in MTA MODE displaying Sophos IP for source, not Attackers!)

How do we make XG report Public address of IMAP/SMTP/POP connections when in MTA mode?

This week I had to deal with a dictionary attacker probing our mail server for valid accounts, about 20-30 per minute. The logs on the mail server were woefully inadequate while in MTA Mode. Since Sophos intercepts email traffic and reverse-proxies the traffic to the servers, I only see the Sophos IP doing the IMAP port 587/tcp connections.

To stop the attack I had to activate SSH on the Sophos, run tcpdump 'port 587', and correlate the timestamps between Sophos and the mail server during the dictionary attack.
I was then able to block the public address space on the firewall to cease the attack.

Is there a way to make Sophos not report itself but the original source addresses while in MTA mode?
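The correlation step described in the post, written out as an added example (not part of the original thread or any Sophos tooling): it joins SYNs seen in a `tcpdump -tttt 'tcp port 587'` capture on the XG with the mail server's authentication failures by timestamp, so that failures the mail server attributes to the XG's internal interface can be mapped back to the real client IP. The capture and log lines are constructed samples; the log format, the 10.0.0.1 interface address and the 3-second window are assumptions, and the window must cover any clock skew between the two hosts.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -tttt 'tcp port 587'` output as seen on the XG
# (XG's clock; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
XG_TCPDUMP = """\
2024-05-06 12:01:03.412 IP 203.0.113.45.51234 > 192.0.2.10.587: Flags [S], seq 1, win 64240
2024-05-06 12:01:05.120 IP 203.0.113.45.51240 > 192.0.2.10.587: Flags [S], seq 2, win 64240
2024-05-06 12:01:06.007 IP 198.51.100.7.40001 > 192.0.2.10.587: Flags [S], seq 3, win 64240
2024-05-06 12:01:08.900 IP 203.0.113.45.51250 > 192.0.2.10.587: Flags [S], seq 4, win 64240
"""

# Constructed mail-server log (assumed format): every connection appears to
# come from the XG's internal interface, 10.0.0.1, which is the problem above.
MAIL_LOG = """\
2024-05-06 12:01:04 auth failed user=alice from=10.0.0.1
2024-05-06 12:01:06 auth failed user=bob from=10.0.0.1
2024-05-06 12:01:07 auth failed user=eve from=10.0.0.1
2024-05-06 12:01:08 auth ok user=carol from=10.0.0.1
2024-05-06 12:01:09 auth failed user=dave from=10.0.0.1
"""

SYN_RE = re.compile(r"^(\S+ \S+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.587: Flags \[S\]")
FAIL_RE = re.compile(r"^(\S+ \S+) auth failed ")

def parse_syns(text):
    """Return [(timestamp, client_ip)] for each inbound SYN to port 587."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)))
    return out

def parse_failures(text):
    """Return the timestamp of every failed authentication in the mail log."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            for m in (FAIL_RE.match(l) for l in text.splitlines()) if m]

def attribute_failures(syns, failures, window=timedelta(seconds=3)):
    """Map each failure to the most recent SYN within `window` before it.
    Returns a Counter of client IPs; failures with no SYN in the window count under None."""
    counts = Counter()
    for t in failures:
        cands = [(ts, ip) for ts, ip in syns if t - window <= ts <= t]
        counts[max(cands)[1] if cands else None] += 1
    return counts

def suspects(counts, threshold):
    """Client IPs with at least `threshold` attributed failures, sorted."""
    return sorted(ip for ip, n in counts.items() if ip and n >= threshold)
```

With the samples above, three failures map to 203.0.113.45 and one to 198.51.100.7; the threshold is the rate you consider abusive, and the attribution is only as good as the two hosts' clock agreement.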



FormerMember replied:

Hi,

Thank you for reaching out to Sophos Community.

In MTA mode XG works as a standalone proxy (an additional mail server).

It receives an email on SMTP/SMTPS and then routes that email to the internal mail server.

As XG itself routes the email to the internal mail server, the server will see the IP address of the local interface.