Overview
While Kerio Connect server is located behind Kerio Control (connected to the LAN interface), the Connect Security logs report unusual IP addresses trying to access the mail server or guess user passwords:
SMTP: User nnhd@domain.com doesn't exist. Attempt from IP address 45.142.120.147.
SMTP: Authentication attempt from host x.x.x.x denied, insecure authentication not allowed
While checking the reported IP reputation scores, it shows a Poor rating.
These spammers' IP addresses can be rejected by Kerio Control traffic rules.
Solution
In Kerio Control Webadmin, create a separate traffic rule with the following data:
Source: <IP_addresses_reported_in_Connect_logs>
Destination: Firewall
Service: Any
Action: Drop
Note: 45.142.120.147 is just an example here.
Testing
Kerio Connect Security log does not report any SMTP authentication attempts any more. The packets are being dropped by the Kerio Control firewall. Debug logs with "Packets dropped for some reason" show the following:
{pktdrop} packet dropped: Traffic rule: Block Attacks Mail (from Ethernet 3, proto: TCP, len 60, 45.142.120.147:18874 -> 192.168.100.10:25, flags:[ SYN ], seq:3660268187 ack:0, win:29200, tcplen:0