Made a powershell script to parse SMTP Receiving log

Hi, I made the below PowerShell script so that I can catch any attempted auto-logins or relay attempts from malicious servers.

You need to have the Log Level for the SMTP Receiving Service set to “Protocol Communication”, and ‘Local Services Log’ for SMTP Receiving should be its own file; you can use “SMTP Receiving.txt” like me, or change the location/filename in the script.

The script will then output to a logfile where you will get the IP Address that tried to connect to your mail server, where it tried to connect from, and how many times it tried to connect.

With that info, I add the IP addresses in the ‘Global Access Control’ as a denied IP, or IP Range if I see that it’s a larger IP Range.

I run the script once per day and update the Global access list a few times a week.

This has majorly reduced the allowed connections to my Mail server, as it is being blocked immediately.

Hope this can be used by someone else.

```powershell
$SMTPLog        = ".\SMTP Receiving.txt"
$FileContent    = Get-Content $SMTPLog
$keywordPattern = "Authentication failed"   # a failed AUTH inside a session
$dataPattern    = "closing session from"    # end-of-session line carrying the peer IP
$found          = $false
$Today          = Get-Date -Format dd.MM.yyyy
$Logfile        = ".\SMTP Receiving check_$Today.log"

function Get-IPGeolocation {
  Param
  (
    [string]$IPAddress
  )

  # Third-party lookup over plain HTTP; the queried IP is sent to ip-api.com
  $request = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$IPAddress"

  [PSCustomObject]@{
    IP      = $request.query
    City    = $request.city
    Country = $request.country
    Isp     = $request.isp
  }
}

function Write-IPReport {
  Param
  (
    [string]$IPAddress
  )

  Get-IPGeolocation -IPAddress $IPAddress >> $Logfile
  # Escape the address so its dots match literally instead of as regex wildcards
  $hits = Select-String -Path $SMTPLog -Pattern ([regex]::Escape($IPAddress))
  # Every connection logs the IP at least twice (accepted + closing), hence the /2
  $CountMatches = [math]::Round(@($hits).Count / 2)
  Write-Output "Found '$IPAddress' $CountMatches Times" >> $Logfile
  Write-Output "------------------------------------------------" >> $Logfile
}

# Note: sessions are not tracked by their SMTP-IN id, so with concurrent
# sessions a failure can be attributed to whichever session closes next.
foreach ($line in $FileContent) {
    if ($line.Contains($keywordPattern)) {
        $found = $true
    }
    if ($line.Contains($dataPattern) -and $found) {
        # Text between the first pair of brackets, e.g. [93.190.93.19]
        # https://stackoverflow.com/questions/11299893/powershell-regex-check-for-string-between-brackets
        $r     = [regex] "\[([^\[]*)\]"
        $match = $r.Match($line)
        $text  = $match.Groups[1].Value
        $text1 = $text.Split(':')[0]          # drop a :port suffix if present
        # Report each IP only once per daily log file
        $alreadyLogged = $false
        if (Test-Path $Logfile) {
            $alreadyLogged = Select-String -Path $Logfile -Pattern ([regex]::Escape($text1)) -Quiet
        }
        if (-not $alreadyLogged) {
            Write-IPReport -IPAddress $text1
        }
        $found = $false
    }
}
```

This is an example of an output I got today, a relay attempt from Germany:

[SMTP Receiving check_08.02.2020.log]

IP           City            Country Isp           
--           ----            ------- ---           
93.190.93.19 Mönchengladbach Germany comtrance GmbH


Found '93.190.93.19' 298 Times
------------------------------------------------

This is my ‘SMTP Receiving.txt’ logfile before and after I added the block:

2020-02-08 09:43:01 +0100 08 Petter-HTPC SMTP-IN:00001733: [192.168.10.10:25] connection accepted from [93.190.93.19:52321]
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 220 Petter-HTPC Axigen ESMTP ready
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: << EHLO WIN-LOBKB31JBST
2020-02-08 09:43:01 +0100 08 Petter-HTPC SMTP-IN:00001733: DSN extension denied
2020-02-08 09:43:01 +0100 08 Petter-HTPC SMTP-IN:00001733: Set remote delivery to auth
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-Petter-HTPC Axigen ESMTP hello
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-PIPELINING
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-8BITMIME
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-BINARYMIME
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-CHUNKING
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-SIZE 10485760
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-STARTTLS
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250-HELP
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250 OK
2020-02-08 09:43:01 +0100 16 Petter-HTPC SMTP-IN:00001733: << AUTH gssapi ********
2020-02-08 09:43:04 +0100 02 Petter-HTPC SMTP-IN:00001733: sasl_server_start error: 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table file 'C:\Windows\krb5kt' not found)'
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 535 Authentication failed
2020-02-08 09:43:04 +0100 02 Petter-HTPC SMTP-IN:00001733: Authentication error: Generic error
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: << AUTH login ********
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 334 UGFzc3dvcmQ6
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 334 ********
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 535 Authentication failed
2020-02-08 09:43:04 +0100 02 Petter-HTPC SMTP-IN:00001733: Authentication error for user 'forever': Account not found locally
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: << MAIL FROM:forever@customer.lyse.net
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 250 Sender accepted
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: << RCPT TO:luisvela1029@gmail.com
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 550 Relay denied for <gmail.com>
2020-02-08 09:43:04 +0100 08 Petter-HTPC SMTP-IN:00001733: Reject relay to gmail.com for mail 07A03A
2020-02-08 09:43:04 +0100 16 Petter-HTPC SMTP-IN:00001733: >> 421 Petter-HTPC remote peer has closed connection
2020-02-08 09:43:04 +0100 08 Petter-HTPC SMTP-IN:00001733: closing session from [93.190.93.19]
2020-02-08 09:43:04 +0100 04 Petter-HTPC SMTP-IN:00000000: TCPListener[0.0.0.0:25]: connection from [93.190.93.19:62292] rejected due to service-level rules
2020-02-08 09:43:05 +0100 04 Petter-HTPC SMTP-IN:00000000: TCPListener[0.0.0.0:25]: connection from [93.190.93.19:53904] rejected due to service-level rules
2020-02-08 09:43:06 +0100 04 Petter-HTPC SMTP-IN:00000000: TCPListener[0.0.0.0:25]: connection from [93.190.93.19:50598] rejected due to service-level rules

Updated script attached.
It will now automatically add the IP to the Windows Firewall if the failed login attempts reach 20 or more per day
(this can be changed at the top of the script).

You need a separate log file for “SMTP Receiving”. Not sure if it needs to be set to Protocol Logging, but mine is.
Log file rotation is set to Daily, so it rotates at midnight.
I set this to run as a scheduled task at 23:30 every day.

Change the file extension to .ps1; it also needs to run elevated (as administrator).

SMTP Receiving check.txt (4.9 KB)

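The parser above pairs each "Authentication failed" with the next "closing session from" line, so concurrent sessions can be mixed up, and the threshold-based firewall step from the update is only in the attachment. The block below is an added example of my own, not the attached script: it follows the SMTP-IN session id instead and blocks any IP at or above the 20-per-day threshold with a Windows Firewall rule. It assumes the log format shown in this thread, IPv4 peers, an elevated PowerShell with the NetSecurity module, and a rule name I made up.

```powershell
# Added example, not the attached script: attribute each "535 Authentication failed"
# to its SMTP-IN session id, count failures per remote IP, and block repeat offenders.
# Assumes the Axigen log format shown in this thread, IPv4 peers, and an elevated shell.
$SMTPLog   = ".\SMTP Receiving.txt"
$Threshold = 20                                  # failed logins per day before blocking
$RuleName  = "Axigen SMTP failed-login block"    # hypothetical firewall rule name

# "SMTP-IN:00001733: [192.168.10.10:25] connection accepted from [93.190.93.19:52321]"
$acceptRe = '^\S+ \S+ \S+ \d+ \S+ SMTP-IN:(?<sid>\w{8}): \[[^\]]+\] connection accepted from \[(?<ip>[^\]:]+)'
$failRe   = '^\S+ \S+ \S+ \d+ \S+ SMTP-IN:(?<sid>\w{8}): >> 535 Authentication failed'

$sessionIp = @{}    # session id -> remote IP
$failures  = @{}    # remote IP  -> failed AUTH count

foreach ($line in Get-Content $SMTPLog) {
    if ($line -match $acceptRe) {
        $sessionIp[$Matches.sid] = $Matches.ip
    }
    elseif ($line -match $failRe -and $sessionIp.ContainsKey($Matches.sid)) {
        $ip = $sessionIp[$Matches.sid]
        $failures[$ip] = 1 + [int]$failures[$ip]
    }
}

$offenders = @($failures.GetEnumerator() | Where-Object { $_.Value -ge $Threshold })
foreach ($o in $offenders) {
    Write-Output ("{0} failed AUTH {1} times - adding to block rule" -f $o.Key, $o.Value)
}

if ($offenders.Count -gt 0) {
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress @($offenders.Key) | Out-Null
    }
    else {
        # Merge with addresses already on the rule so earlier blocks survive
        $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $merged   = @($existing) + @($offenders.Key) |
                    Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
        $rule | Set-NetFirewallRule -RemoteAddress $merged
    }
}
```

Run it against the rotated log of the day you want to review; with the daily rotation described above, a 23:30 scheduled task sees that day's sessions.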