hMailServer has a couple of spam protection measures built in, such as DNS blacklists and SURBL support. Among other features, you can also ban single IP addresses or IP ranges from connecting to your mail server.
While recently browsing through the log files, I noticed a couple of IP addresses which repeatedly connected to the mail server to log in, but kept their rate over the default 30-minute auto-ban timer.
Interestingly, those addresses chose to authenticate via AUTH LOGIN but failed every time to provide a valid password. This results in the server answering with
535 Authentication failed
and closing the conversation.
In the log file, the status code 535 looks like this:
"SMTPD" 3228 21101 "2016-02-03 00:05:19.743" "xxx.xx.xx.xxx" "SENT: 535 Authentication failed. Too many invalid logon attempts."
To find the conversations ending in status code 535, we can simply grep or findstr the relevant log files:
grep "SENT: 535" *.log
In the log files, the IP address is logged in the sixth whitespace-separated token (the quoted timestamp takes up two tokens), so we can iterate over the resulting lines with the shell's for command using the option /f "tokens=6".
Then we sort and count:
(for /f "tokens=6" %i in ('grep "SENT: 535" *.log') do @echo %i) | sort | uniq -c
To count the resulting IP addresses, I use my tool uniq, implemented after the Unix command uniq.
Similarly, one could also search for "550 Unknown user".
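The same per-IP count for the 535 and 550 responses, done in Python as an added example that is not part of the original post. It splits the quoted fields properly instead of relying on the sixth token, so it does not break if the log format gains or loses a column; the log lines and IP addresses below are constructed sample data.

```python
"""Count hMailServer SMTPD 535/550 responses per client IP (added example)."""
import re
import shlex
from collections import Counter

# Constructed sample log lines in hMailServer's quoted, space-separated format.
# The timestamp field contains a space, which is why the post's for /f trick
# needs token 6; shlex.split honours the quotes and yields the IP as field 4.
SAMPLE_LOG = '''\
"SMTPD" 3228 21101 "2016-02-03 00:05:19.743" "203.0.113.10" "SENT: 535 Authentication failed. Too many invalid logon attempts."
"SMTPD" 3228 21102 "2016-02-03 00:05:21.101" "203.0.113.10" "SENT: 535 Authentication failed."
"SMTPD" 3228 21103 "2016-02-03 00:06:02.500" "198.51.100.7" "SENT: 535 Authentication failed."
"SMTPD" 3228 21104 "2016-02-03 00:07:44.020" "203.0.113.10" "SENT: 550 Unknown user"
"SMTPD" 3228 21105 "2016-02-03 00:08:10.000" "192.0.2.55" "SENT: 250 OK"
'''

STATUS_RE = re.compile(r"^SENT: (\d{3})\b")


def parse_line(line):
    """Return (client_ip, status_code) for an SMTPD 'SENT:' line, else None."""
    fields = shlex.split(line)
    if len(fields) < 6 or fields[0] != "SMTPD":
        return None
    m = STATUS_RE.match(fields[5])
    if not m:
        return None
    return fields[4], int(m.group(1))


def count_by_ip(log_text, codes=(535, 550)):
    """Map each status code of interest to a Counter of client IPs."""
    counts = {code: Counter() for code in codes}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in counts:
            counts[parsed[1]][parsed[0]] += 1
    return counts


def offenders(counts, code, threshold):
    """IPs whose count for `code` reaches `threshold`, most frequent first."""
    return sorted(((ip, n) for ip, n in counts[code].items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for code, ctr in count_by_ip(SAMPLE_LOG).items():
        for ip, n in ctr.most_common():
            print(f"{n:>5} {code} {ip}")
```

Point `count_by_ip` at the concatenated contents of the real log files, and feed `offenders(..., 535, threshold)` into an IP range ban list or a blocklist review.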