Abstract:

On average, university email systems face tens of thousands of brute force authentication attacks every month. Attackers will use the SMTP protocol authentication method to perform brute force authentication on email accounts of university teachers and students. Especially, it is difficult to identify and detect distributed brute force attacks and low-frequency slow brute force attacks, which is a huge threat to the resource consumption and account security of the mail server.Therefore, it is necessary to design a mail access control gateway for abnormal behavior, which can dynamically block malicious IP addresses by analyzing mail logs to capture abnormal attacks. The test results indicate that the gateway has constructed feature rules by analyzing email logs, extracting security events, and capturing abnormal behavior characteristics; based on the leaky bucket algorithm,low-frequency and distributed brute force attacking malicious IPs are captured, and dynamic blocking and lifting of malicious IPs are achieved through linkage with firewalls; designed and implemented an access control gateway and applied it to the campus network, successfully blocking 62% of attack traffic.

Key words: email gateway, access control system, log analysis, abnormal detection