On 17 October 2011 11:31, Robert Schetterer <rob...@schetterer.org> wrote:
> On 17.10.2011 17:16, Simon Brereton wrote:
>> Hi
>>
>> This is a new one on me - I've never seen spammers attempt to use SASL
>> Auth to inject spam. None of the users they are trying (newsletter, dummy,
>> test, etc.) exist, but what worries me is the illegal chars error - is this
>> a known vulnerability in dovecot they are trying to exploit? I'm running
>> 1:1.2.15-7 installed from apt-get..
>>
>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
>> Oct 17 15:07:16 mail dovecot: auth(default): passdb(newslet...@mydomain.net,208.86.147.92): Attempted login with password having illegal chars
>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<t...@mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known
>>
>>
>> Simon
>>
>
> This may be a brute force attack, or more simply someone has misconfigured his
> client. You may use fail2ban etc. to block it; not directly related to dovecot.
17 queries in 30 seconds is not a misconfigured client :) And I'm already using Fail2Ban - but as someone on this list pointed out recently, that doesn't apply if they try X attempts on the same connection. Although I don't think that was the case here - maybe I should update my dovecot jail with that illegal chars line.

But, be that as it may - all these attempts failed because the user didn't exist. What if the user exists though? Does this illegal chars error make a hole for them to enter through?

Simon
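The thread raises two detection points: the "Attempted login with password having illegal chars" line is not matched by a stock dovecot jail, and a line-based ban rule counts one line per connection even when the "Disconnected (auth failed, N attempts)" summary says the client made N guesses on that connection. The following is an added example (not code from the thread or from Dovecot/Fail2Ban) that matches both line shapes, weights the disconnect line by its attempt counter, and applies a sliding findtime/maxretry window per remote IP. The log lines are constructed to resemble the ones quoted above, with addresses from documentation ranges; the `FAIL2BAN_FAILREGEX` strings are this example's own suggested patterns, not shipped Fail2Ban filters.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the thread (not real data).
# 203.0.113.5 is the brute-forcer; 198.51.100.7 and 192.0.2.10 are ordinary users.
SAMPLE_LOG = """\
Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[203.0.113.5]
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@example.net,203.0.113.5): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@example.net>, method=PLAIN, rip=203.0.113.5, lip=203.0.113.250
Oct 17 15:07:19 mail dovecot: pop3-login: Disconnected (auth failed, 5 attempts): user=<dummy@example.net>, method=PLAIN, rip=203.0.113.5, lip=203.0.113.250
Oct 17 15:08:02 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<alice@example.net>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.250
Oct 17 15:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob@example.net>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.250
"""

# The auth process logs one line per rejected attempt whose password failed the
# character check; the IP is the second field inside passdb(...).
ILLEGAL = re.compile(
    r"passdb\([^,)]*,(?P<ip>[0-9.]+)\): Attempted login with password having illegal chars"
)
# The login process logs one line per connection, with the number of attempts made on it.
DISCONNECT = re.compile(
    r"Disconnected \(auth failed, (?P<n>\d+) attempts\): .*?rip=(?P<ip>[0-9.]+)"
)

# Equivalent failregex strings in Fail2Ban's <HOST> notation (suggested patterns, an
# assumption of this example). Note that Fail2Ban counts each matched line once, so
# the attempt counter in the disconnect line is not applied there.
FAIL2BAN_FAILREGEX = [
    r"passdb\([^,)]*,<HOST>\): Attempted login with password having illegal chars",
    r"Disconnected \(auth failed, \d+ attempts\): user=<[^>]*>, method=\S+, rip=<HOST>,",
]


def parse_events(log_text):
    """Yield (timestamp, ip, attempts) for every auth-failure line in the log."""
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if m:
            weight = int(m.group("n"))
        else:
            m = ILLEGAL.search(line)
            if not m:
                continue  # postfix and other unrelated lines are skipped
            weight = 1
        # Syslog timestamps carry no year; for a windowing check that is fine.
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        yield ts, m.group("ip"), weight


def offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: attempts} for IPs whose failed attempts within any findtime-second
    window reach maxretry. The value is the weighted count at the moment the
    threshold was first crossed.

    Caveat: if the same connection produces both an illegal-chars line and a
    disconnect line, that attempt is counted twice; that biases toward banning,
    which is usually acceptable for this kind of rule."""
    recent = defaultdict(list)  # ip -> [(ts, attempts), ...] inside the window
    banned = {}
    for ts, ip, n in parse_events(log_text):
        events = recent[ip]
        events.append((ts, n))
        while events and (ts - events[0][0]).total_seconds() > findtime:
            events.pop(0)
        total = sum(a for _, a in events)
        if total >= maxretry and ip not in banned:
            banned[ip] = total
    return banned


if __name__ == "__main__":
    for ip, attempts in offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {attempts} failed attempts within window")
```

With the defaults, only 203.0.113.5 is flagged: its three events inside 600 seconds add up to 1 + 1 + 5 = 7 attempts, while the two ordinary users stay under the threshold. If `count_illegal_chars`-style double counting is a concern on a given server, the disconnect line alone (with its attempt counter) is the more accurate single source, since it already includes the attempts the auth process rejected.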