On 17.10.2011 17:51, Simon Brereton wrote:
> On 17 October 2011 11:31, Robert Schetterer <rob...@schetterer.org> wrote:
>> On 17.10.2011 17:16, Simon Brereton wrote:
>>> Hi
>>>
>>> This is a new one on me - I've never seen spammers attempt to use SASL
>>> Auth to inject spam. None of the users they are trying (newsletter, dummy,
>>> test, etc.) exist, but what worries me is the illegal chars error - is this
>>> a known vulnerability in dovecot they are trying to exploit? I'm running
>>> 1:1.2.15-7 installed from apt-get..
>>>
>>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
>>> Oct 17 15:07:16 mail dovecot: auth(default): passdb(newslet...@mydomain.net,208.86.147.92): Attempted login with password having illegal chars
>>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<t...@mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
>>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known
>>>
>>>
>>> Simon
>>>
>>
>> This may be a brute force attack, or, more easily, someone misconfigured his
>> client; you may use fail2ban etc. to block it.
>> Not directly related to dovecot.
>
> 17 queries in 30 seconds is not a misconfigured client :)
>
> And I'm already using Fail2Ban - but as someone on this list pointed
> out recently, that doesn't apply if they try X attempts on the same
> connection. Although, I don't think that was the case here - maybe I
> should update my dovecot jail with that illegal chars line. But, be
> that as it may - all these attempts failed because the user didn't
> exist. What if the user exists though? Does this illegal chars error make
> a hole for them to enter through?
>
> Simon
>
As I posted to you off-list, this is an SMTP attack; look at your (i.e. fail2ban) postfix rules. The fail2ban dovecot rule is for banning pop3/imap brute force.

-- 
Best Regards
MfG
Robert Schetterer
Germany/Munich/Bavaria
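The thread's two points, that the "auth failed, N attempts" counter hides attempts made on a single connection and that the SMTP AUTH failures land in the postfix smtpd log rather than only in dovecot's, are shown below in an added detection example that is not part of the thread or of fail2ban. It parses the dovecot lines quoted above plus the usual postfix smtpd SASL failure line (its format and the TEST-NET addresses in the sample log are my assumptions, not from the thread), weights each line by its attempt count, and reports IPs exceeding a fail2ban-style maxretry within findtime seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failed-auth line shapes: the two dovecot lines from the thread, plus the
# postfix smtpd SASL failure line (assumed common format, not in the thread).
AUTH_FAIL = [
    re.compile(r'dovecot: auth\(\w+\): passdb\([^,]*,(?P<ip>[\d.]+)\): '
               r'Attempted login with password having illegal chars'),
    re.compile(r'dovecot: (?:pop3|imap)-login: Disconnected \(auth failed, '
               r'(?P<n>\d+) attempts\): .*\brip=(?P<ip>[\d.]+)'),
    re.compile(r'postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: '
               r'SASL \w+ authentication failed'),
]
TS = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ')

def parse_events(lines, year=2011):
    """Yield (timestamp, ip, attempts) per failed-auth line. 'attempts' is the
    per-connection counter dovecot logs, so several tries on one connection
    still count individually (syslog has no year, so one is assumed)."""
    for line in lines:
        m = TS.match(line)
        if not m:
            continue
        for pat in AUTH_FAIL:
            hit = pat.search(line)
            if hit:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                yield ts, hit['ip'], int(hit.groupdict().get('n') or 1)
                break

def offenders(lines, maxretry=5, findtime=30):
    """Return {ip: peak} for IPs reaching maxretry failed attempts inside any
    findtime-second window (fail2ban's maxretry/findtime semantics)."""
    by_ip = defaultdict(list)
    for ts, ip, n in parse_events(lines):
        by_ip[ip].append((ts, n))
    result = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = 0
        for i, (t_end, _) in enumerate(events):
            window = sum(n for t, n in events[:i + 1]
                         if (t_end - t).total_seconds() <= findtime)
            peak = max(peak, window)
        if peak >= maxretry:
            result[ip] = peak
    return result

# Constructed sample log (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@example.net,203.0.113.7): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<test@example.net>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Oct 17 15:07:19 mail postfix/smtpd[14403]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct 17 15:07:20 mail postfix/smtpd[14403]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 17 15:09:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob@example.net>, method=PLAIN, rip=198.51.100.2, lip=192.0.2.10
""".splitlines()
```

Which ports a ban then covers is decided by the jail, not by this matcher: a dovecot jail bans pop3/imap, so SMTP AUTH abuse needs the postfix jail as well.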