Take a look at: http://hg.dovecot.org/dovecot-2.0/file/962df5d9413a/src/auth/auth-request.c
on line 536. That's the auth service catching illegal characters and rejecting the attempt. It'll happen with or without a valid user. So, working as it should.

As for spammers trying to brute force valid logins, yep, pretty common. Higher rate of success if they can mail from a known good server and account.

* Simon Brereton <simon.brere...@buongiorno.com> [2011-10-17 11:51:15 -0400]:
> On 17 October 2011 11:31, Robert Schetterer <rob...@schetterer.org> wrote:
> > On 17.10.2011 17:16, Simon Brereton wrote:
> >> Hi
> >>
> >> This is a new one on me - I've never seen spammers attempt to use SASL
> >> Auth to inject spam.  None of the users they are trying (newsletter,
> >> dummy, test, etc.) exist, but what worries me is the illegal chars error -
> >> is this a known vulnerability in dovecot they are trying to exploit?  I'm
> >> running 1:1.2.15-7 installed from apt-get.
> >>
> >> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
> >> Oct 17 15:07:16 mail dovecot: auth(default): passdb(newslet...@mydomain.net,208.86.147.92): Attempted login with password having illegal chars
> >> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<t...@mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
> >> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known
> >>
> >>
> >> Simon
> >>
> >
> > this may be a brute force attack, or more easily someone misconfigured his
> > client, you may use fail2ban etc. to block it
> > not directly related to dovecot
>
> 17 queries in 30 seconds is not a misconfigured client :)
>
> And I'm already using Fail2Ban - but as someone on this list pointed
> out recently, that doesn't apply if they try X attempts on the same
> connection.  Although, I don't think that was the case here - maybe I
> should update my dovecot jail with that illegal chars line.  But, be
> that as it may - all these attempts failed because the user didn't
> exist.  What if the user exists though?  Do these illegal chars make
> a hole for them to enter through?
>
> Simon
>

--
Tom Pawlowski
OIT-CSS System Administrator
office: Hill 147
email: tom...@jla.rutgers.edu
phone: (732) 445-2634
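
Added example, not part of the original thread and not Dovecot or Fail2Ban code: a Python check that applies the jail idea discussed above by counting "illegal chars" rejections per remote IP in a sliding window. The sample log lines are constructed (made-up users, documentation addresses), and the threshold of 3, the 30-second window and the function name `find_bursts` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the thread; users and
# addresses (documentation ranges) are made up.
MSG = "Attempted login with password having illegal chars"
SAMPLE_LOG = f"""\
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@example.net,203.0.113.92): {MSG}
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@example.net>, method=PLAIN, rip=203.0.113.92, lip=192.0.2.84
Oct 17 15:07:18 mail dovecot: auth(default): passdb(dummy@example.net,203.0.113.92): {MSG}
Oct 17 15:07:21 mail dovecot: auth(default): passdb(test@example.net,203.0.113.92): {MSG}
Oct 17 15:09:40 mail dovecot: auth(default): passdb(alice@example.net,198.51.100.7): {MSG}
"""

# The username is client-supplied, so match it greedily and anchor the line
# end: the address captured is always the last ",<ip>)" before the message.
ILLEGAL_CHARS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth\([^)]*\): "
    r"passdb\((?P<user>.*),(?P<rip>[0-9A-Fa-f.:]+)\): " + re.escape(MSG) + r"\s*$"
)

def find_bursts(lines, threshold=3, window=timedelta(seconds=30), year=2011):
    """Map each remote IP that reached `threshold` illegal-chars rejections
    within `window` to the sorted usernames it tried."""
    recent = defaultdict(deque)  # rip -> timestamps still inside the window
    users = defaultdict(set)     # rip -> every username seen with this error
    flagged = set()
    for line in lines:
        m = ILLEGAL_CHARS.match(line)
        if m is None:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        users[m["rip"]].add(m["user"])
        if len(q) >= threshold:
            flagged.add(m["rip"])
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, tried in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, tried)
```

Because the count is taken from the auth log lines rather than from disconnect events, several attempts made over one connection are still counted individually.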