On 23/05/2024 08:33, Northwind via Postfix-users wrote:
Hello list,
In the last two days, my mail system (small size) has come under attack.
mail.log shows a lot of this stuff:
May 23 06:24:29 mx postfix/smtpd[2655149]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
And fail2ban has dropped 2000+ blacklisted IPs:
$ sudo iptables -L -n|grep DROP|wc -l
2614
The attack continues at this time.
My questions are:
1. What's the purpose of this kind of attack? Brute-force password
cracking, or DDoS?
2. How to strengthen email system security to stop this?
I use postscreen with the spamhaus/spamcop/barracudacentral lookups, as
well as fail2ban. Between them, a lot of these are stopped.
And I manually add stuff to my badsmtp.in file, running PF on Solaris.
Cheers,
Gary B-)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
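A worked example, added here and not part of either message in the thread: a small Python script that parses the smtpd warnings quoted in the original post, decodes the trailing base64 token (UGFzc3dvcmQ6 is base64 for the string "Password:", i.e. the prompt the SASL LOGIN mechanism sends after the client has supplied a username), tallies failures per source IP and per listener (smtpd vs. smtps/smtpd), and applies a fail2ban-style sliding window (maxretry failures within findtime seconds) to pick ban candidates. The sample log is the nine lines from the post with the mail client's line wraps undone; the threshold values (3 failures in 600 seconds) are chosen for this small sample and are assumptions, not fail2ban's shipped defaults or anything the posters configured.

```python
import base64
import re
from collections import Counter, defaultdict
from datetime import datetime

# The nine warnings quoted in the original post, one log entry per line
# (the mail client had wrapped each of them onto two lines).
SAMPLE_LOG = """\
May 23 06:24:29 mx postfix/smtpd[2655149]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

# Shape of a Postfix smtpd SASL-failure warning as syslog writes it.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<service>[\w/]+)\[(?P<pid>\d+)\]: warning: "
    r"(?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<detail>.*)$"
)


def decode_challenge(detail):
    """Return the trailing token decoded from base64 when it is printable
    ASCII (e.g. 'UGFzc3dvcmQ6' -> 'Password:'), else None for plain-text
    errors such as 'Connection lost to authentication server'."""
    try:
        text = base64.b64decode(detail, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if text.isprintable() else None


def parse_log(lines):
    """Turn SASL-failure warnings into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Syslog timestamps carry no year; strptime defaults it to 1900, which
        # is fine for computing intervals within one log.
        rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        rec["challenge"] = decode_challenge(rec["detail"])
        records.append(rec)
    return records


def summarize(records):
    """Counts per source IP, per listener, per mechanism and per decoded
    challenge: enough to tell a distributed password-guessing run from
    a single-source flood."""
    return {
        "per_ip": Counter(r["ip"] for r in records),
        "per_service": Counter(r["service"] for r in records),
        "per_mech": Counter(r["mech"] for r in records),
        "challenges": Counter(r["challenge"] or r["detail"] for r in records),
    }


def ban_candidates(records, maxretry=3, findtime=600):
    """Sliding-window counter in the spirit of fail2ban's maxretry/findtime:
    an IP becomes a ban candidate once it has maxretry failures within
    findtime seconds. Records must be in log (time) order. The defaults here
    are chosen for the sample, not taken from fail2ban."""
    recent = defaultdict(list)
    banned = set()
    for rec in records:
        hits = recent[rec["ip"]]
        hits.append(rec["time"])
        # Drop hits older than the window; the newest hit always stays.
        while (rec["time"] - hits[0]).total_seconds() > findtime:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned.add(rec["ip"])
    return banned


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stats = summarize(recs)
    print("failures per IP:", stats["per_ip"].most_common())
    print("per listener:", dict(stats["per_service"]))
    print("last challenge seen:", dict(stats["challenges"]))
    print("ban candidates (3 in 10 min):", sorted(ban_candidates(recs)))
```

On the nine quoted lines this reports eight failures at the "Password:" prompt and one backend error, spread over six source addresses on both the port 25 and the smtps listener, with only 194.169.175.17 reaching three failures inside the window. That spread (many addresses, few attempts each) is what makes per-IP banning alone leaky: the same function run with maxretry=2 already flags a second address, and a real log over two days will show how far the sources rotate.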