On 17.10.2011 17:50, Simon Brereton wrote:
> On 17 October 2011 11:38, John Hinton <webmas...@ew3d.com> wrote:
>> On 10/17/2011 11:13 AM, Simon Brereton wrote:
>>>
>>> Hi
>>>
>>> This is a new one on me - I've never seen spammers attempt to use to SASL
>>> Auth to inject spam.  Has anyone else seen this?
>>>
>>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from
>>> unknown[208.86.147.92]
>>> Oct 17 15:07:16 mail dovecot: auth(default):
>>> passdb(newslet...@mydomain.net,208.86.147.92): Attempted login with password
>>> having illegal chars
>>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1
>>> attempts): user=<t...@mydomain.net>, method=PLAIN, rip=208.86.147.92,
>>> lip=83.170.64.84
>>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92:
>>> hostname default-208-86-147-92.nsihosting.net verification failed: Name or
>>> service not known
>>>
>>>
>>> Simon
>>>
>> I use Fail2Ban to block (automatic firewall) these attempts. You can't be
>> too restrictive or you'll block real users trying to set up their email
>> accounts. Fail2Ban can be set to do a Whois lookup on the offending IP
>> address. If I see it is a US provider, I normally forward the message to the
>> abuse@ address and more times than not, they take care of the kiddie script
>> problem.
>>
>> Basically, they run dictionary attacks on every service available to the
>> public.
> 
> Hi John - I can see it is a dictionary attack.  I get loads of them
> and they don't worry me -  I've just never had one try to authenticate
> for the purpose of sending spam.  All these attempts failed because
> the users they were trying (newsletter, test, dummy, etc) don't exist.
> I've already asked over at the Dovecot list what happens if they hit
> a real user...  In the meantime I need to update my dovecot jail.
> 
> I just wondered if anyone else had seen a brute-force attack on SASL before...
> 
> Does your approach for sending to abuse work for Roadrunner?  I have
> 1000 pings a day from a host on RR cable and when I tried to email
> abb...@rr.com, the connection timed out and the mail sits in the queue
> for 5 days before timing out.
> 
> Simon
> 
Don't double post to lists; this is an SMTP attack, not IMAP/POP3.
Use i.e. fail2ban postfix rules for blocking.

What happens sometimes/in some other cases, if it is not brute force, is
somebody misconfigured his client and has stuff like
trying out sending mails of, i.e., a kind of outgoing folder
in short time terms, and the computer is left alone with this (
mostly overnight).
Most Outlook people...
-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria
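The fail2ban-style counting John and Simon refer to (a "dovecot jail" with maxretry/findtime knobs), as an added example that is not code from this thread or from fail2ban: it parses the dovecot log lines quoted above, weights "auth failed, N attempts" by N, and reports IPs that cross the threshold inside a time window. The sample log reuses the quoted lines plus constructed ones (192.0.2.x is TEST-NET); the year 2011 is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two dovecot failure shapes quoted in the thread:
#   "... Disconnected (auth failed, N attempts): ... rip=IP, ..."
#   "... passdb(user,IP): Attempted login with password having illegal chars"
AUTH_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: .*?"
    r"(?:auth failed, (?P<n>\d+) attempts\).*?rip=(?P<rip>[\d.]+)"
    r"|passdb\([^,]*,(?P<pip>[\d.]+)\): Attempted login with password having illegal chars)"
)

# Constructed sample: the first three lines are the ones quoted in the thread.
SAMPLE_LOG = [
    "Oct 17 15:07:16 mail dovecot: auth(default): passdb(newslet...@mydomain.net,208.86.147.92): Attempted login with password having illegal chars",
    "Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<t...@mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84",
    "Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known",
    "Oct 17 15:08:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<dummy@mydomain.net>, method=PLAIN, rip=192.0.2.10, lip=83.170.64.84",
    "Oct 17 15:08:30 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<test@mydomain.net>, method=PLAIN, rip=192.0.2.10, lip=83.170.64.84",
    # one mistyped password from a legitimate user, hours later: must not be banned
    "Oct 17 20:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice@mydomain.net>, method=PLAIN, rip=192.0.2.77, lip=83.170.64.84",
]

def parse_ts(ts, year=2011):
    # Syslog stamps have no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def failures_by_ip(lines):
    """Return {ip: [(timestamp, weight), ...]} for dovecot auth failures only."""
    out = defaultdict(list)
    for line in lines:
        m = AUTH_FAILED.search(line)
        if not m:
            continue  # postfix lines and anything else are ignored
        ip = m.group("rip") or m.group("pip")
        weight = int(m.group("n") or 1)  # "N attempts" counts as N failures
        out[ip].append((parse_ts(m.group("ts")), weight))
    return out

def offenders(lines, maxretry=5, findtime=600):
    """IPs whose weighted failures inside any findtime-second window reach
    maxretry. Keep maxretry generous, as John notes, so a real user setting
    up a mail account does not get locked out by a few typos."""
    bad = set()
    for ip, events in failures_by_ip(lines).items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = sum(w for t, w in events[i:] if (t - t0).total_seconds() <= findtime)
            if window >= maxretry:
                bad.add(ip)
                break
    return bad
```

With the defaults only 192.0.2.10 (3 + 2 failures within a minute) is reported; the 208.86.147.92 probe from the thread stops at two failures, so a lower maxretry would be needed to catch it at that stage.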
