* Duane Hill <duih...@gmail.com>:
> On Mon, 17 Oct 2011, Simon Brereton wrote:
> >This is a new one on me - I've never seen spammers attempt to use SASL
> >Auth to inject spam. Has anyone else seen this?
> >
> >Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from
> >unknown[208.86.147.92]
> >Oct 17 15:07:16 mail dovecot: auth(default):
> >passdb(newslet...@mydomain.net,208.86.147.92): Attempted login with password
> >having illegal chars
> >Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1
> >attempts): user=<t...@mydomain.net>, method=PLAIN, rip=208.86.147.92,
> >lip=83.170.64.84
> >Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname
> >default-208-86-147-92.nsihosting.net verification failed: Name or service
> >not known
> >
>
> Not new here. I'm using Dovecot auth in Postfix:
>
> Oct 25 04:03:31 mailhost postfix/smtpd[4032]: connect from
> unknown[190.234.148.223]:4139
> Oct 25 04:03:36 mailhost dovecot: auth:
> sql(n...@example.com,190.234.148.223): Password mismatch (SHA1 of given
> password: ****)
> Oct 25 04:03:46 mailhost postfix/smtpd[4032]: disconnect from
> unknown[190.234.148.223]:4139
>
> I'm using sshguard on FreeBSD to block these.

It's common. Require good passwords. Use fail2ban to block abuse attempts.
Scan logs for unusual local sender behaviour i.e. outgoing spam.

p@rick

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
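
Added example, not part of any message in this thread and not fail2ban's or sshguard's own code: a small Python sketch of the counting that such blockers do on the Dovecot auth lines quoted above, flagging a remote IP once it reaches a number of failures inside a time window. The function name, the `max_retry`/`find_time`/`year` parameters and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the Dovecot formats quoted in this thread
# (documentation addresses and example.net users, not real hosts).
SAMPLE_LOG = """\
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@example.net,192.0.2.10): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1
Oct 17 15:07:40 mail dovecot: auth: sql(test@example.net,192.0.2.10): Password mismatch
Oct 17 15:08:02 mail dovecot: auth: sql(info@example.net,192.0.2.10): Password mismatch
Oct 17 09:00:00 mail dovecot: auth: sql(alice@example.net,203.0.113.5): Password mismatch
Oct 17 12:00:00 mail dovecot: auth: sql(alice@example.net,203.0.113.5): Password mismatch
Oct 17 16:00:00 mail dovecot: auth: sql(alice@example.net,203.0.113.5): Password mismatch
"""

# Auth-process lines only: "dovecot: auth[(default)]: <passdb>(<user>,<ip>): <msg>".
# The pop3-login "Disconnected (auth failed ...)" line reports the same attempt,
# so it is deliberately not matched, to avoid counting one failure twice.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdovecot: auth(?:\([^)]*\))?: "
    r"\w+\((?P<user>[^,]*),(?P<ip>[^)]+)\): (?P<msg>.*)$"
)
# The two failure messages that appear in the quoted logs.
FAILURE = re.compile(r"Password mismatch|password having illegal chars")


def find_abusers(lines, max_retry=3, find_time=timedelta(minutes=10), year=2011):
    """Return {ip: sorted usernames tried} for IPs with at least max_retry
    failures inside find_time. Syslog stamps carry no year, so one is assumed."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> every account name it tried
    flagged = {}
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m or not FAILURE.search(m["msg"]):
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        users[m["ip"]].add(m["user"])
        if len(window) >= max_retry:
            flagged[m["ip"]] = sorted(users[m["ip"]])
    return flagged


if __name__ == "__main__":
    print(find_abusers(SAMPLE_LOG.splitlines()))
```

The time window is what separates the burst from 192.0.2.10 against several account names from the three mistyped passwords spread over a day from 203.0.113.5.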