Hi hoping someone can help me a little with this one. I have 2 mail servers, the incoming mail server runs dovecot
and the outgoing mail server runs postfix with sasl. Lately I noticed a lot of spammers are running dictionary attacks
on my incoming server and then using that user/password for sasl on the
outgoing server. The weird thing is I never see on the logs the guessed
username/password. I always see the ones they can't guess. For example, looking at the logs I see the following dictionary
attack from 94.242.206.37:

Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37, lip=209.213.66.10
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=<hidden>
Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup
...

And so on. Then that IP gets banned by fail2ban:

[root@pop ~]# grep 94.242.206.37 /var/log/fail2ban.log
2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban 94.242.206.37

However, on my outgoing mail server that IP is already sending out all sorts of spam with the sasl username of Paramus. This username Paramus never shows up in the dovecot dictionary attack log; as a matter of fact, the user Paramus is nowhere to be found in the dovecot log at all, and I have logs going back months.

/var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus

Does anyone have any idea what could have happened here? I mean, if the user/passwd was already harvested by 94.242.206.37, why
would they bother to start another dict. attack? I'm just not sure how they guess the username/password,
as it's not in any logs that go back months, and I don't have a dovecot
fail record for that user in the logs. This is the case all the time for me, and
it happens with other IPs. Any help would be appreciated.

paul
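One way to check this across the two logs, as an added example that is not from the original post: a Python script that parses Dovecot and Postfix lines in the formats quoted above and reports client IPs that ran a dictionary attack on the POP3 server and also relayed mail through Postfix with a SASL login, listing any SASL usernames that never appeared in a Dovecot auth line. The embedded log lines are constructed samples, and the threshold of three distinct failed usernames is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats quoted in the post; IPs, names and
# timestamps are sample values, not real data.
DOVECOT_LOG = """\
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:39 pop dovecot: auth(default): shadow(ababa,94.242.206.37): unknown user
Nov 10 03:10:00 pop dovecot: auth(default): shadow(bob,10.0.0.5): unknown user
"""
POSTFIX_LOG = """\
Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 03:20:00 mrelay3 postfix/smtpd[27900]: 1A2B3C4D5E: client=host.example[10.0.0.9], sasl_method=LOGIN, sasl_username=alice
"""

DOVECOT_RE = re.compile(r"shadow\(([^,]+),([\d.]+)\): (lookup|unknown user)")
POSTFIX_RE = re.compile(r"client=\S+?\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)")

def parse_dovecot(text):
    """Return (ip -> usernames that got 'unknown user', set of every username Dovecot saw)."""
    failed, seen = defaultdict(set), set()
    for user, ip, outcome in DOVECOT_RE.findall(text):
        seen.add(user.lower())
        if outcome == "unknown user":
            failed[ip].add(user.lower())
    return failed, seen

def parse_sasl_logins(text):
    """Return ip -> SASL usernames that relayed mail (lower-cased: 'paramus' == 'Paramus')."""
    logins = defaultdict(set)
    for ip, user in POSTFIX_RE.findall(text):
        logins[ip].add(user.lower())
    return logins

def correlate(dovecot_text, postfix_text, min_failed=3):
    """Flag IPs with >= min_failed distinct failed POP3 usernames that also relayed via
    SASL; report which of their SASL usernames never appeared in any Dovecot auth line."""
    failed, seen = parse_dovecot(dovecot_text)
    logins = parse_sasl_logins(postfix_text)
    report = {}
    for ip, users in logins.items():
        if len(failed.get(ip, ())) >= min_failed:
            report[ip] = {"failed_guesses": len(failed[ip]),
                          "sasl_users": sorted(users),
                          "never_seen_on_pop": sorted(users - seen)}
    return report
```

Running `correlate(DOVECOT_LOG, POSTFIX_LOG)` on the samples flags only 94.242.206.37, with "paramus" listed as a SASL username never seen on the POP3 side.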
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos