I'm seeing strings of failed POP3 login attempts with obvious bogus
usernames coming from different IP addresses. Today's originated from
216.31.146.19 (which resolves to neovisionlabs.com). This looks like a
botnet attack. I got a similar probe a couple of days ago. Is anyone else
seeing these?
The attack involves trying about 20 different names, about 3-4 seconds
apart. Here are a few sample log lines:
dovecot: Aug 15 04:15:45 Error: auth-worker(default):
pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default):
pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default):
pam(info,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default):
pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
Timo, can you add the port used in the attempt to the error log entry? (It
does show up in the info log entry, but that means I need to correlate
lines in the two log files.)
- [Dovecot] POP3 dictionary attacks Kenneth Porter
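The pattern described in the post (many distinct bogus usernames from one source, a few seconds apart) can be picked out of the Dovecot error log mechanically. The following is an added example, not part of the original mail or of Dovecot itself: it re-joins the wrapped auth-worker lines, parses the timestamp, username and source IP, and flags a source that tries several different names in quick, regular succession. The four quoted log lines are used as the sample input; the year (syslog timestamps carry none) and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches one re-joined dovecot auth-worker PAM failure line in the format
# quoted in the post. Named groups: syslog timestamp, attempted user, source IP.
LINE_RE = re.compile(
    r"dovecot: (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Error: auth-worker\([^)]*\): "
    r"pam\((?P<user>[^,]+),(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): "
    r"pam_authenticate\(\) failed"
)

# Sample input: the four log lines quoted in the post, still wrapped across
# lines exactly as the mail shows them.
SAMPLE_LOG = """\
dovecot: Aug 15 04:15:45 Error: auth-worker(default):
pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default):
pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default):
pam(info,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default):
pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the
underlying authentication module
"""


def unwrap_records(text):
    """Re-join wrapped records: a record starts at 'dovecot:'; any following
    line that does not start a new record is a continuation of the last one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("dovecot:") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_events(text, year):
    """Return (timestamp, user, ip) tuples for every PAM failure in the text.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    events = []
    for rec in unwrap_records(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def summarize_by_source(events):
    """Per source IP: attempt count, distinct usernames tried, and the mean
    spacing in seconds between consecutive attempts."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    summary = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[ip] = {
            "attempts": len(items),
            "distinct_users": len({u for _, u in items}),
            "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
        }
    return summary


def flag_dictionary_attacks(events, min_distinct_users=3, max_mean_gap=10.0):
    """Source IPs that tried several different usernames in quick, regular
    succession (the post reports ~20 names, 3-4 s apart). The thresholds are
    assumptions for this example, not Dovecot settings."""
    flagged = []
    for ip, s in summarize_by_source(events).items():
        if (s["distinct_users"] >= min_distinct_users
                and s["mean_gap_seconds"] is not None
                and s["mean_gap_seconds"] <= max_mean_gap):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG, year=2008)  # year is an assumption
    for ip, s in summarize_by_source(evs).items():
        print(ip, s)
    print("flagged:", flag_dictionary_attacks(evs))
```

On the quoted sample the single source is reported with four attempts, four distinct users and a mean gap of 4.0 seconds, and is flagged; raising `min_distinct_users` above four makes the same data pass unflagged, which is the knob to tune against legitimate users mistyping their own name. The error log lacks the client port, as the post notes, so correlation with the info log is left out here.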