On 17 October 2011 11:38, John Hinton <[email protected]> wrote:
> On 10/17/2011 11:13 AM, Simon Brereton wrote:
>>
>> Hi
>>
>> This is a new one on me - I've never seen spammers attempt to use SASL
>> Auth to inject spam.  Has anyone else seen this?
>>
>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from
>> unknown[208.86.147.92]
>> Oct 17 15:07:16 mail dovecot: auth(default):
>> passdb([email protected],208.86.147.92): Attempted login with password
>> having illegal chars
>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1
>> attempts): user=<[email protected]>, method=PLAIN, rip=208.86.147.92,
>> lip=83.170.64.84
>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92:
>> hostname default-208-86-147-92.nsihosting.net verification failed: Name or
>> service not known
>>
>>
>> Simon
>>
> I use Fail2Ban to block (automatic firewall) these attempts. You can't be
> too restrictive or you'll block real users trying to set up their email
> accounts. Fail2Ban can be set to do a Whois lookup on the offending IP
> address. If I see it is a US provider, I normally forward the message to the
> abuse@ address and more times than not, they take care of the kiddie script
> problem.
>
> Basically, they run dictionary attacks on every service available to the
> public.

Hi John - I can see it is a dictionary attack.  I get loads of them
and they don't worry me -  I've just never had one try to authenticate
for the purpose of sending spam.  All these attempts failed because
the users they were trying (newsletter, test, dummy, etc) don't exist.
I've already asked over at the Dovecot list what happens if they hit
a real user...  In the meantime I need to update my dovecot jail.

I just wondered if anyone else had seen a brute-force attack on SASL before..

Does your approach for sending to abuse work for Roadrunner?  I have
1000 pings a day from a host on RR cable and when I tried to email
[email protected], the connection timed out and the mail sits in the queue
for 5 days before timing out.

Simon
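The thread turns on two things: the Dovecot log lines the attempts leave behind, and a Fail2Ban "dovecot jail" that bans an IP once it fails too often inside a window. The following is an added example written for this thread, not code from either poster and not Fail2Ban's own filter.d/dovecot.conf. It matches the two Dovecot failure lines quoted above (the "auth failed" disconnect and the "password having illegal chars" passdb warning), then applies Fail2Ban's maxretry/findtime logic as a sliding window per remote IP. The regexes, the default thresholds, the year (syslog timestamps carry none; 2011 is taken from the thread date) and the sample log are all assumptions; the sample lines are constructed from the ones Simon posted, with the 192.0.2.10 entries added as a low-rate client that should not be banned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical fail2ban-style patterns for the two Dovecot failure lines
# quoted in the thread (not the project's own filter.d/dovecot.conf).
AUTH_FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts\): user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\S+), rip=(?P<rip>[\d.]+)"
)
ILLEGAL_CHARS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth\(\w+\): "
    r"passdb\((?P<user>[^,]*),(?P<rip>[\d.]+)\): "
    r"Attempted login with password having illegal chars"
)

# Constructed sample log, modelled on the lines quoted in the thread.
# 208.86.147.92 is the host from the thread; 192.0.2.10 is a constructed
# low-rate client that must not be banned.
SAMPLE_LOG = """\
Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@example.com,208.86.147.92): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<newsletter@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:07:40 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:08:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dummy@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:08:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:09:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:10:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=83.170.64.84
Oct 17 15:20:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=83.170.64.84
""".splitlines()


def parse_failure(line, year=2011):
    """Return (timestamp, remote_ip, user) for a Dovecot auth-failure line, else None.

    Syslog timestamps carry no year, so one is supplied (assumed 2011 here).
    """
    for rx in (AUTH_FAILED_RE, ILLEGAL_CHARS_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("rip"), m.group("user")
    return None


def offenders(lines, maxretry=5, findtime=600, year=2011):
    """fail2ban-style sliding window: IPs with >= maxretry failures inside findtime seconds.

    Returns {ip: timestamp_of_the_failure_that_triggered_the_ban}.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed:
            ts, rip, _user = parsed
            events[rip].append(ts)

    banned = {}
    for rip, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside findtime.
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[rip] = stamps[end]
                break
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults (5 failures in 10 minutes) only 208.86.147.92 trips the threshold, at its fifth failure; the two failures from 192.0.2.10 stay well under it, which is the balance John describes between catching the dictionary run and not locking out a real user mistyping a new account's password. Raising maxretry or shrinking findtime makes the jail more forgiving; the illegal-chars passdb line is counted as a failure too, since that is the first trace such an attempt leaves.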
