I'd seen address harvesting before, and SIMS blocks it wonderfully. Today I saw a new one though: a POP3 attack on guessed accounts, using "easy" passwords. A total of 125 attempts in 10 seconds. A piece of the log is below; I've left in quite a bit because it's interesting which accounts and passwords are attempted. Notice that !@#$%^&* are in a nice row on a keyboard ;-)
Why try this, though? Is it a roundabout way of finding an open SMTP relay (through the feature "accept ipnr as client for 3 minutes after successful pop3 session")? The culprit <http://samspade.org/t/lookat?a=202.103.160.101> seems to be from China. Espionage? It would be nice if SIMS recognized this type of attack as well, and put the ipnr on a TempBanned list... Does putting an ipnr in the manual SIMS blacklist also stop attempted pop3 sessions?

[spaces added by me for easy reading; view in wide window]

07:02:47 1 POP {admin} is not open: password(admin) is wrong. Connection from [202.103.160.101:4293]
07:02:47 1 POP {admin} is not open: password() is wrong. Connection from [202.103.160.101:4292]
07:02:47 1 POP {admin} is not open: password(admin) is wrong. Connection from [202.103.160.101:4291]
07:02:47 1 POP {admin} is not open: password(111) is wrong. Connection from [202.103.160.101:4296]
07:02:47 1 POP {admin} is not open: password(1) is wrong. Connection from [202.103.160.101:4295]
07:02:47 1 POP {admin} is not open: password(root) is wrong. Connection from [202.103.160.101:4294]
07:02:47 1 POP {admin} is not open: password(12345) is wrong. Connection from [202.103.160.101:4299]
07:02:47 1 POP {admin} is not open: password(1234) is wrong. Connection from [202.103.160.101:4298]
07:02:47 1 POP {admin} is not open: password(123) is wrong. Connection from [202.103.160.101:4297]
07:02:47 1 POP {admin} is not open: password(!@#$%) is wrong. Connection from [202.103.160.101:4305]
07:02:47 1 POP {admin} is not open: password(asdfgh) is wrong. Connection from [202.103.160.101:4304]
07:02:47 1 POP {admin} is not open: password(asdf) is wrong. Connection from [202.103.160.101:4303]
07:02:47 1 POP {admin} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4302]
07:02:47 1 POP {admin} is not open: password(654321) is wrong. Connection from [202.103.160.101:4301]
07:02:47 1 POP {admin} is not open: password(123456) is wrong. Connection from [202.103.160.101:4300]
07:02:47 1 POP {admin} is not open: password(passwd) is wrong. Connection from [202.103.160.101:4310]
07:02:47 1 POP {admin} is not open: password(server) is wrong. Connection from [202.103.160.101:4309]
07:02:47 1 POP {admin} is not open: password(!@#$%^&*) is wrong. Connection from [202.103.160.101:4308]
07:02:47 1 POP {admin} is not open: password(!@#$%^&) is wrong. Connection from [202.103.160.101:4307]
07:02:47 1 POP {admin} is not open: password(!@#$%^) is wrong. Connection from [202.103.160.101:4306]
07:02:47 1 POP {root} is not open: password() is wrong. Connection from [202.103.160.101:4315]
07:02:47 1 POP {root} is not open: password(root) is wrong. Connection from [202.103.160.101:4314]
07:02:47 1 POP {admin} is not open: password(admin!@#$) is wrong. Connection from [202.103.160.101:4313]
07:02:47 1 POP {admin} is not open: password(admin123) is wrong. Connection from [202.103.160.101:4312]
07:02:49 1 POP {webmaster} is not open: password(!@#$%^&) is wrong. Connection from [202.103.160.101:4353]
07:02:49 1 POP {webmaster} is not open: password(webmaster123) is wrong. Connection from [202.103.160.101:4359]
07:02:49 1 POP {data} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4372]
07:02:49 1 POP {data} is not open: password(654321) is wrong. Connection from [202.103.160.101:4371]
07:02:50 1 POP {user} is not open: password(passwd) is wrong. Connection from [202.103.160.101:4403]
07:02:51 1 POP {web} is not open: password(123) is wrong. Connection from [202.103.160.101:4413]
07:02:51 1 POP {web} is not open: password(asdfgh) is wrong. Connection from [202.103.160.101:4420]
07:02:51 1 POP {oracle} is not open: password(oracle) is wrong. Connection from [202.103.160.101:4430]
07:02:51 1 POP {oracle} is not open: password(admin) is wrong. Connection from [202.103.160.101:4432]
07:02:53 1 POP {sybase} is not open: password(654321) is wrong. Connection from [202.103.160.101:4463]
07:02:53 1 POP {sybase} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4464]
07:02:53 1 POP {test} is not open: password(root) is wrong. Connection from [202.103.160.101:4479]
07:02:53 1 POP {test} is not open: password(admin) is wrong. Connection from [202.103.160.101:4478]
07:02:54 1 POP {master} is not open: password(server) is wrong. Connection from [202.103.160.101:4517]
07:02:54 1 POP {master} is not open: password(password) is wrong. Connection from [202.103.160.101:4519]
07:02:55 1 POP {backup} is not open: password() is wrong. Connection from [202.103.160.101:4523]
07:02:55 1 POP {backup} is not open: password(backup) is wrong. Connection from [202.103.160.101:4522]
07:02:55 1 POP {master} is not open: password(asdf) is wrong. Connection from [202.103.160.101:4511]
07:02:56 1 POP {server} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4556]
07:02:56 1 POP {server} is not open: password(password) is wrong. Connection from [202.103.160.101:4565]
07:02:56 1 POP {master} is not open: password(master) is wrong. Connection from [202.103.160.101:4499]
07:02:57 1 POP {test} is not open: password(12345) is wrong. Connection from [202.103.160.101:4484]
07:02:57 1 POP {test} is not open: password(123) is wrong. Connection from [202.103.160.101:4482]

-- 
Jan Jaap Spreij (PGP: www.demon.cx/pgp/pubkey.html)
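The poster asks whether SIMS could recognize this pattern itself and temp-ban the source. The following is an added example (not part of the original mail or of SIMS) of the detection logic a log watcher would need: it parses lines in the SIMS POP failure format quoted above and flags any source address with a burst of failed logins inside a sliding time window, together with the list of accounts it tried. The regex, the sample log (which uses a documentation address rather than the real one) and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the SIMS POP failure lines quoted in the post (assumed format).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+ POP \{(?P<account>[^}]*)\} is not open: "
    r"password\((?P<password>[^)]*)\) is wrong\. "
    r"Connection from \[(?P<ip>[\d.]+):(?P<port>\d+)\]$"
)

def parse_line(line):
    """Return a dict of fields for a failed-POP-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S")
    return ev

def find_bruteforce_sources(lines, threshold=10, window=timedelta(seconds=10)):
    """Flag source IPs with >= threshold failed POP logins in any sliding window.
    Returns {ip: {"failures": max_in_window, "accounts": sorted account names}}."""
    recent = defaultdict(deque)     # ip -> timestamps still inside the window
    accounts = defaultdict(set)     # ip -> distinct accounts tried
    peak = defaultdict(int)         # ip -> highest count seen in one window
    for line in lines:
        ev = parse_line(line)
        if ev is None:              # not a POP failure line; ignore it
            continue
        ip, t = ev["ip"], ev["time"]
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:    # drop failures older than the window
            q.popleft()
        accounts[ip].add(ev["account"])
        peak[ip] = max(peak[ip], len(q))
    return {ip: {"failures": n, "accounts": sorted(accounts[ip])}
            for ip, n in peak.items() if n >= threshold}

# Constructed sample in the same format as the post's log (not the real log).
SAMPLE_LOG = """\
07:02:47 1 POP {admin} is not open: password(admin) is wrong. Connection from [203.0.113.5:4293]
07:02:47 1 POP {admin} is not open: password(123456) is wrong. Connection from [203.0.113.5:4300]
07:02:49 1 POP {webmaster} is not open: password(!@#$%^&) is wrong. Connection from [203.0.113.5:4353]
07:02:50 1 POP {user} is not open: password(passwd) is wrong. Connection from [203.0.113.5:4403]
07:02:51 1 POP {oracle} is not open: password(oracle) is wrong. Connection from [203.0.113.5:4430]
07:03:30 1 POP {jan} is not open: password(typo) is wrong. Connection from [198.51.100.7:5110]
""".splitlines()
```

With the post's real figures (125 attempts in 10 seconds from one address) the default threshold of 10 in a 10-second window would flag the source on the tenth failure, while a user mistyping a password once stays well below it.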
