<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 11/10/2010 6:10 PM, PA wrote:
<blockquote cite="mid:02e401cb812c$79223460$6b669d20$@net"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi hoping someone can help me a little with
this one.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have 2 mail servers, the incoming mail
server runs dovecot
and the outgoing mail server runs postfix with sasl.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Lately I noticed a lot of spammers are
running dictionary attacks
on my incoming server and then using that user/password for
sasl on the
outgoing server.<o:p></o:p></p>
<p class="MsoNormal">The weird thing is I never see on the logs
the guessed
username/password. I always see the ones they can’t guess.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For example:<o:p></o:p></p>
<p class="MsoNormal">Looking at the logs I see the following
dictionary
attack from 94.242.206.37<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: pop3-login:
Disconnected:
rip=94.242.206.37, lip=209.213.66.10<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
client in:
AUTH 1
PLAIN service=POP3
lip=209.213.66.10
rip=94.242.206.37 resp=<hidden><o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(aarhus,94.242.206.37): lookup<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
client in:
AUTH 1
PLAIN service=POP3
lip=209.213.66.10
rip=94.242.206.37 resp=<hidden><o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(abaft,94.242.206.37): lookup<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(abaft,94.242.206.37): unknown user<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
client in:
AUTH 1
PLAIN service=POP3
lip=209.213.66.10
rip=94.242.206.37 resp=<hidden><o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(aarhus,94.242.206.37): unknown user<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
client in:
AUTH 1
PLAIN service=POP3
lip=209.213.66.10
rip=94.242.206.37 resp=<hidden><o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(aaron,94.242.206.37): lookup<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(aaron,94.242.206.37): unknown user<o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
client in:
AUTH 1
PLAIN service=POP3
lip=209.213.66.10
rip=94.242.206.37 resp=<hidden><o:p></o:p></p>
<p class="MsoNormal">Nov 10 03:04:38 pop dovecot: auth(default):
shadow(ababa,94.242.206.37): lookup<o:p></o:p></p>
<p class="MsoNormal">…………. And so on..<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Then that ip gets banned by fail2ban<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[root@pop ~]# grep 94.242.206.37
/var/log/fail2ban.log<o:p></o:p></p>
<p class="MsoNormal">2010-11-10 03:04:42,416 fail2ban.actions:
WARNING [dovecot]
Ban 94.242.206.37<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">However on my outgoing mail server that ip
is already
sending out all sorts of spam with the sasl username of
Paramus. <o:p></o:p></p>
<p class="MsoNormal">This username Paramus never shows up on the
dovecot
dictionary attack log, as a matter of fact the user Paramus is
nowhere to be
found on the dovecot log at all and I have logs going back
months. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">/var/log/maillog:Nov 10 02:46:16 mrelay3
postfix/smtpd[27776]: 3B64928015:
client=unknown[94.242.206.37],
sasl_method=LOGIN, sasl_username=paramus<o:p></o:p></p>
<p class="MsoNormal">/var/log/maillog:Nov 10 02:47:54 mrelay3
postfix/smtpd[27776]: 247AB28016:
client=unknown[94.242.206.37],
sasl_method=LOGIN, sasl_username=paramus<o:p></o:p></p>
<p class="MsoNormal">/var/log/maillog:Nov 10 02:48:00 mrelay3
postfix/smtpd[27785]: 87DE128016:
client=unknown[94.242.206.37],
sasl_method=LOGIN, sasl_username=paramus<o:p></o:p></p>
<p class="MsoNormal">/var/log/maillog:Nov 10 02:56:00 mrelay3
postfix/smtpd[27792]: 9728628015:
client=unknown[94.242.206.37],
sasl_method=LOGIN, sasl_username=paramus<o:p></o:p></p>
<p class="MsoNormal">/var/log/maillog:Nov 10 03:05:38 mrelay3
postfix/smtpd[27808]:
D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN,
sasl_username=paramus<o:p></o:p></p>
<p class="MsoNormal">/var/log/maillog:Nov 10 03:06:00 mrelay3
postfix/smtpd[27808]: DDF7C2801B:
client=unknown[94.242.206.37],
sasl_method=LOGIN, sasl_username=Paramus<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Does anyone have any idea what could of
happened here. I
mean if the user/passwd was already harvested by
94.242.206.37 why
would they bother to start another dict. attack. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m just not sure how they guess the
username/password
as its not on any logs that goes back months and I don’t have
a dovecot
fail record for that user on the logs. This is the case all
the time for me and
it happens with other ips.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any help would be appreciated.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">paul<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p><br>
</p>
</div>
</blockquote>
Yeah... isn't this fun? I'm using Fail2Ban for the same reasons.<br>
<br>
Off the top of my head, perhaps the user paramus, assuming they
actually use your server for email, may have a trojan on their comp
recording keystrokes and sending them to the bad boy. Many of the
latest virii are very good at this, getting FTP logins as well to
help spread their malwares onto web pages.<br>
<br>
I believe most of these are totally automated processes, with just a
bit of blackhat input. As they had your server address anyway, I'd
bet it just made it onto the bot list to do dictionary attacks as
well. Sort of dumb when you think about it, as the dictionary attack
would get them firewalled, killing off what is successfully running.
But don't tell the spammer that. ;)<br>
<br>
Also, it doesn't hurt to report these addresses to the network
admin. I have been successful a number of times in getting stuff
shut down. This seems to be a legit provider. They might actually
respond. If we all do that, our numbers can make it harder on the
spammers.<br>
<pre class="moz-signature" cols="72">--
John Hinton
</pre>
</body>
</html>