On 11/10/2010 6:10 PM, PA wrote:
> Hi hoping someone can help me a little with this one.
>
> I have 2 mail servers, the incoming mail server runs dovecot and the
> outgoing mail server runs postfix with sasl.
>
> Lately I noticed a lot of spammers are running dictionary attacks on
> my incoming server and then using that user/password for sasl on the
> outgoing server.
>
> The weird thing is I never see on the logs the guessed
> username/password. I always see the ones they can't guess.
>
> For example:
>
> Looking at the logs I see the following dictionary attack from
> 94.242.206.37
>
> Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected:
> rip=94.242.206.37, lip=209.213.66.10
>
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH
> 1 PLAIN service=POP3 lip=209.213.66.10
> rip=94.242.206.37 resp=<hidden>
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(aarhus,94.242.206.37): lookup
>
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH
> 1 PLAIN service=POP3 lip=209.213.66.10
> rip=94.242.206.37 resp=<hidden>
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(abaft,94.242.206.37): lookup
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(abaft,94.242.206.37): unknown user
>
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH
> 1 PLAIN service=POP3 lip=209.213.66.10
> rip=94.242.206.37 resp=<hidden>
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(aarhus,94.242.206.37): unknown user
>
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH
> 1 PLAIN service=POP3 lip=209.213.66.10
> rip=94.242.206.37 resp=<hidden>
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(aaron,94.242.206.37): lookup
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(aaron,94.242.206.37): unknown user
>
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH
> 1 PLAIN service=POP3 lip=209.213.66.10
> rip=94.242.206.37 resp=<hidden>
>
> Nov 10 03:04:38 pop dovecot: auth(default):
> shadow(ababa,94.242.206.37): lookup
>
> ............. And so on..
>
> Then that ip gets banned by fail2ban
>
> [root@pop ~]# grep 94.242.206.37 /var/log/fail2ban.log
>
> 2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban
> 94.242.206.37
>
> However on my outgoing mail server that ip is already sending out all
> sorts of spam with the sasl username of Paramus.
>
> This username Paramus never shows up on the dovecot dictionary attack
> log, as a matter of fact the user Paramus is nowhere to be found on
> the dovecot log at all and I have logs going back months.
>
> /var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]:
> 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN,
> sasl_username=paramus
>
> /var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]:
> 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN,
> sasl_username=paramus
>
> /var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]:
> 87DE128016: client=unknown[94.242.206.37], sasl_method=LOGIN,
> sasl_username=paramus
>
> /var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]:
> 9728628015: client=unknown[94.242.206.37], sasl_method=LOGIN,
> sasl_username=paramus
>
> /var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]:
> D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN,
> sasl_username=paramus
>
> /var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]:
> DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN,
> sasl_username=Paramus
>
> Does anyone have any idea what could have happened here? I mean if the
> user/passwd was already harvested by 94.242.206.37 why would they
> bother to start another dict. attack?
>
> I'm just not sure how they guess the username/password as it's not on
> any logs that go back months and I don't have a dovecot fail record
> for that user on the logs. This is the case all the time for me and it
> happens with other ips.
>
> Any help would be appreciated.
>
> paul
>
>
Yeah... isn't this fun? I'm using Fail2Ban for the same reasons.
Off the top of my head, perhaps the user paramus, assuming they actually
use your server for email, may have a trojan on their comp recording
keystrokes and sending them to the bad boy. Many of the latest virii are
very good at this, getting FTP logins as well to help spread their
malwares onto web pages.
I believe most of these are totally automated processes, with just a bit
of blackhat input. As they had your server address anyway, I'd bet it
just made it onto the bot list to do dictionary attacks as well. Sort of
dumb when you think about it, as the dictionary attack would get them
firewalled, killing off what is successfully running. But don't tell the
spammer that. ;)
Also, it doesn't hurt to report these addresses to the network admin. I
have been successful a number of times in getting stuff shut down. This
seems to be a legit provider. They might actually respond. If we all do
that, our numbers can make it harder on the spammers.
--
John Hinton
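As an added example (not from the thread or either poster), a small Python script that correlates the two log formats Paul quoted: it collects every username each client IP tried against dovecot, then flags SASL logins on the postfix relay whose username that IP never presented to dovecot, which is exactly the paramus pattern above and points to credentials obtained elsewhere (such as a compromised client) rather than by the dictionary attack. The sample log lines are constructed to match the quoted formats; the regexes assume Dovecot 1.x-style `passdb(user,ip): result` auth lines and the standard postfix smtpd `client=host[ip] ... sasl_username=` line.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the two log formats quoted in the thread.
DOVECOT_LOG = """\
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:10:01 pop dovecot: auth(default): shadow(alice,10.0.0.5): lookup
"""
POSTFIX_LOG = """\
Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 03:12:44 mrelay3 postfix/smtpd[27810]: 1A2B3C4D5E: client=host.example[10.0.0.5], sasl_method=LOGIN, sasl_username=alice
"""
# dovecot: "passdb(user,ip): result"; postfix: "client=host[ip] ... sasl_username=user"
DOVECOT_RE = re.compile(r"auth\([^)]*\): \w+\((?P<user>[^,]+),(?P<ip>[\d.]+)\): (?P<result>.+)$")
POSTFIX_RE = re.compile(r"client=[^\[]*\[(?P<ip>[\d.]+)\].*\bsasl_username=(?P<user>\S+)")


def dovecot_attempts(log):
    """Map each client IP to every username it presented to dovecot (case-folded)."""
    tried = defaultdict(set)
    for line in log.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            tried[m.group("ip")].add(m.group("user").lower())
    return tried


def postfix_sasl_logins(log):
    """Yield (ip, username) for each SASL-authenticated submission on the relay."""
    for line in log.splitlines():
        m = POSTFIX_RE.search(line)
        if m:
            # Postfix logs the name as sent, so "Paramus" and "paramus" are folded together.
            yield m.group("ip"), m.group("user").lower()


def unexplained_sasl_logins(dovecot_log, postfix_log):
    """SASL usernames an IP used on the relay but never tried against dovecot."""
    tried = dovecot_attempts(dovecot_log)
    found = defaultdict(set)
    for ip, user in postfix_sasl_logins(postfix_log):
        if user not in tried.get(ip, set()):
            found[ip].add(user)
    return dict(found)


if __name__ == "__main__":
    for ip, users in unexplained_sasl_logins(DOVECOT_LOG, POSTFIX_LOG).items():
        print(f"{ip}: SASL user(s) {sorted(users)} never seen in the dovecot auth log")
```

On the sample data only 94.242.206.37/paramus is reported; alice's submission from 10.0.0.5 is not flagged because that IP did present "alice" to dovecot.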