Hi, I'm receiving the following messages in my mail logs that I haven't seen before:

Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?)

There are thousands of them, from hundreds of different IP addresses. I suspect it's an exploit attempt, but does anyone know which?

I've added a fail2ban entry, but I'd also like to make sure my dovecot is not vulnerable. This is on a fc25 system with all updates.
Aki Tuomi
2017-Nov-29 05:18 UTC
Username character disallowed by auth_username_chars: 0x13
> On November 29, 2017 at 5:58 AM Alex <mysqlstudent at gmail.com> wrote:
>
> Hi, I'm receiving the following messages in my mail logs that I
> haven't seen before:
>
> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
> Username character disallowed by auth_username_chars: 0x13 (username:
> AB?)
> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
> Username character disallowed by auth_username_chars: 0x13 (username:
> AB?)
>
> There's thousands of them, from hundreds of different IP addresses. I
> suspect it's an exploit attempt, but does anyone know which?
>
> I've added a fail2ban entry, but I'd also like to make sure my dovecot
> is not vulnerable. This is on a fc25 system with all updates.

0x13 is carriage return, so it could just be a mistake in the spam robot's code.

Aki
Hi,

On Wed, Nov 29, 2017 at 12:18 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> On November 29, 2017 at 5:58 AM Alex <mysqlstudent at gmail.com> wrote:
>>
>> Hi, I'm receiving the following messages in my mail logs that I
>> haven't seen before:
>>
>> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
>> Username character disallowed by auth_username_chars: 0x13 (username:
>> AB?)
>> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
>> Username character disallowed by auth_username_chars: 0x13 (username:
>> AB?)
>>
>> There's thousands of them, from hundreds of different IP addresses. I
>> suspect it's an exploit attempt, but does anyone know which?
>>
>> I've added a fail2ban entry, but I'd also like to make sure my dovecot
>> is not vulnerable. This is on a fc25 system with all updates.
>
> 0x13 is carriage return, so it could just be a mistake in the spam robots code.

It turned out there was a carriage return in the GCOS field of one of the users in the password file, and for every dovecot login there was an entry similar to the above in the logs.
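Added example, not code from the thread or from Dovecot itself: it reproduces the auth_username_chars check that produces the log line above (assuming the documented default character set is in use, and mimicking the log format shown in the thread), and scans passwd-format data for the kind of stray control character in the GECOS field that turned out to be the cause. The sample passwd text is constructed; note that 0x13 is ASCII DC3 while a carriage return is 0x0D (decimal 13), and the scan reports either.

```python
import re
from typing import Optional
# Documented default of dovecot's auth_username_chars (assumption: the site left it unchanged).
DEFAULT_AUTH_USERNAME_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
PASSWD_FIELDS = ["name", "password", "uid", "gid", "gecos", "home", "shell"]

def first_disallowed_char(username: str, allowed: str = DEFAULT_AUTH_USERNAME_CHARS):
    """(index, codepoint) of the first character outside `allowed`, or None if the name is clean."""
    for i, ch in enumerate(username):
        if ch not in allowed:
            return i, ord(ch)
    return None

def describe_rejection(username: str, allowed: str = DEFAULT_AUTH_USERNAME_CHARS) -> Optional[str]:
    """Render the rejection like the thread's log line: hex of the offending byte, and the
    username with non-printable bytes shown as '?' (which is why the log shows 'AB?')."""
    hit = first_disallowed_char(username, allowed)
    if hit is None:
        return None
    shown = "".join(c if 0x20 <= ord(c) < 0x7F else "?" for c in username)
    return f"Username character disallowed by auth_username_chars: 0x{hit[1]:02x} (username: {shown})"

def find_control_chars_in_passwd(text: str):
    """Scan passwd-format text (name:x:uid:gid:gecos:home:shell) and report each field holding
    a control character; this is how the stray byte in the GECOS field would be located.
    Returns (line_no, user, field, hex_byte) tuples."""
    findings = []
    # Split on '\n' only: str.splitlines() treats a bare CR as a line break and would hide it.
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        for field, value in zip(PASSWD_FIELDS, parts):
            m = CONTROL.search(value)
            if m:
                findings.append((lineno, parts[0], field, f"0x{ord(m.group()):02x}"))
    return findings

# Constructed sample: the second entry carries a stray 0x13 byte at the end of its GECOS field.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alex:x:1000:1000:Alex Example\x13:/home/alex:/bin/bash\n"
    "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin\n"
)
if __name__ == "__main__":
    print(describe_rejection("AB\x13"))
    for finding in find_control_chars_in_passwd(SAMPLE_PASSWD):
        print("line %d: user %s, field %s contains %s" % finding)
```

Running the scan against the real /etc/passwd (or whatever passdb dovecot is configured to use) is the quick way to confirm the GECOS explanation on a live system.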