[Dovecot] POP3 dictionary attacks

Kenneth Porter shiva at sewingwitch.com
Sat Aug 16 00:29:06 EEST 2008


I'm seeing strings of failed POP3 login attempts with obvious bogus 
usernames coming from different IP addresses. Today's originated from 
216.31.146.19 (which resolves to neovisionlabs.com). This looks like a 
botnet attack. I got a similar probe a couple days ago. Is anyone else 
seeing these?

The attack involves trying about 20 different names, about 3-4 seconds 
apart. Here are a few sample log lines:

dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module

Timo, can you add the port used in the attempt to the error log entry? (It 
does show up in the info log entry, but that means I need to correlate 
lines in the two log files.)
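
Added example, not part of the post and not Dovecot's own code: a small detector that parses auth-worker PAM failure lines of the shape quoted above, groups them by source address, and flags an address that cycles through several distinct usernames inside a short window, which is the pattern described (many bogus names, a few seconds apart). The log lines below are constructed with documentation addresses (192.0.2.10, 198.51.100.5), the regex is written against the quoted line format, and the year is an assumption because syslog-style timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the auth-worker PAM failure line as it appears in the post
# (one entry per line; the archive wrapped the originals for display).
AUTH_FAIL_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) Error: auth-worker\(\w+\): "
    r"pam\((?P<user>[^,]+),(?P<ip>[^)]+)\): pam_authenticate\(\) failed"
)


def _fail_line(ts, user, ip):
    # Helper that builds a constructed sample line in the quoted format.
    return (f"dovecot: {ts} Error: auth-worker(default): pam({user},{ip}): "
            "pam_authenticate() failed: User not known to the underlying "
            "authentication module")


# Constructed sample log: one address walking a username list every 4 s,
# one real user mistyping a password once, and an unrelated Info line.
SAMPLE_LOG = [
    _fail_line("Aug 15 04:15:45", "mike", "192.0.2.10"),
    _fail_line("Aug 15 04:15:49", "alan", "192.0.2.10"),
    _fail_line("Aug 15 04:15:53", "info", "192.0.2.10"),
    _fail_line("Aug 15 04:15:57", "shop", "192.0.2.10"),
    _fail_line("Aug 15 04:16:01", "test", "192.0.2.10"),
    _fail_line("Aug 15 04:16:05", "admin", "192.0.2.10"),
    "dovecot: Aug 15 04:20:12 Error: auth-worker(default): "
    "pam(kenneth,198.51.100.5): pam_authenticate() failed: Authentication failure",
    "dovecot: Aug 15 04:20:30 Info: pop3-login: Login: user=<kenneth>, "
    "method=PLAIN, rip=198.51.100.5, lport=110",
]


def parse_failures(lines, year=2008):
    """Yield (timestamp, user, ip) for each PAM authentication failure line.
    The year is supplied by the caller (assumption: log has no year field)."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_dictionary_attacks(lines, window_s=60, min_users=5):
    """Flag any source IP that tries at least `min_users` distinct usernames
    within some `window_s`-second window of failed logins.
    Returns {ip: {"users": [...], "median_gap_s": float}} for flagged IPs."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered failures for this address.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            users_in_window = {u for _, u in events[start:end + 1]}
            if len(users_in_window) >= min_users:
                gaps = [(events[i][0] - events[i - 1][0]).total_seconds()
                        for i in range(1, len(events))]
                flagged[ip] = {
                    "users": sorted({u for _, u in events}),
                    "median_gap_s": median(gaps) if gaps else 0.0,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['users'])} usernames, "
              f"median gap {info['median_gap_s']:.1f}s: {', '.join(info['users'])}")
```

Keying on distinct usernames per address rather than on raw failure count is what separates a name-guessing run from one user fat-fingering a password; the single failure from 198.51.100.5 is never flagged, while the six-name sweep from 192.0.2.10 is, with the regular 4-second cadence reported alongside. Because the error line carries no port, the detector keys on the address alone, which is exactly the correlation gap the post asks about.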

