[Dovecot] POP3 dictionary attacks

Dean Brooks dean at iglou.com
Sat Aug 16 03:22:42 EEST 2008


On Fri, Aug 15, 2008 at 06:43:30PM -0300, Eduardo M KALINOWSKI wrote:
> Charles Marcus wrote:
> > Dictionary attacks are a fact of life these days.
> >
> > Just install some kind of blocking on your firewall (fail2ban is a good
> > one), and let it take care of the worst of it..
> 
> I wonder what they want by cracking a POP3 server. Read the user's
> mails? It's true POP3 passwords are almost always equal to SMTP ones
> (which is useful for spamming), but then why not try to crack the SMTP
> server directly?

One reason is so that they can get SMTP AUTH information and then sell
the username/password pairs to spammers.

Open relays are much more rare nowadays, so having a legitimate
pre-existing account that can be used for outbound spam is worth much
more than opening a new hotmail or gmail account.  Especially through
smaller ISPs that may not have adequate outbound mail rate-limits in
place.

A single hijacked mail account through a small ISP without rate-limits
can be used to send an incredible amount of spam before it's caught.

--
Dean Brooks
dean at iglou.com

