[Dovecot] POP3 dictionary attacks

Bruce Bodger bbodger at bodcon.com
Sat Aug 16 18:19:44 EEST 2008


On Aug 16, 2008, at 11:14 AM, Mark Sapiro wrote:

>>> Exactly. These days, IP spoofing is most useful to hide the identity of
>>> the perpetrator of a DoS attack. It certainly is not applicable to a
>>> dictionary attack on POP3 or other logins since with a spoofed IP, the
>>> perpetrator will never see the response to determine if the login
>>> attempt was successful.
>>
>> I stand corrected... sorry.  I was thinking of an http cross-site
>> attack which also seems popular nowadays.
>>
>> So if I read you right then you would consider the IP address shown
>> in the original thread post..
>>
>>> dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,
>>> 216.31.146.19): pam_authenticate() failed: User not known to the
>>> underlying authentication module
>>> dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,
>>> 216.31.146.19): pam_authenticate() failed: User not known to the
>>> underlying authentication module
>>> dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,
>>> 216.31.146.19): pam_authenticate() failed: User not known to the
>>> underlying authentication module
>>> dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,
>>> 216.31.146.19): pam_authenticate() failed: User not known to the
>>> underlying authentication module
>>
>>
>> ..216.31.146.19, to be a party to the attack and therefore a
>> candidate for locking out?
>
>
> Yes. I do it (with my own script, not fail2ban, but it works the same
> way).

Thank you for the clarification.

B. Bodger
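
An added example, not part of the original thread and not the script Mark Sapiro mentions: a sliding-window counter over the Dovecot PAM failure lines quoted above that reports which source addresses are lockout candidates. The function name, the threshold of 3 failures in 10 minutes, and the year (these timestamps carry none) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four log lines quoted in the thread (re-joined from the mail wrapping),
# plus one constructed line from a documentation address that must not trip.
MSG = "pam_authenticate() failed: User not known to the underlying authentication module"
SAMPLE_LOG = [
    f"dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike, 216.31.146.19): {MSG}",
    f"dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan, 216.31.146.19): {MSG}",
    f"dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info, 216.31.146.19): {MSG}",
    f"dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop, 216.31.146.19): {MSG}",
    f"dovecot: Aug 15 04:20:02 Error: auth-worker(default): pam(carol, 192.0.2.10): {MSG}",
]

# The username is client-supplied, so the greedy "user" group makes the match
# anchor on the LAST ", <ip>): pam_authenticate() failed" in the line.
FAIL_RE = re.compile(
    r"dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?pam\((?P<user>.*),\s*"
    r"(?P<ip>[0-9A-Fa-f.:]+)\): pam_authenticate\(\) failed"
)

def find_lockout_candidates(lines, max_failures=3,
                            window=timedelta(minutes=10), year=2008):
    """Return {ip: sorted usernames seen} for IPs with >= max_failures in window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that address has tried
    flagged = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # reject malformed addresses
        except ValueError:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        users[ip].add(m["user"])
        if len(q) >= max_failures:
            flagged[ip] = users[ip]
    return {ip: sorted(names) for ip, names in flagged.items()}

if __name__ == "__main__":
    for ip, names in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"{ip}: tried {', '.join(names)}")
```

Many distinct, nonexistent usernames from one address within seconds is the dictionary-attack signature in the quoted log; a single failure, like the constructed 192.0.2.10 line, stays below the threshold.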



