[Dovecot] dovecot dictionary attacks

Paul Amaral pamaral at meganet.net
Thu Nov 11 01:02:29 EET 2010


Hi, I've been using Dovecot for a while and it's been solid, however I've been
having some issues with dictionary attacks.

I installed fail2ban and for the most part it is working fine. However, today I
got another spammer relaying through my server.

Looking at the logs I see the following dictionary attack from 94.242.206.37:

Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37,
lip=209.213.66.10

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37):
lookup

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37):
lookup

Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37):
unknown user

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37):
unknown user

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37):
lookup

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37):
unknown user

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37):
lookup

... and so on.

Then that IP gets banned by fail2ban:

[root at pop ~]# grep 94.242.206.37 /var/log/fail2ban.log

2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban
94.242.206.37

However, on my SMTP mail server that IP is already sending out all sorts of
spam with the SASL username of Paramus. This username Paramus never shows up
in the Dovecot dictionary attack; as a matter of fact the user Paramus is
nowhere to be found in the Dovecot log at all, and I have logs going back
months.

Does anyone have any idea what could have happened here? I mean, if the
user/passwd was already harvested by 94.242.206.37, why would they bother
to start another dict. attack?

I'm just not sure how they guessed the username/password, as it's not in any
logs (which go back months) and I don't have a Dovecot record for that user.

/var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus

Any help would be appreciated.

paul
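Added example (not from the post or the Dovecot project): a small Python correlation script that parses the Dovecot auth and Postfix smtpd lines quoted above and reports, per client IP, how many distinct usernames were probed against Dovecot and which SASL usernames accepted by the relay never appeared in the Dovecot log at all, which is exactly the mismatch the post describes. The sample lines are trimmed copies of the post's logs, and the dictionary-attack threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample: the Dovecot and Postfix lines quoted in the post, unwrapped.
DOVECOT_LOG = """\
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup
"""
POSTFIX_LOG = """\
Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
"""

# Dovecot passdb lookup lines: "auth(default): shadow(<user>,<ip>): <result>"
DOVECOT_RE = re.compile(r"auth\(\w+\): \w+\((?P<user>[^,]+),(?P<ip>[^)]+)\): (?P<result>.*)$")
# Postfix smtpd lines carrying an authenticated client: "client=...[<ip>] ... sasl_username=<user>"
POSTFIX_RE = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)")


def correlate(dovecot_log, postfix_log, dict_threshold=3):
    """Per client IP: usernames probed via Dovecot vs. usernames accepted by Postfix SASL.

    dict_threshold (assumed value) is the number of distinct usernames from one IP
    above which the activity is flagged as a dictionary attack.
    """
    tried = defaultdict(set)    # ip -> usernames looked up by Dovecot's passdb
    sasl_ok = defaultdict(set)  # ip -> usernames Postfix accepted via SASL
    for line in dovecot_log.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            tried[m["ip"]].add(m["user"].lower())  # fold case: "paramus" vs "Paramus"
    for line in postfix_log.splitlines():
        m = POSTFIX_RE.search(line)
        if m:
            sasl_ok[m["ip"]].add(m["user"].lower())
    report = {}
    for ip in set(tried) | set(sasl_ok):
        report[ip] = {
            "distinct_users_probed": len(tried[ip]),
            "dictionary_attack": len(tried[ip]) >= dict_threshold,
            "sasl_users": sorted(sasl_ok[ip]),
            # Accounts used on the relay that the Dovecot side never saw being guessed.
            "sasl_users_never_probed": sorted(sasl_ok[ip] - tried[ip]),
        }
    return report


if __name__ == "__main__":
    for ip, info in correlate(DOVECOT_LOG, POSTFIX_LOG).items():
        print(ip, info)
```

A non-empty `sasl_users_never_probed` list for an IP that is also flagged as a dictionary attacker is the signal worth investigating: the credential in use did not come from the guessing visible in the Dovecot log, so it must have been obtained elsewhere.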