I'm seeing strings of failed POP3 login attempts with obvious bogus usernames coming from different IP addresses. Today's originated from 216.31.146.19 (which resolves to neovisionlabs.com). This looks like a botnet attack. I got a similar probe a couple days ago. Is anyone else seeing these?
The attack involves trying about 20 different names, about 3-4 seconds apart. Here's a few sample log lines:
dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop,216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
Timo, can you add the port used in the attempt to the error log entry? (It does show up in the info log entry, but that means I need to correlate lines in the two log files.)
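
Added example, not part of the original post and not Dovecot code: a small Python detector for the pattern described above, where one source IP tries several distinct unknown usernames within a short span. The threshold, the window, the assumed year and the 192.0.2.10 lines are constructed assumptions; the 216.31.146.19 lines are the ones quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the auth-worker PAM failure format quoted in the post.
LINE_RE = re.compile(
    r"dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Error: auth-worker\(\w+\): "
    r"pam\((?P<user>[^,]*),(?P<ip>[0-9a-fA-F.:]+)\): "
    r"pam_authenticate\(\) failed: User not known")

def parse(line, year=2000):
    """Return (timestamp, ip, user) or None. The log carries no year, so one is assumed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def find_username_sweeps(lines, min_users=4, window=timedelta(seconds=60)):
    """Map each IP that tried >= min_users distinct unknown usernames
    inside any window-long span to the sorted usernames it tried."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, ip, user = rec
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, hits = 0, set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users:
                hits |= users
        if hits:
            flagged[ip] = sorted(hits)
    return flagged

_FMT = ("dovecot: Aug 15 {t} Error: auth-worker(default): pam({u},{ip}): "
        "pam_authenticate() failed: User not known to the underlying authentication module")
SAMPLE = [_FMT.format(t=t, u=u, ip=ip) for t, u, ip in [
    ("04:15:45", "mike", "216.31.146.19"), ("04:15:49", "alan", "216.31.146.19"),
    ("04:15:53", "info", "216.31.146.19"), ("04:15:57", "shop", "216.31.146.19"),
    # Constructed lines: a user mistyping a name, which should not be flagged.
    ("04:20:00", "bob", "192.0.2.10"), ("04:20:30", "bob", "192.0.2.10"),
    ("09:00:00", "carol", "192.0.2.10")]]

if __name__ == "__main__":
    for ip, users in find_username_sweeps(SAMPLE).items():
        print(ip, "tried unknown users:", ", ".join(users))
```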