Re: [Dovecot] Spammers attempting SASL Auth
Take a look at:
http://hg.dovecot.org/dovecot-2.0/file/962df5d9413a/src/auth/auth-request.c
on line 536. That's the auth service catching illegal characters and rejecting the attempt. It'll happen with or without a valid user. So, working as it should.
As for spammers trying to brute force valid logins, yep, pretty common. Higher rate of success if they can mail from a known good server and account.
- Simon Brereton <simon.brereton@buongiorno.com> [2011-10-17 11:51:15 -0400]:
On 17 October 2011 11:31, Robert Schetterer <robert@schetterer.org> wrote:
Am 17.10.2011 17:16, schrieb Simon Brereton:
Hi
This is a new one on me - I've never seen spammers attempt to use SASL Auth to inject spam. None of the users they are trying (newsletter, dummy, test, etc.) exist, but what worries me is the illegal chars error - is this a known vulnerability in dovecot they are trying to exploit? I'm running 1:1.2.15-7 installed from apt-get.
Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@mydomain.net,208.86.147.92): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known
Simon
This may be a brute force attack, or, more simply, someone misconfigured his client; you may use fail2ban etc. to block it. Not directly related to dovecot.
17 queries in 30 seconds is not a misconfigured client :)
And I'm already using Fail2Ban - but as someone on this list pointed out recently, that doesn't apply if they try X attempts on the same connection. Although, I don't think that was the case here - maybe I should update my dovecot jail with that illegal chars line. But, be that as it may - all these attempts failed because the user didn't exist. What if the user exists though? Do these illegal chars make a hole for them to enter through?
Simon
-- Tom Pawlowski OIT-CSS System Administrator office: Hill 147 email: tompru@jla.rutgers.edu phone: (732) 445-2634
On 17 October 2011 12:10, Tom Pawlowski <tompru@jla.rutgers.edu> wrote:
Take a look at:
http://hg.dovecot.org/dovecot-2.0/file/962df5d9413a/src/auth/auth-request.c
on line 536. That's the auth service catching illegal characters and rejecting the attempt. It'll happen with or without a valid user. So, working as it should.
As for spammers trying to brute force valid logins, yep, pretty common. Higher rate of success if they can mail from a known good server and account.
Okay, thanks for that. That's the info/reassurance I was after. In the meantime I've updated fail2ban to take care of it. You're right about the higher rate of success; I've just never seen a spammer try it before - usually their resources are better spent just sending the mail. But it's good to know that dovecot will trap and block the illegal chars :)
Thanks.
Simon
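The detection logic the thread ends up with, as an added example that is not part of the original messages or of fail2ban's own dovecot filter: two fail2ban-style failregex expressions run over constructed log lines modelled on the ones Simon quoted. One matches the pop3/imap-login "auth failed" disconnect, the other the "Attempted login with password having illegal chars" rejection that fires whether or not the user exists. It also addresses the caveat from the thread about several attempts on one connection: the "N attempts" count in the disconnect line is parsed and added, rather than counting one failure per line as a plain fail2ban match would. Assumptions: fail2ban's `<HOST>` placeholder is expanded by hand to an IPv4 pattern; the IP 208.86.147.92 and mydomain.net come from the thread, the other addresses, timestamps and counts are made up; `maxretry=3` is just a sample threshold.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread.
# Only 208.86.147.92 and mydomain.net are from the thread; the rest is made up.
SAMPLE_LOG = """\
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@mydomain.net,208.86.147.92): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:07:19 mail dovecot: auth(default): passdb(dummy@mydomain.net,208.86.147.92): Attempted login with password having illegal chars
Oct 17 15:07:25 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin@mydomain.net>, method=PLAIN, rip=198.51.100.7, lip=83.170.64.84
Oct 17 15:07:30 mail dovecot: imap-login: Login: user=<alice@mydomain.net>, method=PLAIN, rip=192.0.2.10, lip=83.170.64.84
Oct 17 15:07:31 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known
"""

# fail2ban writes <HOST> in a failregex; here it is expanded by hand to an IPv4
# pattern (assumption: a real filter.d entry would use the same two expressions
# with <HOST> in place of this group).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEX = [
    # pop3/imap-login "auth failed" disconnect. The per-connection attempt count is
    # captured so that several guesses on one TCP connection are not counted as one.
    re.compile(r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed, "
               r"(?P<attempts>\d+) attempts\): .*rip=" + HOST + r","),
    # The "illegal chars" rejection from auth-request.c; it fires before any user
    # lookup result matters, so it is logged for nonexistent and existing users alike.
    re.compile(r"dovecot: auth\(default\): passdb\([^,]+," + HOST + r"\): "
               r"Attempted login with password having illegal chars$"),
]


def count_failures(log_text):
    """Return {ip: failed attempts} over the lines the two regexes match."""
    failures = Counter()
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                # The "illegal chars" regex has no attempts group: count it as one.
                attempts = int(m.groupdict().get("attempts") or 1)
                failures[m.group("host")] += attempts
                break
    return dict(failures)


def hosts_to_ban(log_text, maxretry=3):
    """IPs whose failure count reaches the sample maxretry threshold."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

On the sample, 208.86.147.92 reaches the threshold only because the two "illegal chars" lines are counted alongside the single "auth failed" disconnect, which is the point of adding that line to the jail; 198.51.100.7 reaches it from one connection because the "3 attempts" count is honoured. The successful login and the postfix hostname warning match neither expression.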