Username character disallowed by auth_username_chars: 0x13
Hi, I'm receiving the following messages in my mail logs that I haven't seen before:
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
There are thousands of them, from hundreds of different IP addresses. I suspect it's an exploit attempt, but does anyone know which?
I've added a fail2ban entry, but I'd also like to make sure my dovecot is not vulnerable. This is on a fc25 system with all updates.
On November 29, 2017 at 5:58 AM Alex mysqlstudent@gmail.com wrote:
0x13 is carriage return, so it could just be a mistake in the spam robot's code.
Aki
Hi,
On Wed, Nov 29, 2017 at 12:18 AM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
0x13 is carriage return, so it could just be a mistake in the spam robot's code.
It turned out there was a carriage return in the GCOS field of one of the users in the password file, and for every dovecot login there was an entry similar to the above in the logs.
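Two checks that cover both halves of this thread, as an added example that is not from the list or from Dovecot itself: one counts auth_username_chars rejections per client IP over constructed log lines (the line quoted above plus two made-up ones using documentation addresses), the other scans constructed passwd content for control characters in the GECOS field, which is what turned out to be the cause here. The log layout is assumed to match the lines quoted in this thread.

```python
import re
from collections import Counter, defaultdict

# Dovecot auth log line for a username rejected by auth_username_chars.
# The 0x.. token is the rejected byte; the address after the comma is the client IP.
LOG_RE = re.compile(
    r"dovecot: auth: \w+\(\S*?,(?P<ip>[0-9a-fA-F:.]+)\): "
    r"Username character disallowed by auth_username_chars: (?P<byte>0x[0-9a-fA-F]{2})"
)

# Constructed sample log: the thread's line twice, one other rejection, one normal login.
SAMPLE_LOG = """\
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:46:02 bwipropemail dovecot: auth: login(?,203.0.113.7): Username character disallowed by auth_username_chars: 0x0d (username: bob?)
Nov 28 22:46:09 bwipropemail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4
"""

def rejected_by_ip(log_text):
    """Count auth_username_chars rejections per client IP and collect the rejected bytes."""
    per_ip = Counter()
    bytes_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        per_ip[m["ip"]] += 1
        bytes_seen[m["ip"]].add(m["byte"].lower())
    return per_ip, bytes_seen

def gecos_control_chars(passwd_text):
    """Return (username, [hex bytes]) for entries whose GECOS field holds control characters."""
    bad = []
    # split("\n") rather than splitlines(): a stray \r in GECOS would otherwise split the record
    for line in passwd_text.split("\n"):
        fields = line.split(":")
        if len(fields) < 7:
            continue
        gecos = fields[4]
        ctrl = sorted({"0x%02x" % ord(c) for c in gecos if ord(c) < 0x20 or ord(c) == 0x7f})
        if ctrl:
            bad.append((fields[0], ctrl))
    return bad

# Constructed passwd content: bob's GECOS field carries a stray carriage return.
SAMPLE_PASSWD = ("alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
                 "bob:x:1002:1002:Bob\rExample:/home/bob:/bin/bash\n")
```

An IP that dominates `rejected_by_ip` is a candidate for the fail2ban rule mentioned above, while a hit from `gecos_control_chars` points at the local cause found in this thread rather than at the clients.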