Username character disallowed by auth_username_chars: 0x13

Alex mysqlstudent at gmail.com
Thu Nov 30 16:35:19 EET 2017


Hi,

On Wed, Nov 29, 2017 at 12:18 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> On November 29, 2017 at 5:58 AM Alex <mysqlstudent at gmail.com> wrote:
>>
>>
>> Hi, I'm receiving the following messages in my mail logs that I
>> haven't seen before:
>>
>> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
>> Username character disallowed by auth_username_chars: 0x13 (username:
>> AB?)
>> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
>> Username character disallowed by auth_username_chars: 0x13 (username:
>> AB?)
>>
>> There's thousands of them, from hundreds of different IP addresses. I
>> suspect it's an exploit attempt, but does anyone know which?
>>
>> I've added a fail2ban entry, but I'd also like to make sure my dovecot
>> is not vulnerable. This is on a fc25 system with all updates.
>
> 0x13 is carriage return, so it could just be a mistake in the spam robots code.

It turned out there was a carriage return in the GCOS field of one of
the users in the password file, and for every dovecot login there was
an entry similar to the above in the logs.


More information about the dovecot mailing list