SASL LOGIN authentication failed


SASL LOGIN authentication failed

@lbutlr
In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning: ma350.mars.fastwebserver.de[193.111.198.88]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning: vps1590646.vs.webtropia-customer.com[62.141.41.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6



Re: SASL LOGIN authentication failed

Viktor Dukhovni


> On May 13, 2018, at 12:42 AM, @lbutlr <[hidden email]> wrote:
>
> In these log lines, what is "UGFzc3dvcmQ6"?
>
> May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

$ printf "%s\n" $(printf "%s\n" UGFzc3dvcmQ6 | openssl base64 -d)
Password:

--
        Viktor.


Re: SASL LOGIN authentication failed

@lbutlr
On 2018-05-12 (23:01 MDT), Viktor Dukhovni <[hidden email]> wrote:
>
>> On May 13, 2018, at 12:42 AM, @lbutlr <[hidden email]> wrote:
>>
>> In these log lines, what is "UGFzc3dvcmQ6"?
>>
>> May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> $ printf "%s\n" $(printf "%s\n" UGFzc3dvcmQ6 | openssl base64 -d)
> Password:

So, is that what the morons tried to log in with (I have a few others that, using your snippet, decode to "Username:" (VXNlcm5hbWU6)); they are trying to log in with a base64 encode of "Username:" or "Password:"?

--
You too will get old. And when you do you'll fantasize that when you
were young prices were reasonable, politicians were noble, and children
respected their elders. Respect your elders.


Re: SASL LOGIN authentication failed

Durga Prasad Malyala
Wonderful words to reflect on.. on a Sunday.

You too will get old. And when you do you'll fantasize that when you
were young prices were reasonable, politicians were noble, and children
respected their elders. Respect your elders.

Rgds/DP

> On 13-May-2018, at 10:57 AM, @lbutlr <[hidden email]> wrote:
>
> You too will get old. And when you do you'll fantasize that when you
> were young prices were reasonable, politicians were noble, and children
> respected their elders. Respect your elders.

Re: SASL LOGIN authentication failed

chongma
In reply to this post by @lbutlr
i get loads of these from different ip addresses all over the world with
the exact same password.  no idea what causes it.  i always wondered
myself. e.g. cat /var/log/maillog | grep UGFzc3dvcmQ6

...

May 13 08:43:43 ns1 postfix/smtpd[8800]: warning: unknown[46.148.27.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:44:28 ns1 postfix/smtpd[6191]: warning: unknown[185.234.217.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:44:52 ns1 postfix/smtpd[11760]: warning: unknown[181.214.206.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:45:17 ns1 postfix/smtpd[6191]: warning: unknown[185.234.218.130]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:45:23 ns1 postfix/smtpd[11760]: warning: unknown[5.101.40.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:45:30 ns1 postfix/smtpd[11766]: warning: unknown[181.214.206.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:45:32 ns1 postfix/smtpd[6191]: warning: unknown[181.214.206.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:46:05 ns1 postfix/smtpd[11760]: warning: unknown[201.162.182.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:46:09 ns1 postfix/smtpd[11766]: warning: unknown[181.214.206.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:47:33 ns1 postfix/smtpd[11766]: warning: unknown[5.101.40.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6


On 13/05/18 06:42, @lbutlr wrote:
> In these log lines, what is "UGFzc3dvcmQ6"?
>
> May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 12 17:05:14 mail submit-tls/smtpd[87898]: warning: ma350.mars.fastwebserver.de[193.111.198.88]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 12 18:21:36 mail submit-tls/smtpd[65165]: warning: vps1590646.vs.webtropia-customer.com[62.141.41.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
>


Re: SASL LOGIN authentication failed

Erwan David
On 05/13/18 at 09:49, Matthew Broadhead wrote:

> i get loads of these from different ip addresses all over the world
> with the exact same password.  no idea what causes it.  i always
> wondered myself. e.g. cat /var/log/maillog | grep UGFzc3dvcmQ6
>
> ...
>
> May 13 08:43:43 ns1 postfix/smtpd[8800]: warning:
> unknown[46.148.27.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:44:28 ns1 postfix/smtpd[6191]: warning:
> unknown[185.234.217.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:44:52 ns1 postfix/smtpd[11760]: warning:
> unknown[181.214.206.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:45:17 ns1 postfix/smtpd[6191]: warning:
> unknown[185.234.218.130]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:45:23 ns1 postfix/smtpd[11760]: warning:
> unknown[5.101.40.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:45:30 ns1 postfix/smtpd[11766]: warning:
> unknown[181.214.206.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:45:32 ns1 postfix/smtpd[6191]: warning:
> unknown[181.214.206.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:46:05 ns1 postfix/smtpd[11760]: warning:
> unknown[201.162.182.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:46:09 ns1 postfix/smtpd[11766]: warning:
> unknown[181.214.206.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 13 08:47:33 ns1 postfix/smtpd[11766]: warning:
> unknown[5.101.40.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>

It is the base 64 encoding of Password:


Re: SASL LOGIN authentication failed

chongma
On 13/05/18 12:09, Erwan David wrote:

> On 05/13/18 at 09:49, Matthew Broadhead wrote:
>> i get loads of these from different ip addresses all over the world
>> with the exact same password.  no idea what causes it.  i always
>> wondered myself. e.g. cat /var/log/maillog | grep UGFzc3dvcmQ6
>>
>> ...
>>
>> May 13 08:43:43 ns1 postfix/smtpd[8800]: warning:
>> unknown[46.148.27.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:44:28 ns1 postfix/smtpd[6191]: warning:
>> unknown[185.234.217.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:44:52 ns1 postfix/smtpd[11760]: warning:
>> unknown[181.214.206.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:45:17 ns1 postfix/smtpd[6191]: warning:
>> unknown[185.234.218.130]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:45:23 ns1 postfix/smtpd[11760]: warning:
>> unknown[5.101.40.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:45:30 ns1 postfix/smtpd[11766]: warning:
>> unknown[181.214.206.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:45:32 ns1 postfix/smtpd[6191]: warning:
>> unknown[181.214.206.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:46:05 ns1 postfix/smtpd[11760]: warning:
>> unknown[201.162.182.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:46:09 ns1 postfix/smtpd[11766]: warning:
>> unknown[181.214.206.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> May 13 08:47:33 ns1 postfix/smtpd[11766]: warning:
>> unknown[5.101.40.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>>
> It is the base 64 encoding of Password:
>
yes i understood that but why is it continuously sent from random ip
addresses all over the world where none of my accounts would be signing
in from?  if i do an ip trace they come from loads of different
countries.  the hits must be coming from compromised machines?

Re: SASL LOGIN authentication failed

Bill Cole-3
In reply to this post by @lbutlr
On 13 May 2018, at 1:27 (-0400), @lbutlr wrote:

> On 2018-05-12 (23:01 MDT), Viktor Dukhovni
> <[hidden email]> wrote:
>>
>>> On May 13, 2018, at 12:42 AM, @lbutlr <[hidden email]> wrote:
>>>
>>> In these log lines, what is "UGFzc3dvcmQ6"?
>>>
>>> May 12 07:52:07 mail submit-tls/smtpd[32670]: warning:
>>> vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN
>>> authentication failed: UGFzc3dvcmQ6
>>
>> $ printf "%s\n" $(printf "%s\n" UGFzc3dvcmQ6 | openssl base64 -d)
>> Password:
>
> So, is that what the morons tried to login with (I have a few others
> that using your snippet decode to "Username:" (VXNlcm5hbWU6), they are
> trying to login with a base64 encode of "Username:" or "Password:"?

No, Postfix is logging the stage of an authentication failure in the
SASL LOGIN mechanism. It would be unwise to routinely log the wrong
credentials used by people who typo a username or password or by bots
that have a list of username+password combinations acquired elsewhere.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
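
An added example, not part of any post in this thread: a small Python summarizer for the `SASL ... authentication failed` warnings discussed above. It decodes the trailing token into the SASL LOGIN prompt it represents ("Username:" or "Password:", the stage at which the exchange failed, not a credential) and counts failures per client address. The function names, the threshold and the sample log lines (documentation-range addresses) are constructed for illustration.

```python
import base64
import re
from collections import Counter

# Postfix smtpd warning for a failed SASL attempt; group names are this example's own.
FAILED = re.compile(
    r"warning: (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: ?(?P<detail>.*)$"
)

def decode_detail(token):
    """Decode the trailing token if it is base64 of printable ASCII, else return it as-is."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return token
    return text if text and text.isprintable() else token

def summarize(lines):
    """Count failures per (client IP, SASL mechanism, decoded stage or detail)."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m:
            counts[(m["ip"], m["mech"], decode_detail(m["detail"]))] += 1
    return counts

def noisy_clients(counts, threshold):
    """Return the client IPs whose total failures reach the (assumed) threshold."""
    per_ip = Counter()
    for (ip, _mech, _stage), n in counts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample input; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 13 08:43:43 mx postfix/smtpd[8800]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:44:28 mx postfix/smtpd[6191]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 08:44:52 mx postfix/smtpd[1176]: warning: host.example[198.51.100.7]: SASL LOGIN authentication failed: VXNlcm5hbWU6
May 13 08:45:17 mx postfix/smtpd[6191]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 13 08:45:20 mx postfix/smtpd[6191]: connect from unknown[203.0.113.5]
"""

if __name__ == "__main__":
    for (ip, mech, stage), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:3d}  {ip:15s}  {mech:6s}  {stage}")
```

The per-address totals from `noisy_clients` are the kind of input a rate limit or blocklist for the submission service can be built on.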