Spammers attempting SASL auth.

Spammers attempting SASL auth.

Simon Brereton-2
Hi

This is a new one on me - I've never seen spammers attempt to use SASL Auth to inject spam.  Has anyone else seen this?

Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
Oct 17 15:07:16 mail dovecot: auth(default): passdb([hidden email],208.86.147.92): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[hidden email]>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known


Simon

Re: Spammers attempting SASL auth.

Reindl Harald-2


Am 17.10.2011 17:13, schrieb Simon Brereton:
> Hi
>
> This is a new one on me - I've never seen spammers attempt to use SASL Auth to inject spam.  Has anyone else seen this?
>
> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
> Oct 17 15:07:16 mail dovecot: auth(default): passdb([hidden email],208.86.147.92): Attempted login with password having illegal chars
> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[hidden email]>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known

yes, dictionary attacks on all sort of ports are common


Re: Spammers attempting SASL auth.

Simon Brereton-2
On 17 October 2011 11:38, John Hinton <[hidden email]> wrote:

> On 10/17/2011 11:13 AM, Simon Brereton wrote:
>>
>> Hi
>>
>> This is a new one on me - I've never seen spammers attempt to use SASL
>> Auth to inject spam.  Has anyone else seen this?
>>
>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from
>> unknown[208.86.147.92]
>> Oct 17 15:07:16 mail dovecot: auth(default):
>> passdb([hidden email],208.86.147.92): Attempted login with password
>> having illegal chars
>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1
>> attempts): user=<[hidden email]>, method=PLAIN, rip=208.86.147.92,
>> lip=83.170.64.84
>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92:
>> hostname default-208-86-147-92.nsihosting.net verification failed: Name or
>> service not known
>>
>>
>> Simon
>>
> I use Fail2Ban to block (automatic firewall) these attempts. You can't be
> too restrictive or you'll block real users trying to set up their email
> accounts. Fail2Ban can be set to do a Whois lookup on the offending IP
> address. If I see it is a US provider, I normally forward the message to the
> abuse@ address and more times than not, they take care of the kiddie script
> problem.
>
> Basically, they run dictionary attacks on every service available to the
> public.

Hi John - I can see it is a dictionary attack.  I get loads of them
and they don't worry me - I've just never had one try to authenticate
for the purpose of sending spam.  All these attempts failed because
the users they were trying (newsletter, test, dummy, etc.) don't exist.
I've already asked over at the Dovecot list what happens if they hit
a real user...  In the meantime I need to update my dovecot jail.

I just wondered if anyone else had seen a brute-force attack on SASL before.

Does your approach for sending to abuse work for Roadrunner?  I have
1000 pings a day from a host on RR cable and when I tried to email
[hidden email], the connection timed out and the mail sits in the queue
for 5 days before timing out.

Simon
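John's Fail2Ban advice and Simon's "update my dovecot jail" both come down to the same detection logic: count Dovecot login failures per source address inside a sliding time window and block the address once it crosses a threshold. The following is an added Python example written for this page (it is not fail2ban and not code from any participant in the thread) that implements that logic over a constructed log sample modelled on the lines quoted here, with mailbox names replaced by example.com addresses. The regular expressions, the maxretry/findtime values and the assumed year 2011 are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on the Dovecot lines quoted in this thread
# (mailbox names replaced with example.com addresses).  Syslog lines carry no
# year, so 2011 is assumed below.
SAMPLE_LOG = """\
Oct 17 05:26:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:26:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:47:00 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:47:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:47:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:48:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter@example.com,208.86.147.92): Attempted login with password having illegal chars
Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<newsletter@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:07:19 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:07:21 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dummy@example.com>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
Oct 17 15:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=83.170.64.84
Oct 17 16:45:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=83.170.64.84
"""

# Syslog prefix shared by every Dovecot line we care about.
_TS = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
_IP = r"(?P<rip>[0-9a-fA-F.:]+)"

# The three line shapes seen in this thread, each counted as one strike.
# These expressions were written for this example, not taken from fail2ban.
FAIL_PATTERNS = [
    # pop3/imap login that ended with an authentication failure
    re.compile(_TS + r"(?:pop3|imap)-login: Disconnected \(auth failed, \d+ attempts\): .*rip=" + _IP + r","),
    # passdb rejected the submitted password outright
    re.compile(_TS + r"auth\(\w+\): passdb\([^,]*," + _IP + r"\): Attempted login with password having illegal chars"),
    # TLS handshake that never reached authentication (the "woodpecker" shape)
    re.compile(_TS + r"(?:pop3|imap)-login: Disconnected \(no auth attempts\): rip=" + _IP + r",.*TLS handshaking: Disconnected"),
]


def parse_failures(lines, year=2011):
    """Return (timestamp, remote_ip) for every line matching a failure pattern."""
    events = []
    for line in lines:
        for pattern in FAIL_PATTERNS:
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
                events.append((ts, m.group("rip")))
                break  # one strike per line, whichever pattern hit first
    return events


def find_bans(events, maxretry=4, findtime=600):
    """fail2ban-style sliding window: ban an address once it has `maxretry`
    strikes within `findtime` seconds.  Returns {ip: time_of_ban}.  The
    defaults are assumptions (Simon mentions a ban after 4 failures)."""
    window = defaultdict(deque)
    banned = {}
    for ts, rip in sorted(events):
        if rip in banned:
            continue  # already blocked; later lines change nothing
        strikes = window[rip]
        strikes.append(ts)
        # drop strikes that fell out of the window, measured from the newest one
        while (ts - strikes[0]).total_seconds() > findtime:
            strikes.popleft()
        if len(strikes) >= maxretry:
            banned[rip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in sorted(find_bans(parse_failures(SAMPLE_LOG.splitlines())).items()):
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

On the sample, 208.86.147.92 is banned at the fourth strike (15:07:21) and the 74.66.25.222 host at 05:48:58, while the single user at 198.51.100.7 with two failures an hour apart is never touched; that last case is exactly the "real users setting up their email" trap John warns about, and findtime/maxretry are the knobs that control it. Counting the "no auth attempts" TLS disconnects as strikes is a design choice made here because the thread shows fail2ban handling that host; a strict reading would count only the two real authentication failures.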

Re: Spammers attempting SASL auth.

Robert Schetterer
Am 17.10.2011 17:50, schrieb Simon Brereton:

> On 17 October 2011 11:38, John Hinton <[hidden email]> wrote:
>> On 10/17/2011 11:13 AM, Simon Brereton wrote:
>>>
>>> Hi
>>>
>>> This is a new one on me - I've never seen spammers attempt to use SASL
>>> Auth to inject spam.  Has anyone else seen this?
>>>
>>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from
>>> unknown[208.86.147.92]
>>> Oct 17 15:07:16 mail dovecot: auth(default):
>>> passdb([hidden email],208.86.147.92): Attempted login with password
>>> having illegal chars
>>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1
>>> attempts): user=<[hidden email]>, method=PLAIN, rip=208.86.147.92,
>>> lip=83.170.64.84
>>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92:
>>> hostname default-208-86-147-92.nsihosting.net verification failed: Name or
>>> service not known
>>>
>>>
>>> Simon
>>>
>> I use Fail2Ban to block (automatic firewall) these attempts. You can't be
>> too restrictive or you'll block real users trying to set up their email
>> accounts. Fail2Ban can be set to do a Whois lookup on the offending IP
>> address. If I see it is a US provider, I normally forward the message to the
>> abuse@ address and more times than not, they take care of the kiddie script
>> problem.
>>
>> Basically, they run dictionary attacks on every service available to the
>> public.
>
> Hi John - I can see it is a dictionary attack.  I get loads of them
> and they don't worry me -  I've just never had one try to authenticate
> for the purpose of sending spam.  All these attempts failed because
> the users they were trying (newsletter, test, dummy, etc) don't exist.
>  I've already asked over at the Dovecot list what happens if they hit
> a real user...  In the meantime I need to update my dovecot jail.
>
> I just wondered if anyone else had seen a brute-force attack on SASL before..
>
> Does your approach for sending to abuse work for Roadrunner?  I have
> 1000 pings a day from a host on RR cable and when I tried to email
> [hidden email], the connection timed out and the mail sits in the queue
> for 5 days before timing out.
>
> Simon
>
Don't double post lists, this is an SMTP attack, not IMAP/POP3;
use i.e. fail2ban postfix rules for blocking.

What happens sometimes, in other cases, if it's not brute force, is
somebody misconfigured his client and has stuff like
trying out sending mails of, i.e., a kind in an outgoing folder
in short time terms and the computer is left alone with this
(mostly over night).
Most Outlook people...
--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: Spammers attempting SASL auth.

Reindl Harald-2


Am 17.10.2011 17:50, schrieb Simon Brereton:
> Does your approach for sending to abuse work for Roadrunner?  I have
> 1000 pings a day from a host on RR cable and when I tried to email
> [hidden email], the connection timed out and the mail sits in the queue
> for 5 days before timing out

If they are not responsible via abuse/postmaster, block them.
If I see dictionary attacks I generally extend my "iptables-block.sh"
which is called from the global firewall-script:

# 2011-10-09: Dictionary-Attack
# inbound: drop everything arriving from the attacker's address
/sbin/iptables -A INPUT -t filter -p all -s 125.234.0.42 -j DROP
# outbound: packets we send towards the attacker carry its address as the
# destination, so the OUTPUT rule must match with -d (a -s match here never fires)
/sbin/iptables -A OUTPUT -t filter -p all -d 125.234.0.42 -j DROP



Re: Spammers attempting SASL auth.

Stan Hoeppner
On 10/17/2011 10:50 AM, Simon Brereton wrote:

> Does your approach for sending to abuse work for Roadrunner?  I have
> 1000 pings a day from a host on RR cable and when I tried to email
> [hidden email], the connection timed out and the mail sits in the queue
> for 5 days before timing out.

Simon, if you're having zombie problems and you're not yet using
postscreen (2.8 or later required), I suggest you give my FQrDNS-based
PCRE table zombie/residential blocker a spin.  It's super simple to
set up.  Instructions are included as comments in the top of the PCRE file:

http://www.hardwarefreak.com/fqrdns.pcre

You didn't provide the connection info for the rr.com woodpecker, so I
can't verify if I'm blocking it.  The table is currently blocking 7 rDNS
patterns in rr.com, most if not all of it.  If it doesn't block your
particular rr.com woodpecker please provide the connection info and I'll
write another expression to kill it, or modify an existing one.

--
Stan
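Stan's blocker works by running the connecting client's reverse DNS name through a Postfix pcre: access table of expressions that describe generic, IP-literal hostnames. The following is an added Python example, written for this page and not derived from fqrdns.pcre, that models how Postfix evaluates such a table (first matching rule wins, case-insensitive by default, "!" negates a rule) against a small constructed table; the expressions in that table, the example.net/example.org client names and the toggle semantics of the "i" flag (as documented in pcre_table(5)) are the assumptions here. The one name taken from the thread is the rDNS of the first post's client, default-208-86-147-92.nsihosting.net.

```python
import re

# Constructed example table in Postfix pcre: access-table syntax.  These are
# NOT the expressions from fqrdns.pcre; they are assumptions made for the demo.
EXAMPLE_TABLE = r"""
# A leading "!" negates the match: a client name without any dot (Postfix
# reports a client whose rDNS failed verification as "unknown") stops here.
!/\./                                      DUNNO
# Exempt a known legitimate server before the generic rules (first match wins).
/^mail\.example\.org$/                     OK
# Generic, IP-literal reverse names typical of residential/dynamic pools.
/^default-\d+-\d+-\d+-\d+\./               REJECT Generic rDNS, please relay through your provider
/^(?:cpe|cable|dsl|dyn|pool)[-.]/          REJECT Generic rDNS, please relay through your provider
/\d+-\d+-\d+-\d+\.(?:dynamic|res|dyn)\./   REJECT Generic rDNS, please relay through your provider
"""

# One table line: optional "!" negation, /regex/, optional flags, then the action.
_LINE_RE = re.compile(r"^(?P<neg>!?)/(?P<regex>(?:\\.|[^/])*)/(?P<flags>[a-z]*)\s+(?P<action>.+?)\s*$")


def parse_pcre_table(text):
    """Parse a Postfix-style pcre: table into [(negated, compiled_regex, action)].

    Per pcre_table(5), matching is case-insensitive by default and the "i"
    flag toggles that; "x" toggles extended syntax.  $1 substitutions,
    IF/ENDIF blocks and the remaining flags are not modelled in this example.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse table line: {raw!r}")
        opts = re.IGNORECASE
        for flag in m.group("flags"):
            if flag == "i":
                opts ^= re.IGNORECASE
            elif flag == "x":
                opts ^= re.VERBOSE
            else:
                raise ValueError(f"flag {flag!r} not supported in this example")
        rules.append((m.group("neg") == "!", re.compile(m.group("regex"), opts), m.group("action")))
    return rules


def lookup(rules, client_name):
    """First matching rule wins, as in Postfix; None means no rule matched and
    smtpd would simply move on to the next restriction in the list."""
    for negated, regex, action in rules:
        if (regex.search(client_name) is not None) != negated:
            return action
    return None


if __name__ == "__main__":
    rules = parse_pcre_table(EXAMPLE_TABLE)
    # The first name is from the thread; the others are constructed.
    for name in ("default-208-86-147-92.nsihosting.net", "cpe-192-0-2-10.example.net",
                 "mail.example.org", "smtp.example.com", "unknown"):
        print(f"{name:40s} -> {lookup(rules, name) or 'no match'}")
```

One caveat worth checking before deploying a table like this: the client in Simon's first post logged "hostname default-208-86-147-92.nsihosting.net verification failed", so Postfix treats that client's name as "unknown" and a check_client_access lookup never sees the rDNS string at all. To match on an unverified reverse name the table has to be attached with check_reverse_client_hostname_access (Postfix 2.6 and later), and clients with a verified name are still best handled by the same expressions under check_client_access.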

Re: Spammers attempting SASL auth.

Simon Brereton-2
On 17 October 2011 19:43, Stan Hoeppner <[hidden email]> wrote:

> On 10/17/2011 10:50 AM, Simon Brereton wrote:
>
>> Does your approach for sending to abuse work for Roadrunner?  I have
>> 1000 pings a day from a host on RR cable and when I tried to email
>> [hidden email], the connection timed out and the mail sits in the queue
>> for 5 days before timing out.
>
> Simon, if you're having zombie problems and you're not yet using
> postscreen (2.8 or later required), I suggest you give my FQrDNS-based
> PCRE table zombie/residential blocker a spin.  It's super simple to
> set up.  Instructions are included as comments in the top of the PCRE file:
>
> http://www.hardwarefreak.com/fqrdns.pcre
>
> You didn't provide the connection info for the rr.com woodpecker, so I
> can't verify if I'm blocking it.  The table is currently blocking 7 rDNS
> patterns in rr.com, most if not all of it.  If it doesn't block your
> particular rr.com woodpecker please provide the connection info and I'll
> write another expression to kill it, or modify an existing one.

Thanks Stan.  I'll check that out.  I am using postfix-policyd on 2.7.1 atm.

My woodpecker is unfortunately pecking on dovecot - so fail2ban takes
care of him every 4 failures....

Oct 17 05:26:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:26:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:47:00 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:47:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:47:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:48:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 05:48:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 06:09:01 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 06:09:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 06:09:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected
Oct 17 06:10:58 mail dovecot: imap-login: Disconnected (no auth attempts): rip=74.66.25.222, lip=83.170.64.86, TLS handshaking: Disconnected

Thanks to all for the help/perspective.

Simon