[Dovecot] Spammers attempting SASL Auth

Robert Schetterer robert at schetterer.org
Mon Oct 17 18:53:33 EEST 2011


On 17.10.2011 17:51, Simon Brereton wrote:
> On 17 October 2011 11:31, Robert Schetterer <robert at schetterer.org> wrote:
>> On 17.10.2011 17:16, Simon Brereton wrote:
>>> Hi
>>>
>>> This is a new one on me - I've never seen spammers attempt to use SASL Auth to inject spam.  None of the users they are trying (newsletter, dummy, test, etc.) exist, but what worries me is the illegal chars error - is this a known vulnerability in dovecot they are trying to exploit?  I'm running 1:1.2.15-7 installed from apt-get.
>>>
>>> Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]
>>> Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter at mydomain.net,208.86.147.92): Attempted login with password having illegal chars
>>> Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test at mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84
>>> Oct 17 15:07:18 mail postfix/smtpd[14403]: warning: 208.86.147.92: hostname default-208-86-147-92.nsihosting.net verification failed: Name or service not known
>>>
>>>
>>> Simon
>>>
>>
>> this may be a brute force attack, or more simply someone misconfigured his
>> client; you may use fail2ban etc. to block it
>> not directly related to dovecot
> 
> 17 queries in 30 seconds is not a misconfigured client :)
> 
> And I'm already using Fail2Ban - but as someone on this list pointed
> out recently, that doesn't apply if they try X attempts on the same
> connection.  Although, I don't think that was the case here - maybe I
> should update my dovecot jail with that illegal chars line.  But, be
> that as it may - all these attempts failed because the user didn't
> exist.  What if the user exists though?  Does this illegal chars make
> a hole for them to enter through?
> 
> Simon
> 

as I posted to you offlist, this is an SMTP attack, look at your i.e.
fail2ban postfix rules, the fail2ban dovecot rule is for banning pop3/imap
brute force

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
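
An added example, not written by either poster: a Python sketch that counts per-IP Dovecot auth failures over the log excerpt quoted above, matching both the "illegal chars" line and the login "Disconnected" line, and weighting the latter by its reported attempt count so several tries on one connection are not counted as one. The function name, threshold, window and year default are assumptions; the two patterns cover only the line shapes shown in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two Dovecot failure lines from the quoted log. The client IP sits in a
# different place in each, so every pattern carries its own "ip" group.
PATTERNS = [
    re.compile(r"dovecot: auth\(\w+\): passdb\([^,]*,(?P<ip>[0-9a-fA-F.:]+)\): "
               r"Attempted login with password having illegal chars"),
    re.compile(r"dovecot: \w+-login: Disconnected \(auth failed, (?P<n>\d+) "
               r"attempts\).*\brip=(?P<ip>[0-9a-fA-F.:]+)"),
]

# Log lines as quoted in the thread (addresses as the list archive shows them).
SAMPLE = [
    "Oct 17 15:07:16 mail postfix/smtpd[14422]: connect from unknown[208.86.147.92]",
    "Oct 17 15:07:16 mail dovecot: auth(default): passdb(newsletter at mydomain.net,"
    "208.86.147.92): Attempted login with password having illegal chars",
    "Oct 17 15:07:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<test at mydomain.net>, method=PLAIN, rip=208.86.147.92, lip=83.170.64.84",
]

def offenders(lines, threshold=2, window=timedelta(seconds=30), year=2011):
    """Return {ip: failures} for IPs that reach `threshold` failures in `window`.

    Lines must be in chronological order. Syslog timestamps carry no year,
    so one is supplied (assumed 2011, the date of the thread).
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        for pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            q = recent[m["ip"]]
            # One "Disconnected" line can stand for several tries on one connection.
            q.extend([when] * int(m.groupdict().get("n") or 1))
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
            break
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE))
```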

