
Trends & Patterns in E-mail Attacks

Eric Pretorious

Regular Pleskian
In the process of writing a daemon to monitor and respond to failed login attempts, I noticed this pattern repeated numerous times every day:
  1. Five simultaneous connections - never any more, never any less:
    Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[446]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[447]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[449]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[450]: connect from 592329.soborka.net[94.158.158.194]
  2. Followed by five simultaneous authentication failures:
    Sep  9 04:00:34 www postfix/smtpd[444]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[446]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[447]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[449]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[450]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Has anyone else been noticing the same pattern?
 
Most standard configurations for "fail2ban", or other log-scanning tools for malicious signs, count to "5" attempts before the possible intruder / hacker / bot / script / or whatever... is banned over iptables, firewall rules or other ways to stop the attempts. Most of the scripts/bots aren't aware of being blocked and still continue their attempts, even though the desired IP/network is unreachable for them. That's why the script kiddies changed some scripts/bots to a maximum of 5 attempts per hour/day/week, which isn't really new information when you read several security discussion boards. For that reason you should investigate your logs from time to time, so you can adjust your configurations to the actual conditions. ^^
 

Thanks, UFHH01!
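Added example, not code from either poster or from Plesk: a small Python script that parses Postfix smtpd SASL-failure lines like the ones quoted in the opening post, counts failures per client IP inside a sliding time window, and reports every IP whose count reaches a threshold. The threshold/window pair plays the role of the maxretry/findtime idea UFHH01 describes, so the same script shows both the five-at-once burst from the first post and why a once-a-day burst of exactly five stays under a higher per-window threshold unless the window spans the whole day. The sample log is constructed: the Sep 9 04:00:34 lines follow the ones quoted above, while the Sep 10 repeat, the second client 203.0.113.7, its hostname, and the year 2024 are assumptions.

```python
"""Count SASL authentication failures per client IP in Postfix smtpd logs.

Added example (not code from the thread): a sliding-window counter that
reports any client IP whose failure count within a window reaches a
threshold. The threshold/window pair mirrors fail2ban's maxretry/findtime;
the values used below are illustrative assumptions, not fail2ban defaults.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style Postfix line, e.g.
# "Sep  9 04:00:34 www postfix/smtpd[444]: warning: host[1.2.3.4]: SASL LOGIN authentication failed: ..."
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

# Constructed sample log. The Sep 9 04:00:34 burst follows the lines quoted in the
# original post; the Sep 10 burst and the 203.0.113.7 lines are invented to show a
# once-a-day repeat and a slower client. Non-failure lines are included on purpose.
SAMPLE_LOG = [
    "Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]",
    "Sep  9 04:00:34 www postfix/smtpd[444]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep  9 04:00:34 www postfix/smtpd[446]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep  9 04:00:34 www postfix/smtpd[447]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep  9 04:00:34 www postfix/smtpd[449]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep  9 04:00:34 www postfix/smtpd[450]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep  9 05:10:00 www postfix/smtpd[501]: warning: mail.example.invalid[203.0.113.7]: SASL PLAIN authentication failed: authentication failure",
    "Sep  9 05:20:00 www postfix/smtpd[503]: warning: mail.example.invalid[203.0.113.7]: SASL PLAIN authentication failed: authentication failure",
    "Sep  9 05:30:00 www postfix/smtpd[505]: warning: mail.example.invalid[203.0.113.7]: SASL PLAIN authentication failed: authentication failure",
    "Sep 10 04:00:34 www postfix/smtpd[612]: connect from 592329.soborka.net[94.158.158.194]",
    "Sep 10 04:00:34 www postfix/smtpd[612]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep 10 04:00:34 www postfix/smtpd[613]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep 10 04:00:34 www postfix/smtpd[614]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep 10 04:00:34 www postfix/smtpd[615]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
    "Sep 10 04:00:34 www postfix/smtpd[616]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure",
]


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for every SASL failure line; other lines are skipped.

    Syslog omits the year, so one is assumed (year rollover is not handled here).
    """
    for line in lines:
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bursts(lines, threshold=5, window_seconds=600):
    """Return {ip: peak} for each IP whose largest failure count inside any
    window_seconds span reaches threshold."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        per_ip[ip].append(ts)

    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    for threshold, window in ((5, 600), (6, 600), (6, 86400)):
        print(f"threshold={threshold} window={window}s ->",
              find_bursts(SAMPLE_LOG, threshold, window))
```

Run as a script it evaluates the constructed log three ways: the five-at-once client reaches a threshold of 5 inside a ten-minute window, stays invisible to a threshold of 6 with the same window, and reaches a peak of 10 once the window covers a full day, which is the point of re-checking logs against the configured threshold and window rather than trusting a fixed "5".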
 