
Trends & Patterns in E-mail Attacks

Eric Pretorious

Regular Pleskian
In the process of writing a daemon to monitor and respond to failed login attempts, I noticed this pattern repeated numerous times every day:
  1. Five simultaneous connections - never any more, never any less:
    Code:
    Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[446]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[447]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[449]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[450]: connect from 592329.soborka.net[94.158.158.194]
  2. Followed by five simultaneous authentication failures:
    Code:
    Sep  9 04:00:34 www postfix/smtpd[444]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[446]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[447]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[449]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[450]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Has anyone else been noticing the same pattern?
 
Most standard configurations for "fail2ban", or other log-scanning tools for malicious signs, count to "5" attempts before the possible intruder / hacker / bot / script / or whatever is banned over iptables, firewall rules or other ways to stop the attempts. Most of the scripts/bots aren't aware of being blocked and still continue their attempts, even though the desired IP/network is unreachable for them. That's why the script kiddies changed some scripts/bots to a maximum of 5 attempts per hour/day/week, which isn't really new information when you read several security discussion boards. For that reason you should investigate your logs from time to time, so you can adjust your configurations to the actual conditions. ^^

Thanks, UFHH01!
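As an added illustration, not code from the thread or from Plesk or fail2ban, here is a small Python detector run over constructed Postfix log lines modelled on the ones in the first post: it reports the size of every same-second burst per IP, and flags a source by counting failures over a sliding window much longer than a typical per-burst findtime, so that a bot that keeps each burst small but comes back every hour still crosses a threshold. The regex, the 24-hour window and the threshold of 10 are my assumptions, not defaults of any tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd SASL failure in syslog format (no year); only timestamp, pid and IP are captured.
FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
                     r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")

def parse_failures(lines, year=2024):
    """Yield (timestamp, ip, pid) for each SASL failure line; connect/disconnect lines are ignored."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], int(m["pid"])

def bursts(lines):
    """Per IP, the size of every same-second burst (distinct smtpd pids within one second)."""
    per_sec = defaultdict(set)
    for ts, ip, pid in parse_failures(lines):
        per_sec[(ip, ts)].add(pid)
    out = defaultdict(list)
    for (ip, _), pids in sorted(per_sec.items()):
        out[ip].append(len(pids))
    return dict(out)

def flag_sources(lines, threshold=10, window_hours=24.0):
    """IPs whose failures within some sliding window reach `threshold`, with the peak count.
    A long window and a modest threshold catch a source that keeps each burst small but
    returns every hour, which a short findtime would count afresh each time (assumed values)."""
    window, times, flagged = timedelta(hours=window_hours), defaultdict(list), {}
    for ts, ip, _ in parse_failures(lines):
        times[ip].append(ts)
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def sample_log():
    """Constructed sample modelled on the thread: three bursts of five failures an hour apart
    from the address in the post, plus one failure from an unrelated TEST-NET address."""
    tmpl = ("Sep  9 {t} www postfix/smtpd[{pid}]: warning: 592329.soborka.net[94.158.158.194]: "
            "SASL LOGIN authentication failed: authentication failure")
    lines = ["Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]"]
    lines += [tmpl.format(t=t, pid=444 + i) for t in ("04:00:34", "05:00:12", "06:00:41") for i in range(5)]
    lines.append("Sep  9 04:30:00 www postfix/smtpd[500]: warning: unknown[203.0.113.7]: "
                 "SASL PLAIN authentication failed: authentication failure")
    return lines
```

With the defaults the source from the post is flagged with 15 failures in 24 hours, while a 10-minute window with a threshold of 6 flags nothing, because no burst exceeds five.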
 