
Trends & Patterns in E-mail Attacks

Eric Pretorious

Regular Pleskian
In the process of writing a daemon to monitor and respond to failed login attempts, I noticed this pattern repeated numerous times every day:
  1. Five simultaneous connections - never any more, never any less:
    Code:
    Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[446]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[447]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[449]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[450]: connect from 592329.soborka.net[94.158.158.194]
  2. Followed by five simultaneous authentication failures:
    Code:
    Sep  9 04:00:34 www postfix/smtpd[444]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[446]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[447]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[449]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[450]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Has anyone else been noticing the same pattern?
Most standard configurations for "fail2ban", or other log-scanning tools for malicious signs, count to "5" attempts before the possible intruder / hacker / bot / script / or whatever... is banned via iptables, firewall rules or other ways to stop the attempts. Most of the scripts/bots aren't aware of being blocked and still continue their attempts, even though the desired IP/network is unreachable for them. That's why the script kiddies changed some scripts/bots to a maximum of 5 attempts per hour/day/week, which isn't really new information when you read several security discussion boards. For that reason you should investigate your logs from time to time, so you can adjust your configurations to the actual conditions. ^^
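An added detector (my example, not code from the thread) for the pattern in the opening post and the threshold point in the reply above: it parses postfix SASL failure lines, reports bursts of several failures from one IP in the same second, and counts failures per IP over a sliding window the way fail2ban's maxretry/findtime does, so that a longer findtime still catches a bot that rations itself to five attempts per hour. The log lines, host name and IP 192.0.2.10 are constructed; the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)

def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for every SASL authentication failure; other lines are ignored."""
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def simultaneous_bursts(lines, min_parallel=2):
    """The thread's signature: several failures from one IP in the same second (parallel sessions)."""
    counts = defaultdict(int)
    for ts, ip in parse_failures(lines):
        counts[(ip, ts)] += 1
    return {key: n for key, n in counts.items() if n >= min_parallel}

def offenders(lines, allowed, window_seconds):
    """{ip: peak count} for IPs with more than `allowed` failures inside any span of `window_seconds`
    (sliding window over sorted timestamps, the same idea as fail2ban's maxretry/findtime)."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits > allowed:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged

def sample_log():
    """Constructed sample: bursts of exactly five failures, one burst per hour, from a documentation IP."""
    lines = []
    for hour in (4, 5, 6):
        for pid in (444, 446, 447, 449, 450):
            lines.append(f"Sep  9 {hour:02d}:00:34 www postfix/smtpd[{pid}]: warning: "
                         f"host.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure")
    lines.append("Sep  9 04:00:35 www postfix/smtpd[451]: connect from host.example[192.0.2.10]")
    return lines
```

With `allowed=5` and a ten-minute window the five-per-burst sample is never flagged; widening the window to a day flags the same IP at 15 failures.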
 
Thanks, UFHH01!