Email break-in / attack attempt?

Duboux

Hi, I was looking at my exim mainlog, and noticed a lot of lines like these:

2007-08-17 13:38:27 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:28 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:28 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:28 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:28 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:49 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:38:50 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:38:50 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:38:51 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:38:51 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:38:51 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:39:10 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:11 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:11 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:11 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:11 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:11 H=(UATIM-382DBAFEF) [59.35.5.174] incomplete transaction (RSET) from <uycgk@*****>
2007-08-17 13:39:11 H=(UATIM-382DBAFEF) [59.35.5.174] F=<bfilqt@*****> rejected RCPT <[email protected]>: authentication required
2007-08-17 13:39:12 H=(UATIM-382DBAFEF) [59.35.5.174] incomplete transaction (RSET) from <bfilqt@*****>
2007-08-17 13:39:12 H=(UATIM-382DBAFEF) [59.35.5.174] F=<bfilqt@*****> rejected RCPT <[email protected]>: authentication required
2007-08-17 13:39:12 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:12 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:12 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:12 H=(UATIM-382DBAFEF) [59.35.5.174] incomplete transaction (RSET) from <bfilqt@*****>
2007-08-17 13:39:12 H=(UATIM-382DBAFEF) [59.35.5.174] F=<kosv@*****> rejected RCPT <[email protected]>: authentication required
2007-08-17 13:39:58 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:39:58 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:39:58 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:39:58 SMTP call from (UATIM-382DBAFEF) [59.35.5.174] dropped: too many nonmail commands (last was "AUTH")
2007-08-17 13:39:58 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:39:59 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:39:59 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:00 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:00 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:00 SMTP call from (UATIM-382DBAFEF) [59.35.5.174] dropped: too many nonmail commands (last was "AUTH")
2007-08-17 13:40:00 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:40:01 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:01 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:40:02 SMTP call from (UATIM-382DBAFEF) [59.35.5.174] dropped: too many nonmail commands (last was "AUTH")
2007-08-17 13:40:02 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:40:03 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:03 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:40:04 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:05 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:40:06 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:06 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:07 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:07 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=company)
2007-08-17 13:40:07 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:40:07 SMTP call from (UATIM-382DBAFEF) [59.35.5.174] dropped: too many nonmail commands (last was "AUTH")

The ***** is the hostname of the main server IP.

It looks like some kind of break-in / attack attempt.
And it looks like it has been blocked well by Exim (with SpamBlocker2.21 and ClamAV).

Is there anything we can learn from this? Was it trying to get in via known or unknown holes?
And perhaps are there some other logs that are worth checking out?
And is there a way to auto-block the IP after many attempts like these?

Thanx
 
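One way to get the "auto-block after many attempts" answer out of the log itself, as an added example that is not part of this thread and not Exim's own tooling: the script below reads mainlog lines in the format quoted above, tallies failed-AUTH and "rejected RCPT ... authentication required" lines per source IP, records which set_id usernames were tried, and reports every source that reached a threshold of such events inside a time window, printing an iptables rule for each. The sample lines are constructed in the same format as the excerpt (not a real capture); the threshold of 10 events in 10 minutes, the 192.0.2.10 address, and the iptables rule itself are assumptions, and the rule is only printed, never run. The list of usernames tried (admin, root, test, demo, master) is the part worth looking at when asking what the client was after: a run of generic account names against AUTH LOGIN, followed by relay attempts once authentication failed.

```python
"""Tally failed SMTP AUTH and rejected relay attempts per source IP from Exim
mainlog lines and decide which sources have crossed a block threshold.

Added example for this thread, not Exim's own tooling.  The threshold, the
time window and the iptables rule it prints are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample in the mainlog format quoted in the post (not a real
# capture): one host hammering AUTH LOGIN with guessed usernames and then
# trying to relay, plus one unrelated single failure from a second address.
SAMPLE_LOG = """\
2007-08-17 13:38:27 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:28 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:28 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=admin)
2007-08-17 13:38:49 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:38:50 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=root)
2007-08-17 13:39:10 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=test)
2007-08-17 13:39:11 H=(UATIM-382DBAFEF) [59.35.5.174] incomplete transaction (RSET) from <uycgk@example.net>
2007-08-17 13:39:11 H=(UATIM-382DBAFEF) [59.35.5.174] F=<bfilqt@example.net> rejected RCPT <[email protected]>: authentication required
2007-08-17 13:39:12 H=(UATIM-382DBAFEF) [59.35.5.174] F=<kosv@example.net> rejected RCPT <[email protected]>: authentication required
2007-08-17 13:39:58 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=demo)
2007-08-17 13:39:58 login authenticator failed for (UATIM-382DBAFEF) [59.35.5.174]: 535 Incorrect authentication data (set_id=master)
2007-08-17 13:39:58 SMTP call from (UATIM-382DBAFEF) [59.35.5.174] dropped: too many nonmail commands (last was "AUTH")
2007-08-17 13:41:00 Start queue run: pid=4242
2007-08-17 13:45:00 login authenticator failed for mail.example.org (laptop) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
"""

TS = r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
# Exim writes the peer as "hostname (helo) [ip]"; hostname and HELO name are optional.
PEER = r'(?:(?P<host>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]'

AUTH_FAIL = re.compile(
    rf'^{TS} (?P<auth>\S+) authenticator failed for {PEER}:.*\(set_id=(?P<user>[^)]*)\)')
RELAY_REJECT = re.compile(
    rf'^{TS} H={PEER} F=<[^>]*> rejected RCPT <[^>]*>: authentication required')
DROPPED = re.compile(rf'^{TS} SMTP call from {PEER} dropped: (?P<why>.*)$')


@dataclass
class SourceStats:
    ip: str
    auth_failures: int = 0
    relay_rejects: int = 0
    drops: int = 0
    users: set = field(default_factory=set)      # set_id values the client tried
    helos: set = field(default_factory=set)      # HELO/EHLO names it announced
    events: list = field(default_factory=list)   # timestamps of auth failures and relay rejects


def parse_mainlog(text):
    """Return {ip: SourceStats} for every peer that failed AUTH, was refused relay, or got dropped."""
    stats = {}
    for line in text.splitlines():
        for pattern, kind in ((AUTH_FAIL, 'auth'), (RELAY_REJECT, 'relay'), (DROPPED, 'drop')):
            m = pattern.match(line)
            if m:
                break
        else:
            continue  # deliveries, queue runs and other lines are not of interest here
        s = stats.setdefault(m['ip'], SourceStats(m['ip']))
        if m['helo']:
            s.helos.add(m['helo'])
        when = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        if kind == 'auth':
            s.auth_failures += 1
            s.users.add(m['user'])
            s.events.append(when)
        elif kind == 'relay':
            s.relay_rejects += 1
            s.events.append(when)
        else:
            s.drops += 1
    return stats


def exceeds_threshold(events, threshold, window):
    """True if some run of `threshold` consecutive events fits inside `window`."""
    threshold = max(threshold, 1)
    ts = sorted(events)
    return any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1))


def sources_to_block(stats, threshold=10, window=timedelta(minutes=10)):
    """IPs whose auth failures plus relay rejects reached `threshold` inside `window` (assumed policy)."""
    return sorted(ip for ip, s in stats.items()
                  if exceeds_threshold(s.events, threshold, window))


def block_commands(ips, chain='INPUT'):
    """Illustrative iptables rules (an assumed deployment choice); only returned as strings, never executed."""
    return [f'iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP' for ip in ips]


if __name__ == '__main__':
    stats = parse_mainlog(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f'{ip}: {s.auth_failures} auth failures (users tried: {", ".join(sorted(s.users))}), '
              f'{s.relay_rejects} relay attempts refused, {s.drops} connections dropped, helo={sorted(s.helos)}')
    for cmd in block_commands(sources_to_block(stats)):
        print(cmd)
```

Run it against a real mainlog with `parse_mainlog(open('/var/log/exim/mainlog').read())` (the path is an assumption; it varies by build) and tune the threshold and window before wiring the output to anything that changes firewall state. Counting relay rejects together with auth failures matters because a client that is refused relay keeps trying AUTH, as the excerpt shows, and the two together are what distinguish a credential-guessing client from a user who mistyped a password a few times.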
Yeah, if I had my way I would block China-Net altogether. Unfortunately I have a U.S. customer who works with a dropship supplier in China who is on DHCP and bounces around a large spectrum of IPs. I could probably drop the spam load and attempted-exploit load on the servers by 80% if I did block them.

In your case I think this might help. In the command area of your exim.conf, add this.

smtp_accept_max_nonmail = 5

There is no reason for a server to send a nonmail command in my own experience. This gives them 5 mistakes and closes the connection. This has helped with the load on my machines and I have never had any customer complaints because of it. You might also want to add some or all of these.

# Greeting line only: the default banner also announces the hostname and Exim version
smtp_banner = "SMTP"
# Drop a client that sends no command or data line for 5 minutes (this is the default)
smtp_receive_timeout = 5m
# Maximum simultaneous incoming SMTP connections (this is the default)
smtp_accept_max = 20
# Bytes of the message body made visible in $message_body for ACL and filter tests (default 500)
message_body_visible = 2000
# Also treat characters 160-255 as printable (affects how 8-bit text is logged)
print_topbitchars = true
# Drop the connection after 5 non-mail commands such as AUTH, RSET or NOOP (default 10);
# this is the limit behind the "too many nonmail commands" lines in the log above
smtp_accept_max_nonmail = 5
# Drop the connection after 5 unrecognised commands (default 3)
smtp_max_unknown_commands = 5
# Maximum simultaneous connections from any single host (default 0 = unlimited)
smtp_accept_max_per_host = 5

As you can tell, 5 seems to be my magic number.

BigWil
 
Thanx BigWil :)

What does smtp_banner = "SMTP" do?

And btw, I blocked that IP as well.
 
It reduces the banner to keep hackers and kiddies from identifying the mail server. The less information they have, the better.

BigWil
 