attempted login with seemingly random charachters

keat63

• May 08, 2015 02:07

I've seen a lot of these attempted connections over night, from different IP's and country codes. 2015-05-07 11:57:15 dovecot_plain authenticator failed for (admin-PC) [182.70.72.144]:26649: 535 Incorrect authentication data (set_id=oqdwf8qujt) What I don't understand is the set_id. Each attempt has been what appears to be random characters. Am i correct in assuming that they are trying to log in to an email account called "oqdwf8qujt"

• 

  cPanelMichael

  • May 08, 2015 12:53

  Hello,

  Am i correct in assuming that they are trying to log in to an email account called "oqdwf8qujt"

  
  Yes, that is correct. It's likely a brute force attempt to find a working email account/password combination. Thank you.

  0
• 

  keat63

  • May 11, 2015 13:16

  Just to clarify would the set_id be an email address or password hacking attempt ?

  0
• 

  cPanelMichael

  • May 11, 2015 14:56

  Just to clarify would the set_id be an email address or password hacking attempt ?

  
  It's a username/password combination the brute force attack is attempting to guess. The method used can vary (e.g. trying one password with multiple email accounts vs. trying one email account with multiple passwords). Thank you.

  0
• 

  keat63

  • May 12, 2015 07:27

  I'm currently set very very strict. One failed attempt and they are blocked anyway, so they soon run out of IP's. Plus all the email passwords are strong.

  0
• 

  cre8gr

  • May 12, 2015 10:30

  I'm getting hundred of emails from CSF today telling me the same thing: 2015-05-12 12:10:09 dovecot_plain authenticator failed for (BECOY-PC) [SPAMMER IP]:53606: 535 Incorrect authentication data ([EMAIL='set_id=email@mail.yacht-mydarlings.com">set_id=email@mail.domain.com[/EMAIL]) It's from different countries and only on this domain. This domain doesn't have any mail account setup so he won't login. But I'm having hundreds upon hundreds of temporary blocks in CSF today... What's going on?

  0
• 

  Infopro

  • May 12, 2015 10:42

  You can modify your CSF alerts for these in this section of CSF: Login Failure Blocking and Alerts

  0
• 

  keat63

  • May 14, 2015 07:05

  One day last week i had in excess of 1500 in a 24 hour period. I don't know how many exactly, but my whole csf blacklist had been refreshed over night, so the actual fiugure could have run in to multiple thousands for all i know. Again, some of which were trying to log in to accounts that didn't exist

  0

Please sign in to leave a comment.