
distributed smtpauth attacks on [mailer-daemon]

Comments

3 comments

  • cPRex Jurassic Moderator

    Hey hey!  We don't support CSF, but could you post the details you're seeing here so we can see what it says?

  • WorkinOnIt

    Thanks!

    Sure, here are some:

    exim rejectlog:

    2024-03-27 12:54:28 dovecot_login authenticator failed for ([203.110.83.226]) [203.110.83.226]:34522: 535 Incorrect authentication data (set_id=mailer-daemon)
    
    2024-03-27 12:44:11 dovecot_login authenticator failed for ([175.202.13.55]) [175.202.13.55]:43160: 535 Incorrect authentication data (set_id=mailer-daemon@serverhostname)
    

    The frequency seems to be every 30 - 60 seconds.

    LFD.log (lots of entries)

    Mar 27 11:36:50 servername lfd[17209099090]: 221.163.227.238 (KR/South Korea/-), 10 distributed smtpauth attacks on account [mailer-daemon@server-hostname] in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_DISTATTACK]
    


    Now, obviously it's a good thing that CSF is doing its job. And I see this similar post, and I'm aware there'll be a lot of traffic, but on the mailer-daemon / server hostname it seems a bit strange, and I'm wondering if I've left a door open somewhere...


  • cPRex Jurassic Moderator

    Do you also have cPHulk enabled on the machine?  That would block any IP addresses with too many failed logins.

    I wouldn't be too worried about that address - the mailer-daemon and the hostname are an easy target for automated scripts to use to try accounts that may exist on the server.

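The exim rejectlog lines WorkinOnIt quoted, and the LF_DISTATTACK block that LFD produced from them, illustrate two different brute-force shapes: many source IPs each trying one account a few times (distributed), versus one IP hammering one account. The Python below is an added example, not code from the thread or from CSF/LFD, that parses rejectlog lines of the shape quoted above and applies both checks over a sliding time window. Assumptions: the regex is written to the one line format shown in the thread; the sample log lines, IP addresses, thresholds (`min_unique_ips`, `threshold`) and the choice to group `mailer-daemon` and `mailer-daemon@hostname` together by local part are all constructed here and are not CSF's actual settings or logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the exim rejectlog line shape quoted in the thread (constructed regex,
# not taken from exim or CSF sources). Other rejectlog lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<auth>\S+) authenticator "
    r"failed for \((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"535 Incorrect authentication data \(set_id=(?P<account>[^)]*)\)$"
)

# Constructed sample rejectlog (documentation IP ranges, invented timestamps).
SAMPLE_REJECTLOG = """\
2024-03-27 12:30:02 dovecot_login authenticator failed for ([198.51.100.11]) [198.51.100.11]:50122: 535 Incorrect authentication data (set_id=mailer-daemon)
2024-03-27 12:31:45 dovecot_login authenticator failed for ([198.51.100.12]) [198.51.100.12]:50311: 535 Incorrect authentication data (set_id=mailer-daemon@serverhostname)
2024-03-27 12:33:10 dovecot_login authenticator failed for ([198.51.100.13]) [198.51.100.13]:41002: 535 Incorrect authentication data (set_id=mailer-daemon)
2024-03-27 12:34:58 dovecot_login authenticator failed for ([198.51.100.14]) [198.51.100.14]:41877: 535 Incorrect authentication data (set_id=MAILER-DAEMON@serverhostname)
2024-03-27 12:36:20 dovecot_login authenticator failed for ([198.51.100.15]) [198.51.100.15]:39004: 535 Incorrect authentication data (set_id=mailer-daemon)
2024-03-27 12:37:51 dovecot_login authenticator failed for ([198.51.100.16]) [198.51.100.16]:52990: 535 Incorrect authentication data (set_id=mailer-daemon@serverhostname)
2024-03-27 12:40:00 dovecot_login authenticator failed for (mx.example.net) [203.0.113.9]:60001: 535 Incorrect authentication data (set_id=alice@example.com)
2024-03-27 12:40:03 dovecot_login authenticator failed for (mx.example.net) [203.0.113.9]:60002: 535 Incorrect authentication data (set_id=alice@example.com)
2024-03-27 12:40:07 dovecot_login authenticator failed for (mx.example.net) [203.0.113.9]:60003: 535 Incorrect authentication data (set_id=alice@example.com)
2024-03-27 12:40:12 dovecot_plain authenticator failed for (mx.example.net) [203.0.113.9]:60004: 535 Incorrect authentication data (set_id=alice@example.com)
2024-03-27 12:40:15 dovecot_login authenticator failed for (mx.example.net) [203.0.113.9]:60005: 535 Incorrect authentication data (set_id=alice@example.com)
2024-03-27 12:41:00 SMTP connection from [192.0.2.77]:44121 lost
"""


def parse_line(line):
    """Return a dict for one AUTH-failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    # Assumption: "mailer-daemon" and "mailer-daemon@host" target the same mailbox,
    # so group on the lower-cased local part.
    ev["local_part"] = ev["account"].split("@", 1)[0].lower()
    return ev


def parse_log(text):
    """Parse a whole rejectlog excerpt, dropping lines that are not AUTH failures."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def distributed_attacks(events, window=timedelta(seconds=3600), min_unique_ips=6):
    """Many sources, one account: for each local part, report the IPs seen in the
    first sliding window holding >= min_unique_ips distinct source addresses."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev["local_part"]].append(ev)
    hits = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide the window's left edge
                start += 1
            ips = {e["ip"] for e in evs[start:end + 1]}
            if len(ips) >= min_unique_ips:
                hits[acct] = sorted(ips)
                break
    return hits


def per_ip_failures(events, window=timedelta(seconds=3600), threshold=5):
    """One source, any account: IPs with >= threshold failures inside one window,
    reported with the failure count that tripped the threshold."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["ts"])
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = end - start + 1
                break
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_REJECTLOG)
    print(f"{len(events)} AUTH failures parsed")
    for acct, ips in distributed_attacks(events).items():
        print(f"distributed attack on [{acct}] from {len(ips)} IPs: {', '.join(ips)}")
    for ip, n in per_ip_failures(events).items():
        print(f"single-source brute force from {ip}: {n} failures")
```

Run against the constructed log, the mailer-daemon attempts trip the distributed check (six addresses, one mailbox, each address seen only once, so a per-IP rule alone would never block any of them), while 203.0.113.9 trips the per-IP check against alice@example.com without touching the distributed one. That is the gap LF_DISTATTACK exists to close, and why the per-IP cPHulk/CSF counters alone look quiet while the rejectlog keeps filling.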
