Miscreant keeps attacking email
A hacker keeps hitting my server:
exim logs set_id=name@domain.com
exim logs:
2025-03-24 09:36:32 dovecot_plain authenticator failed for (xxxxxx.in) [xxxxxxx]:36052 I=[xxxxxxxx]:465: 535 Incorrect authentication data (set_id=name@domain.com)
I want to block this user, "name@domain.com", who originates from multiple countries, from hitting my server.
Is there a way to block based on the originating "set_id", which is always the same name?
Thanks.
Hey there! Would the WHM >> Filter Incoming Emails by Domain tool work for this situation? It would block the entire *.domain.com, but that's likely the easiest option.
It's not inbound email; it's a hacker trying to brute-force a login name. They always try the same name@domain.com (a user on my system) with a bad password, always with the dovecot_plain authenticator. They are trying to log in to the email system to send out spam or malicious files.
Is cPHulk not picking it up? The default settings are 15 failed attempts, but you can always lower that value, and it also has an IP blocking feature with 5 failed attempts from the same IP as the default.
Here is what the exim logs show:
2025-03-24 16:12:31 dovecot_login authenticator failed for ([1xx.28.226.1xx]) [xxx.28.xxx.xxx]:37375 I=[xx.xx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=paris@domain-name.com)
2025-03-24 16:33:56 dovecot_plain authenticator failed for (2xx-197-1xx-1xx.static.xxx.com) [xxx.xxx.153.xxx]:50927 I=[xx.xx.xx.xxx]:465: 535 Incorrect authentication data (set_id=jasper@domain-name.com)
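An added example, not code from the thread or from cPanel: a Python script that parses exim mainlog "authenticator failed" lines in the format quoted above, groups the failures by set_id and by source IP, and emits CSF deny commands for every address that failed against one login. A firewall only sees addresses, so "blocking by set_id" in practice means deriving the IP list from the log this way; counting distinct IPs per account also surfaces the distributed pattern (one or two tries per address) that a per-IP threshold such as cPHulk's default does not see. The log lines embedded below are constructed, using RFC 5737 documentation addresses; the thresholds and the allowlisted address are placeholders.

```python
import re
from collections import Counter, defaultdict

# Regex for the exim mainlog "authenticator failed" format quoted in the thread.
# The HELO name in parentheses is optional and may itself contain brackets,
# e.g. "([1xx.28.226.1xx])"; masked values such as "[xxxxxxx]" also parse.
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<auth>\S+) authenticator failed for '
    r'(?:\((?P<helo>[^)]*)\) )?'
    r'\[(?P<ip>[^\]]+)\]:(?P<port>\d+) '
    r'I=\[(?P<local_ip>[^\]]+)\]:(?P<local_port>\d+): '
    r'535 Incorrect authentication data \(set_id=(?P<set_id>[^)]*)\)\s*$'
)

# Constructed sample log (not from the thread); IPs are RFC 5737 documentation addresses.
# One login is hit from four addresses, one of which is the only one noisy enough
# to trip a per-IP threshold on its own. The last line is unrelated noise.
SAMPLE_LOG = """\
2025-03-24 09:36:32 dovecot_plain authenticator failed for (mail.example.in) [198.51.100.7]:36052 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 09:41:10 dovecot_plain authenticator failed for ([203.0.113.44]) [203.0.113.44]:51120 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 10:02:55 dovecot_login authenticator failed for (static.example.net) [203.0.113.91]:37375 I=[192.0.2.10]:587: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 10:15:01 dovecot_plain authenticator failed for (host.example.org) [198.51.100.23]:50927 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 10:15:02 dovecot_plain authenticator failed for (host.example.org) [198.51.100.23]:50931 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 10:15:03 dovecot_plain authenticator failed for (host.example.org) [198.51.100.23]:50940 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 10:15:04 dovecot_plain authenticator failed for (host.example.org) [198.51.100.23]:50944 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 10:15:05 dovecot_plain authenticator failed for (host.example.org) [198.51.100.23]:50951 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=name@domain.com)
2025-03-24 11:20:17 dovecot_plain authenticator failed for (other.example.com) [198.51.100.40]:40001 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=jasper@domain-name.com)
2025-03-24 11:20:18 completed
"""


def parse_auth_failures(log_text):
    """Return one dict (ts, auth, helo, ip, port, local_ip, local_port, set_id)
    per 'authenticator failed' line; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def ips_per_account(events):
    """set_id -> Counter of source IPs (failures each IP produced against that login)."""
    by_account = defaultdict(Counter)
    for e in events:
        by_account[e['set_id']][e['ip']] += 1
    return by_account


def targeted_accounts(events, min_distinct_ips=2):
    """Logins attacked from several addresses: the distributed pattern that a
    per-IP limit (the 5-per-IP default the thread mentions) never reaches."""
    return sorted(acc for acc, ips in ips_per_account(events).items()
                  if len(ips) >= min_distinct_ips)


def noisy_ips(events, max_failures_per_ip=5):
    """Addresses that would trip a per-IP threshold by themselves."""
    counts = Counter(e['ip'] for e in events)
    return sorted(ip for ip, n in counts.items() if n >= max_failures_per_ip)


def csf_deny_commands(events, set_id, allowlist=()):
    """Build 'csf -d IP comment' lines (CSF's permanent deny) for every address that
    failed against set_id. The allowlist (placeholder) keeps the real user's own
    addresses, which also produce failures when they mistype a password, out of it."""
    cmds = []
    for ip, n in sorted(ips_per_account(events).get(set_id, {}).items()):
        if ip in allowlist:
            continue
        cmds.append(f'csf -d {ip} "exim auth brute force against {set_id} ({n} failures)"')
    return cmds


if __name__ == '__main__':
    ev = parse_auth_failures(SAMPLE_LOG)
    print(f'{len(ev)} failed-auth events')
    print('logins hit from multiple IPs:', targeted_accounts(ev))
    print('IPs already over the per-IP threshold:', noisy_ips(ev))
    for cmd in csf_deny_commands(ev, 'name@domain.com', allowlist={'203.0.113.91'}):
        print(cmd)
```

Run against the live log with `parse_auth_failures(open('/var/log/exim_mainlog').read())`; review the generated `csf -d` lines before executing them, since any address the legitimate owner of the mailbox logs in from will appear in the same list.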