Hi Francis,

I had a look at the tcpdump, and I can see the LOGIN command, but the data
is encoded.

Is there an algorithm that will decode it?  Obviously there is one IN xmail,
but I'm no C programmer to knock something up !!

I've got tcpdump saving to a cap file, then I'll install wireshark and view
it a little easier - perhaps Wireshark will decode it for my viewing?

Rob :-)

-----Original Message-----
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org]
On Behalf Of Rob Arends
Sent: Thursday, January 20, 2011 12:28 AM
To: 'XMail Users Mailing List'
Subject: Re: [xmail] Knowing who is failing Auth Logins

Hi Francis,

Yes I was afraid of that.
I was hoping that someone had extended the source so that the log file
reported the attempted username.

Rob :-)

-----Original Message-----
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org]
On Behalf Of fcxm...@aquinet.net
Sent: Wednesday, January 19, 2011 6:33 PM
To: 'XMail Users Mailing List'
Subject: Re: [xmail] Knowing who is failing Auth Logins


Hello Rob

Nothing to do in xmail to get more information, except to run it in debug
mode, perhaps.

Why not try to schedule a tcpdump on smtp port 25 for the time period you
want (5mn before xx:00 up to 5mn after xx:00 for some days)?
Then you could find more information in the tcp dump (like auth attempt and
values, or exact smtp commands sent)

Francis



-----Original Message-----
From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org]
On Behalf Of Rob Arends
Sent: Tuesday, January 18, 2011 14:43
To: xmail@xmailserver.org
Subject: [xmail] Knowing who is failing Auth Logins


Hello,

I'm running xmail 1.27 on RHEL5.5

The SMTP logs are showing a single AUTH=EFAIL:TYPE=LOGIN every hour at xx:00
hours.
It is coming from the same PC I believe, although IP changes, the ISP and
area indicated by the rDNS suggests it is the same PC.
Most mail clients attempt POP3 more than once an hour, so I'm suspicious.

The logs don't indicate the username in the login attempt.

Is there any way to report on the username that is being used in the
attempt?
If nothing else I can contact the user.
However if it is a low speed dictionary attack, I'd like to be able to
identify that and take some action.

Any ideas?

Rob  :-)

_______________________________________________
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail
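
Added example, not part of the original thread and not XMail code: SMTP AUTH LOGIN sends the username and password as base64, so the username asked about at the top of the thread can be read out of the captured session text. The function names, the sample session and the example.test addresses are constructed for illustration; the input is assumed to be the plain-text lines of one reassembled SMTP conversation (for instance Wireshark's "Follow TCP Stream" output).

```python
import base64
import binascii
import re

SERVER_REPLY = re.compile(r"^(\d{3})[ -]")  # reply code, then space or hyphen

def b64_text(token):
    """Decode one base64 AUTH token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def auth_login_attempts(stream_lines):
    """Return [(username, succeeded)] for each AUTH LOGIN exchange."""
    attempts, state, user = [], "idle", None
    for raw in stream_lines:
        line = raw.strip()
        reply = SERVER_REPLY.match(line)
        if reply:
            code = reply.group(1)
            # 334 is the base64 prompt; any other code ends the exchange.
            if state != "idle" and code != "334":
                attempts.append((user, code == "235"))
                state, user = "idle", None
        elif line.upper().startswith("AUTH LOGIN"):
            parts = line.split()
            if len(parts) > 2:   # username sent with the command itself
                user, state = b64_text(parts[2]), "password"
            else:
                user, state = None, "username"
        elif state == "username" and line:
            user, state = b64_text(line), "password"
        elif state == "password" and line:
            state = "result"     # password line is skipped, never decoded
    return attempts

# Constructed sample session (not taken from the capture in this thread).
SAMPLE = """\
EHLO client.example.test
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
cm9iQGV4YW1wbGUudGVzdA==
334 UGFzc3dvcmQ6
cGxhY2Vob2xkZXI=
535 Authentication failed
""".splitlines()
print(auth_login_attempts(SAMPLE))  # [('rob@example.test', False)]
```

A username of None means the client sent something that was not valid base64 (including the `*` cancel token) or the server rejected the command before a username was sent.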
