Rob, I don't know if Wireshark can decode it, but it depends on the LOGIN
method attempted:

AUTH PLAIN method
In this case the login and password are just "encoded" (not encrypted) in
Base64 in the next client packet after the server 334 response

AUTH LOGIN method
Again login and password are just "encoded" in Base64 but sent in two
sequences (first 334 server, then client sends login, then server sends 334
then client sends password)

In these two cases I think you could easily find on the net a Base64
'decoder' (probably a web page with a JavaScript form doing the decode)  :)

If AUTH CRAM-MD5, it is more complicated, because it uses a 'challenge'
(encoded in Base64), then MD5 encryption with the password as the key on the
challenge

More explanations here for these AUTH methods:
http://www.samlogic.net/articles/smtp-commands-reference-auth.htm

Expecting the 'client' uses PLAIN or LOGIN to help you quickly :)

Regards
Francis


>-----Original Message-----
>From: xmail-boun...@xmailserver.org
>[mailto:xmail-boun...@xmailserver.org] On Behalf Of Rob Arends
>Sent: Wednesday, January 19, 2011 15:13
>To: 'XMail Users Mailing List'
>Subject: Re: [xmail] Knowing who is failing Auth Logins
>
>
>Hi Francis,
>
>I had a look at the tcpdump, and I can see the LOGIN command, but the data
>is encoded.
>
>Is there an algorithm that will decode it?  Obviously there is one IN xmail,
>but I'm no C programmer to knock something up !!
>
>I've got tcpdump saving to a cap file, then I'll install wireshark and view
>it a little easier - perhaps Wireshark will decode it for my viewing?
>
>Rob :-)
>
>-----Original Message-----
>From: xmail-boun...@xmailserver.org
>[mailto:xmail-boun...@xmailserver.org]
>On Behalf Of Rob Arends
>Sent: Thursday, January 20, 2011 12:28 AM
>To: 'XMail Users Mailing List'
>Subject: Re: [xmail] Knowing who is failing Auth Logins
>
>Hi Francis,
>
>Yes I was afraid of that.
>I was hoping that someone had extended the source so that the log file
>reported the attempted username.
>
>Rob :-)
>
>-----Original Message-----
>From: xmail-boun...@xmailserver.org
>[mailto:xmail-boun...@xmailserver.org]
>On Behalf Of fcxm...@aquinet.net
>Sent: Wednesday, January 19, 2011 6:33 PM
>To: 'XMail Users Mailing List'
>Subject: Re: [xmail] Knowing who is failing Auth Logins
>
>
>Hello Rob
>
>Nothing to do in xmail to get more information, except to run it in debug
>mode, perhaps
>
>Why not try to schedule a tcpdump on smtp port 25 for the time period you
>want (5mn before xx:00 up to 5mn after xx:00 for some days) ?
>Then you could find more information in the tcp dump (like auth attempt and
>values, or exact smtp commands sent)
>
>Francis
>
>
>
>-----Original Message-----
>From: xmail-boun...@xmailserver.org
>[mailto:xmail-boun...@xmailserver.org] On Behalf Of Rob Arends
>Sent: Tuesday, January 18, 2011 14:43
>To: xmail@xmailserver.org
>Subject: [xmail] Knowing who is failing Auth Logins
>
>
>Hello,
>
>I'm running xmail 1.27 on RHEL5.5
>
>The SMTP logs are showing a single AUTH=EFAIL:TYPE=LOGIN every hour at xx:00
>hours.
>It is coming from the same PC I believe, although IP changes, the ISP and
>area indicated by the rDNS suggests it is the same PC.
>Most mail clients attempt POP3 more than once an hour, so I'm suspicious.
>
>The logs don't indicate the username in the login attempt.
>
>Is there any way to report on the username that is being used in the
>attempt.
>If nothing else I can contact the user.
>However if it is a low speed dictionary attack, I'd like to be able to
>identify that and take some action.
>
>Any ideas?
>
>Rob  :-)
>
>_______________________________________________
>xmail mailing list
>xmail@xmailserver.org
>http://xmailserver.org/mailman/listinfo/xmail
>

_______________________________________________
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail
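
Added example, not part of the original thread and not XMail code: a short Python script that pulls the attempted username out of an AUTH PLAIN or AUTH LOGIN exchange, as described in the top message, so a failing login can be attributed. It assumes the session text was copied out of the capture as lines prefixed `C: ` or `S: `; the function names and the sample session (host names, users, reply text) are constructed for illustration.

```python
import base64

def b64_text(blob):
    """Decode one Base64 token; None if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None

def username(method, blobs):
    """Username from the first client blob of a PLAIN or LOGIN attempt."""
    first = b64_text(blobs[0]) if blobs else None
    if first is None or method not in ("PLAIN", "LOGIN"):
        return None  # other mechanisms are not decoded by this example
    if method == "PLAIN":  # authzid NUL authcid NUL password
        parts = first.split("\0")
        return parts[1] if len(parts) == 3 else None
    return first  # LOGIN: first blob is the username, second the password

def attempted_usernames(session):
    """Return (method, username, final server reply code) per AUTH attempt."""
    results, method, blobs = [], None, []
    for line in session:
        side, _, text = line.partition(": ")
        words = text.split()
        if not words:
            continue
        if side == "C" and words[0].upper() == "AUTH" and len(words) >= 2:
            # An initial response may follow the mechanism on the same line.
            method, blobs = words[1].upper(), words[2:3]
        elif side == "C" and method:
            blobs.append(words[0])
        elif side == "S" and method and not text.startswith("334"):
            # Anything other than a 334 prompt ends the attempt.
            results.append((method, username(method, blobs), words[0]))
            method, blobs = None, []
    return results

# Constructed sample session: two failed logins, users "bob" and "alice".
SAMPLE = [
    "S: 220 mail.example.test ESMTP", "C: EHLO client.example.test",
    "S: 250 AUTH LOGIN PLAIN CRAM-MD5",
    "C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6", "C: Ym9i",
    "S: 334 UGFzc3dvcmQ6", "C: d3Jvbmc=", "S: 535 authentication failed",
    "C: AUTH PLAIN AGFsaWNlAHdyb25n", "S: 535 authentication failed",
]

if __name__ == "__main__":
    for attempt in attempted_usernames(SAMPLE):
        print(attempt)
```

The password blob is deliberately never decoded, since the username and the server's reply code are enough to identify who is failing.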
