Hi Francis, I have solved this, and then read your mail below. I basically did what you wrote.
Wireshark did not decode for me, but I found that each attempt was the same user/password. I just used the text shown in Wireshark and pasted into some online base64 en/decoder. As they were all the same encoded text, I began to suspect a user and not an attack. Here's the egg.... It was my father's ADSL router attempting to send it's log to me. The same one I configured a couple of months ago to send me the log, so I could use the src IP in a poor man's dynamic-dns resolver. Except I typo'd the SMTP auth user name. :-( The key to it was that he usually leaves his PC on, and I was suspecting an infection of some kind, but today he is away and turned it off. So it started me thinking, if his PC is off, what could be sending from his IP address -> the router !!! Thanks to all. (Still would be nice if the pop3/smtp logs showed the user-id used in a failed login attempt. It would help tracking the source down.) Rob :-) -----Original Message----- From: xmail-boun...@xmailserver.org [mailto:xmail-boun...@xmailserver.org] On Behalf Of fcxm...@aquinet.net Sent: Thursday, January 20, 2011 4:28 AM To: 'XMail Users Mailing List' Subject: Re: [xmail] Knowing who is failing Auth Logins Rob, I don't know if wireshark can decode, but depending of the LOGIN method attempted : AUTH PLAIN method In this case the login and password are just "encoded" (not encrypted) in Base64 in the next client packet after the server 334 response AUTH LOGIN method Again login and password ar just "encoded" in Base64 but send in two sequences (first 334 server, then client send login, then server send 334 then client send passord) In these to cases I think you could easily find on the net a Base64 'decoder' (probably a web page with a javascipt form doing the decode) :) if AUTH CRAM-MD5, it is more complicated, because it use a 'challenge' (encoded in base64), then MD5 encryption with the password as the key on the challenge More explanations here for these AUTH methods :http://www.samlogic.net/articles/smtp-commands-reference-auth.htm Expecting the 'client' use PLAIN or LOGIN to help you quickly :) Regards Francis >-----Message d'origine----- >De : xmail-boun...@xmailserver.org >[mailto:xmail-boun...@xmailserver.org]De la part de Rob Arends >Envoye : mercredi 19 janvier 2011 15:13 >A : 'XMail Users Mailing List' >Objet : Re: [xmail] Knowing who is failing Auth Logins > > >Hi Francis, > >I had a look at the tcpdump, and I can see the LOGIN command, >but the data >is encoded. > >Is there an algorithm that will decode it? Obviously there is >one IN xmail, >but I'm no C programmer to knock something up !! > >I've got tcpdump saving to a cap file, then I'll install >wireshark and view >it a little easier - perhaps Wireshark will decode it for my viewing? > >Rob :-) > >-----Original Message----- >From: xmail-boun...@xmailserver.org >[mailto:xmail-boun...@xmailserver.org] >On Behalf Of Rob Arends >Sent: Thursday, January 20, 2011 12:28 AM >To: 'XMail Users Mailing List' >Subject: Re: [xmail] Knowing who is failing Auth Logins > >Hi Francis, > >Yes I was afraid of that. >I was hoping that someone had extended the source so that the log file >reported the attempted username. > >Rob :-) > >-----Original Message----- >From: xmail-boun...@xmailserver.org >[mailto:xmail-boun...@xmailserver.org] >On Behalf Of fcxm...@aquinet.net >Sent: Wednesday, January 19, 2011 6:33 PM >To: 'XMail Users Mailing List' >Subject: Re: [xmail] Knowing who is failing Auth Logins > > >Hello Rob > >Nothing to do in xmail to get more information, except to run >it in debug >mode, perhabs > >Why not trying to schedule a tcpdump on smtp port 25 for the >time period you >want (5mn before xx:00 up to 5mn after xx:00 for some days) ? >Then you could find more information in the tcp dump (like >auth attempt and >values, or exact smtp commands send) > >Francis > > > >-----Message d'origine----- >De : xmail-boun...@xmailserver.org >[mailto:xmail-boun...@xmailserver.org]De >la part de Rob Arends > >Envoye : mardi 18 janvier 2011 14:43 >A : xmail@xmailserver.org >Objet : [xmail] Knowing who is failing Auth Logins > > >Hello, > >I'm running xmail 1.27 on RHEL5.5 > >The SMTP logs are showing a single AUTH=EFAIL:TYPE=LOGIN every >hour at xx:00 >hours. >It is coming from the same PC I believe, although IP changes, >the ISP and >area indicated by the rDNS suggests it is the same PC. >Most mail clients attempt POP3 more than once an hour, so I'm >suspicious. > >The logs don't indicate the username in the login attempt. > >Is there any way to report on the username that is being used in the >attempt. >If nothing else I can contact the user. >However if it is a low speed dictionary attack, I'd like to be able to >identify that and take some action. > >Any ideas? > >Rob :-) > >_______________________________________________ >xmail mailing list >xmail@xmailserver.org >http://xmailserver.org/mailman/listinfo/xmail > >_______________________________________________ >xmail mailing list >xmail@xmailserver.org >http://xmailserver.org/mailman/listinfo/xmail > >_______________________________________________ >xmail mailing list >xmail@xmailserver.org >http://xmailserver.org/mailman/listinfo/xmail _______________________________________________ xmail mailing list xmail@xmailserver.org http://xmailserver.org/mailman/listinfo/xmail _______________________________________________ xmail mailing list xmail@xmailserver.org http://xmailserver.org/mailman/listinfo/xmail
