Phil (Medway Hosting) wrote:
> Hi All
>
> I am getting a lot of entries like these in my logs over the last few days:
>
> 2007-09-23 05:00:08 fixed_login authenticator failed for (windows)
> [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data
> (set_id=maxwell)
[snip]
> 2007-09-23 05:00:16 fixed_login authenticator failed for (windows)
> [64.62.22.218]:8634 I=[84.40.17.12]:25: 535 Incorrect authentication data
> (set_id=stephani)
>
> Am I right in thinking this is a spam dictionary attack from "cr4p sp4mm3r
> s0ftw4re" or hack attempts to send via my server? I tried searching for
> info, and plenty of examples but no explanations!
>
I've had a few of these too. I believe it's just a bot attempting an automated attack, as I've had them try on sequential IP addresses. They are usually also on zen.spamhaus.org. Pretty sure the aim is to find correct login details so they can use your servers to spam the crap out of everyone.

Creating something in the smtp_auth_acl to temporarily firewall these computers is on my TODO list.

On a side note - why are they doing this? I've noticed a significant drop in attempts to send spam directly to my servers from a few spam botnets. Possibly an entire botnet has stopped sending. Conversely, there has been an increase of ISP SMTP relays, webmail services and other indirect spam. Some of the spammers may finally be noticing that you can knock out 99.999999% of spam by simply stopping the easy-to-spot bots. I say some because the ones sending to the spam traps have increased their efforts 10-fold over the past few months.

-- 
The Exim Manual
http://www.exim.org/docs.html
http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
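An added example, not part of either post: one way to pick the pattern described in this thread out of an Exim main log is to group "authenticator failed" lines by source address and flag any source that tries several different set_id values in a short window. The function name, the thresholds and the sample lines are assumptions; the sample lines are constructed in the format quoted above, using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog "authenticator failed" line, in the format quoted in the thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r".*?\[(?P<src>[0-9a-fA-F.:]+)\](?::\d+)?"
    r"(?: I=\[(?P<iface>[0-9a-fA-F.:]+)\]:\d+)?: 535 .*?"
    r"(?:\(set_id=(?P<user>[^)]*)\))?$"
)

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [192.0.2.10]:8204 I=[198.51.100.13]:25: 535 Incorrect authentication data (set_id=maxwell)
2007-09-23 05:00:11 fixed_login authenticator failed for (windows) [192.0.2.10]:8410 I=[198.51.100.12]:25: 535 Incorrect authentication data (set_id=alice)
2007-09-23 05:00:16 fixed_login authenticator failed for (windows) [192.0.2.10]:8634 I=[198.51.100.12]:25: 535 Incorrect authentication data (set_id=stephani)
2007-09-23 09:14:02 fixed_login authenticator failed for (laptop) [203.0.113.7]:50122 I=[198.51.100.12]:25: 535 Incorrect authentication data (set_id=phil)
2007-09-23 09:14:30 fixed_login authenticator failed for (laptop) [203.0.113.7]:50130 I=[198.51.100.12]:25: 535 Incorrect authentication data (set_id=phil)
""".splitlines()

def dictionary_sources(lines, min_users=3, window=timedelta(minutes=10)):
    """Return sources that failed AUTH with >= min_users distinct set_ids inside one window."""
    by_src = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            by_src[m["src"]].append((ts, m["iface"], m["user"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            recent = events[start:end + 1]
            users = {u for _, _, u in recent if u}
            if len(users) >= min_users:
                flagged[src] = {"users": sorted(users),
                                "interfaces": sorted({i for _, i, _ in recent if i})}
                break
    return flagged

if __name__ == "__main__":
    print(dictionary_sources(SAMPLE_LOG))
```

A single user repeatedly mistyping one password (the 203.0.113.7 lines) is not flagged, because only the number of distinct usernames counts.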
