Hi Dave,

Thank you so much for all of your help!

Just for clarification, our vpopmail logs do NOT have the http:// stuff which I'm seeing being added in your reply.

It seems that the OSSEC decoder might need a new rule or updating to catch pop3 brute force attacks where the attacker doesn't send a domain name (ie user@:69.3.64.3 ... rather than [EMAIL PROTECTED]: 69.3.64.3).

Daniel, can the decoder vpopmail rules be edited to catch something like the following:

user@:x.x.x.x
[EMAIL PROTECTED]:x.x.x.x

I think this is achievable if the regex is changed to:

(\S+)@\S*:(\d+.\d+.\d+.\d+)$

What do u think? Can anyone else see a problem with this?

So, the decoder rule would be as follows:

<decoder name="vpopmail-notfound">
  <parent>vpopmail</parent>
  <prematch>^vchkpw-pop3: vpopmail user not </prematch>
  <regex offset="after_prematch">^found (\S+)@\S*:(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

And lastly, how can I add custom decoder rules that would survive OSSEC updates?

thx,

SW

Dave Lowe wrote:
> Hi Steve
>
> Sorry, I was wrong. I can't get the brute force rule (RuleID 9952) to fire.
> I have tried and tried again. No luck.
> I threw 20-30 of the rule 9902 which alerted fine, but didn't trigger
> rule 9952.
>
> Then I took a look at the decoder and the rule.
> The problem is the <same_source_ip /> check.
>
> It appears your logs do not have a source IP.
> Here's the example log submitted that the decoder was written for:
>
> vpopmail[2100]: vchkpw-pop3: vpopmail user not found [EMAIL PROTECTED]:x.x.x.x
>
> And here is an entry from yours:
> Aug 12 11:53:05 mail vpopmail[4416]: vchkpw-pop3: vpopmail user not found alan@: 69.3.64.3 <http://69.3.64.3/> <http://69.3.64.3 <http://69.3.64.3/>>
>
> So, as you can see, OSSEC is unable to tell from your vpopmail log what
> the source IP address is.
>
> Where do we go from here?
> Well, vpopmail versions. Are you running the latest? If so, we can
> update the decoder for vpopmail to match your log format.
>
> In the meantime, you could try to remove the <same_source_ip /> line
> from the 5592 rule.
>
> Daniel, do you have any suggestions?
>
> Gotta run, sorry I couldn't be of more help
>
> Dave Lowe
>
> On 8/15/07, *Steve West* <[EMAIL PROTECTED]> wrote:
>
> Hi Dave,
>
> Thanks for the reply! I've looked in the /var/ossec/etc/ossec.conf and I
> do have the following entry:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/maillog</location>
> </localfile>
>
> OSSEC is definitely reading the maillog file as I get other notices sent
> to me via email, such as this email this morning:
>
> Received From: (Mail_Server77) xxx.xxx.xxx.10->/var/log/maillog
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
>
> The unfortunate thing is I get lots of emails about things that are less
> significant but the important stuff like brute force attacks I never get
> and I'm at a loss as to why. :-(
>
> Has anyone else ever seen something similar to this? Might OSSEC not be
> reading the log file fully or skipping parts of the log entirely?
>
> thx,
>
> SW
>
> Dave Lowe wrote:
> > Hi Steve,
> >
> > Can you please check to make sure that the maillog file is being
> > monitored on the agent?
> > The following should be in the /var/ossec/etc/ossec.conf on the agent:
> > <localfile>
> >   <log_format>vpopmail</log_format>
> >   <location>/var/log/maillog</location>
> > </localfile>
> >
> > I just tested this out with your log sample, and it worked well.
> >
> > Thanks
> >
> > Dave Lowe
> >
> > On 8/14/07, *Steve West* <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
> > I'm trying to figure out why the OSSEC Rule ID 9952 didn't fire even
> > though I'm seeing a number of email harvesters scanning our mail
> > servers?
> >
> > I've checked the OSSEC vpopmail rule file which contains the following
> > rules:
> >
> > <rule id="9902" level="5">
> >   <if_sid>9900</if_sid>
> >   <match>vchkpw-pop3: vpopmail user not found </match>
> >   <group>invalid_login,</group>
> >   <description>Attempt to login with invalid username.</description>
> > </rule>
> >
> > <rule id="9952" level="10" frequency="8" timeframe="240">
> >   <if_matched_sid>9902</if_matched_sid>
> >   <same_source_ip />
> >   <description>POP3 brute force (email harvesting).</description>
> >   <group>authentication_failures,</group>
> > </rule>
> >
> > And the /var/log/maillog contains the following entries:
> >
> > # grep "69\.3\.64\.3" /var/log/maillog.1
> >
> > [EMAIL PROTECTED] ~]# grep "69\.3\.64\.3" -c /var/log/maillog.1
> > 103
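
The proposed decoder regex checked against both address forms, followed by a simplified per-source count standing in for rule 9952's frequency/timeframe/same_source_ip correlation. This is an added example, not code from the thread or from OSSEC; the translation of the OSSEC pattern to Python `re`, the helper names and the constructed sample lines (documentation address 192.0.2.10) are assumptions.

```python
import re
from collections import defaultdict, deque

# The proposed decoder, translated to Python's `re`. Assumption: a bare "."
# in the OSSEC pattern is a literal dot, so it is written "\." here.
PREMATCH = re.compile(r"^vchkpw-pop3: vpopmail user not ")
NOTFOUND = re.compile(r"^found (\S+)@\S*:(\d+\.\d+\.\d+\.\d+)$")


def sample(user_part, second, tail=""):
    """Build a constructed maillog line; 192.0.2.10 is a documentation IP."""
    return (f"Aug 12 11:52:{second:02d} mail vpopmail[4000]: "
            f"vchkpw-pop3: vpopmail user not found {user_part}192.0.2.10{tail}")


def decode(line):
    """Return (user, srcip) as in <order>user, srcip</order>, else None."""
    message = line.split("]: ", 1)[-1]  # drop the syslog header
    pre = PREMATCH.match(message)
    if pre is None:
        return None
    # offset="after_prematch": the regex only sees what follows the prematch.
    found = NOTFOUND.match(message[pre.end():])
    return (found.group(1), found.group(2)) if found else None


def brute_force_sources(lines, frequency=8, timeframe=240):
    """Simplified stand-in for rule 9952 (not OSSEC's engine): flag a source
    once `frequency` decoded failures fall within `timeframe` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue  # no srcip extracted, so nothing to correlate on
        hours, minutes, seconds = map(int, line.split()[2].split(":"))
        now = hours * 3600 + minutes * 60 + seconds  # same-day logs assumed
        window = recent[decoded[1]]
        window.append(now)
        while now - window[0] > timeframe:
            window.popleft()
        if len(window) >= frequency:
            flagged.add(decoded[1])
    return flagged


if __name__ == "__main__":
    for text in ("alan@:", "alan@example.com:", "alan@: "):
        print(repr(text), "->", decode(sample(text, 5)))
    print(decode(sample("alan@:", 5, " <http://192.0.2.10/>")))
    print(brute_force_sources(sample(f"user{i}@:", i) for i in range(8)))
```

Lines with a space after the colon, or with anything after the address, do not decode under this pattern, so they contribute no srcip to the count.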
