Re: [xmail] Knowing who is failing Auth Logins

2011-01-24 Thread Davide Libenzi
On Wed, 19 Jan 2011, Rob Arends wrote:

 Hello,

 I’m running xmail 1.27 on RHEL5.5

 The SMTP logs are showing a single AUTH=EFAIL:TYPE=LOGIN every hour at xx:00 hours.

 It is coming from the same PC I believe, although IP changes, the ISP and area indicated by the rDNS suggests it is the same PC.

 Most mail clients attempt POP3 more than once an hour, so I’m suspicious.

 The logs don’t indicate the username in the login attempt.

 Is there any way to report on the username that is being used in the attempt?

 If nothing else I can contact the user.

 However if it is a low speed dictionary attack, I’d like to be able to identify that and take some action.

Yeah, I can see that as being useful. Will add to my queue.

- Davide

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


Re: [xmail] Knowing who is failing Auth Logins

2011-01-20 Thread fcxmail

Yes, would be a good debug option to have them (user login and name
received) written on smtp log on failed attempts.
(Don't remember if in pop logs any message for failed attempts with user/pass
used ... just remember a pop log setting to not write passwords on normally
'success' attempts)



Re: [xmail] Knowing who is failing Auth Logins

2011-01-19 Thread Rob Arends
Hi Francis,

Yes I was afraid of that.
I was hoping that someone had extended the source so that the log file
reported the attempted username.

Rob :-)



Re: [xmail] Knowing who is failing Auth Logins

2011-01-19 Thread Rob Arends
Hi Francis,

I had a look at the tcpdump, and I can see the LOGIN command, but the data
is encoded.

Is there an algorithm that will decode it? Obviously there is one IN xmail,
but I'm no C programmer to knock something up!!

I've got tcpdump saving to a cap file, then I'll install wireshark and view
it a little easier - perhaps Wireshark will decode it for my viewing?

Rob :-)



Re: [xmail] Knowing who is failing Auth Logins

2011-01-19 Thread fcxmail

Rob, I don't know if wireshark can decode, but depending on the LOGIN method
attempted:

AUTH PLAIN method
In this case the login and password are just encoded (not encrypted) in
Base64 in the next client packet after the server 334 response.

AUTH LOGIN method
Again login and password are just encoded in Base64 but sent in two
sequences (first 334 server, then client sends login, then server sends 334,
then client sends password).

In these two cases I think you could easily find on the net a Base64
'decoder' (probably a web page with a javascript form doing the decode) :)

If AUTH CRAM-MD5, it is more complicated, because it uses a 'challenge'
(encoded in base64), then MD5 encryption with the password as the key on the
challenge.

More explanations here for these AUTH methods:
http://www.samlogic.net/articles/smtp-commands-reference-auth.htm

Expecting the 'client' uses PLAIN or LOGIN to help you quickly :)

Regards
Francis


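A small decoder for the two cases Francis describes above, plus CRAM-MD5 (where the user name is sent in the clear ahead of the digest), added here as an example that is not from the thread or from xmail: it walks a captured SMTP session, recovers only the user name and whether the server rejected the attempt, and tallies repeats so an admin can tell one misconfigured client from guessing. The transcripts, names and credentials are constructed placeholders.

```python
import base64
from collections import Counter

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed transcripts ("C:" client, "S:" server); all credentials are invented.
SESSIONS = {
    "plain_inline": ["C: AUTH PLAIN " + _b64("\0alice\0wrongpass"),
                     "S: 535 5.7.8 Authentication credentials invalid"],
    "plain_334": ["C: AUTH PLAIN", "S: 334 ", "C: " + _b64("\0alice\0ok-pass"),
                  "S: 235 2.7.0 Authentication successful"],
    "login": ["C: AUTH LOGIN",
              "S: 334 VXNlcm5hbWU6", "C: " + _b64("rob-typo@example.org"),  # "Username:"
              "S: 334 UGFzc3dvcmQ6", "C: " + _b64("hunter2"),               # "Password:"
              "S: 535 5.7.8 Authentication credentials invalid"],
    "cram_md5": ["C: AUTH CRAM-MD5",
                 "S: 334 " + _b64("<1234.1295000000@mail.example>"),
                 "C: " + _b64("carol 0123456789abcdef0123456789abcdef"),
                 "S: 535 5.7.8 Authentication credentials invalid"],
}

def auth_user(transcript):
    """First AUTH in a session -> {'mech', 'user', 'failed'}; the password is never kept."""
    for i, line in enumerate(transcript):
        if line.startswith("C: AUTH "):
            parts = line[3:].split()
            mech = parts[1].upper()
            client, final = [], ""
            for nxt in transcript[i + 1:]:          # stop at the server's verdict
                if nxt.startswith("C: "):
                    client.append(nxt[3:])
                elif nxt.startswith("S: ") and not nxt.startswith("S: 334"):
                    final = nxt[3:]
                    break
            user = None
            if mech == "PLAIN":      # base64(authzid NUL authcid NUL password)
                blob = parts[2] if len(parts) > 2 else client[0]
                user = base64.b64decode(blob).split(b"\0")[1]
            elif mech == "LOGIN":    # first client line after the first 334
                user = base64.b64decode(client[0])
            elif mech == "CRAM-MD5":  # base64("user " + hex digest): user is in the clear
                user = base64.b64decode(client[0]).split(b" ", 1)[0]
            return {"mech": mech, "failed": not final.startswith("235"),
                    "user": user.decode(errors="replace") if user else None}
    return None

def failed_logins(sessions):
    """Count (mech, user) over rejected attempts: one pair recurring hourly is a misconfigured client."""
    counts = Counter()
    for t in sessions:
        if (r := auth_user(t)) and r["failed"] and r["user"]:
            counts[(r["mech"], r["user"])] += 1
    return counts
```

Feed it the client/server lines of each session exported from Wireshark's "Follow TCP Stream" and the failed user names fall out without ever writing a password to the report.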


Re: [xmail] Knowing who is failing Auth Logins

2011-01-19 Thread Rob Arends
Hi Francis,

I have solved this, and then read your mail below.
I basically did what you wrote.

Wireshark did not decode for me, but I found that each attempt was the same
user/password.
I just used the text shown in Wireshark and pasted into some online base64
en/decoder.

As they were all the same encoded text, I began to suspect a user and not an
attack.

Here's the egg. It was my father's ADSL router attempting to send its
log to me.
The same one I configured a couple of months ago to send me the log, so I
could use the src IP in a poor man's dynamic-dns resolver.

Except I typo'd the SMTP auth user name.  :-(

The key to it was that he usually leaves his PC on, and I was suspecting an
infection of some kind, but today he is away and turned it off.
So it started me thinking, if his PC is off, what could be sending from his
IP address - the router !!!

Thanks to all.

(Still would be nice if the pop3/smtp logs showed the user-id used in a
failed login attempt. It would help tracking the source down.)

Rob :-)



[xmail] Knowing who is failing Auth Logins

2011-01-18 Thread Rob Arends
Hello,

I'm running xmail 1.27 on RHEL5.5

The SMTP logs are showing a single AUTH=EFAIL:TYPE=LOGIN every hour at xx:00
hours.
It is coming from the same PC I believe, although IP changes, the ISP and
area indicated by the rDNS suggests it is the same PC.
Most mail clients attempt POP3 more than once an hour, so I'm suspicious.

The logs don't indicate the username in the login attempt.

Is there any way to report on the username that is being used in the
attempt?
If nothing else I can contact the user.
However if it is a low speed dictionary attack, I'd like to be able to
identify that and take some action.

Any ideas?

Rob  :-)



Re: [xmail] Knowing who is failing Auth Logins

2011-01-18 Thread fcxmail

Hello Rob

Nothing to do in xmail to get more information, except to run it in debug
mode, perhaps.

Why not try to schedule a tcpdump on smtp port 25 for the time period you
want (5 min before xx:00 up to 5 min after xx:00 for some days)?
Then you could find more information in the tcp dump (like auth attempt and
values, or exact smtp commands sent).

Francis


