Hi,

welcome to the world of mail! Yes, these are AUTH LOGIN attacks.
We have a lot of them in our production environment....

These attacks are really silly attacks, cause they just want to guess user and 
password.
Because there are no "standard users" with "standard passwords" in James, this 
is not very effective.
The attacks could be ignored, if you have strong passwords.

But I personally don't like them, and so I just block them. ;-)
We block any IP address for 7 days (604800 seconds), if they make a failed 
AUTH LOGIN attempt more than 1 time.
Maybe 7 days is a little bit strict, but, ok, we do not have mailboxes, and we 
do not have AUTH LOGIN.

For that we use "fail2ban", running on Linux.
Fail2ban just scans logfiles, and blocks any IP address (using iptables) 
completely if an attempt occurred more than x times.

We did a very short extension to James2 (cause James2 did not log the IP on an 
AUTH LOGIN).
The code is currently not on github, sorry, just did not have time to push it 
there.
But James3 does offer the IP address, so Fail2ban could be used without changing 
the AUTH handler.

I wrote some documentation, please see:
http://wiki.intarsys.de/confluence/display/SMG/Firewall
(Sorry, most pages there are in German language, but this single description is 
in English. Now.)
This is not an advertisement. It is just documented there.

You need to change the regex for James3, just work to do.
Just to think about.

Best regards
Bernd Waibel
-----Original Message-----
From: li hai ming [mailto:haiming...@outlook.com] 
Sent: Wednesday, 21 September 2016 08:06
To: 'James Users List' <server-user@james.apache.org>
Subject: strange AUTH LOGIN attempts

Hi,

We now have v3-beta4 up and running.


However from james-server.log, we found there are a lot of unexpected AUTH 
LOGIN attempts from various strange sources.



Are those the attacks?



suggestion?


##

INFO  00:06:22,975 | james.smtpserver | Id='2098591536' User='' Connection 
established from 187.252.93.3

INFO  00:06:26,133 | james.smtpserver | Id='2098591536' User='' Connection 
closed for 187.252.93.3

INFO  00:15:33,880 | james.smtpserver | Id='509431079' User='' Connection 
established from 61.178.63.245

ERROR 00:15:34,296 | james.smtpserver | Id='509431079' User='' AUTH method 
LOGIN failed from cyrus@61.178.63.245

INFO  00:15:34,386 | james.smtpserver | Id='509431079' User='' Connection 
closed for 61.178.63.245

INFO  00:21:14,836 | james.pop3server | Id='49137796' User='' Connection 
established from 80.82.64.102

INFO  00:21:16,996 | james.pop3server | Id='49137796' 
User='i...@sinceritylife.com' Connection closed for 80.82.64.102

INFO  00:23:54,475 | james.pop3server | Id='918936989' User='' Connection 
established from 103.7.29.243

INFO  00:23:54,484 | james.pop3server | Id='918936989' User='' Connection 
closed for 103.7.29.243

INFO  00:29:19,918 | james.smtpserver | Id='413543743' User='' Connection 
established from 104.46.59.55

ERROR 00:29:21,673 | james.smtpserver | Id='413543743' User='' AUTH method 
LOGIN failed from postmaster@104.46.59.55

INFO  00:29:22,108 | james.smtpserver | Id='413543743' User='' Connection 
closed for 104.46.59.55

INFO  00:30:31,950 | james.smtpserver | Id='716855054' User='' Connection 
established from 189.209.180.242

ERROR 00:30:34,510 | james.smtpserver | Id='716855054' User='' AUTH method 
LOGIN failed from test@189.209.180.242

INFO  00:30:34,902 | james.smtpserver | Id='716855054' User='' Connection 
closed for 189.209.180.242

INFO  00:31:35,160 | james.smtpserver | Id='610922472' User='' Connection 
established from 201.229.95.217

INFO  00:31:40,163 | james.smtpserver | Id='610922472' User='' Connection 
closed for 201.229.95.217

INFO  00:32:41,364 | james.smtpserver | Id='1318912965' User='' Connection 
established from 61.178.63.245

ERROR 00:32:41,763 | james.smtpserver | Id='1318912965' User='' AUTH method 
LOGIN failed from scanner@61.178.63.245

INFO  00:32:41,865 | james.smtpserver | Id='1318912965' User='' Connection 
closed for 61.178.63.245

INFO  00:34:57,947 | james.smtpserver | Id='270448469' User='' Connection 
established from 190.5.243.186

ERROR 00:34:59,908 | james.smtpserver | Id='270448469' User='' AUTH method 
LOGIN failed from aa@190.5.243.186

INFO  00:35:00,429 | james.smtpserver | Id='270448469' User='' Connection 
closed for 190.5.243.186

INFO  00:36:05,353 | james.smtpserver | Id='452588681' User='' Connection 
established from 118.71.251.67

ERROR 00:36:05,792 | james.smtpserver | Id='452588681' User='' AUTH method 
LOGIN failed from test1@118.71.251.67

INFO  00:36:05,899 | james.smtpserver | Id='452588681' User='' Connection 
closed for 118.71.251.67

INFO  00:37:12,101 | james.smtpserver | Id='1188738536' User='' Connection 
established from 146.164.144.232

ERROR 00:37:17,645 | james.smtpserver | Id='1188738536' User='' AUTH method 
LOGIN failed from reception@146.164.144.232

INFO  00:37:18,952 | james.smtpserver | Id='1188738536' User='' Connection 
closed for 146.164.144.232

INFO  00:38:21,867 | james.smtpserver | Id='464398686' User='' Connection 
established from 187.51.48.114

ERROR 00:38:23,612 | james.smtpserver | Id='464398686' User='' AUTH method 
LOGIN failed from backup@187.51.48.114

INFO  00:38:24,046 | james.smtpserver | Id='464398686' User='' Connection 
closed for 187.51.48.114

INFO  00:39:35,275 | james.smtpserver | Id='1748387045' User='' Connection 
established from 187.51.48.114

ERROR 00:39:37,443 | james.smtpserver | Id='1748387045' User='' AUTH method 
LOGIN failed from user@187.51.48.114

##
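
As an added example (not part of the original thread, and not James or fail2ban code), the following Python sketch shows the kind of regex and threshold logic the reply describes, applied to log lines in the James 3 format quoted above. The one-hour counting window, the function name `find_bans` and the sample lines are assumptions made for illustration; the threshold and ban time are the values given in the reply.

```python
import re
from collections import defaultdict, deque

# Matches the James 3 failure line shown in the quoted log and captures the
# time of day and the source IPv4 address after the '@'.
FAILED_AUTH = re.compile(
    r"^ERROR\s+(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}),\d{3} \| "
    r"james\.smtpserver \| Id='\d+' User='[^']*' "
    r"AUTH method LOGIN failed from [^@\s]*@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

MAX_FAILURES = 1      # from the reply: ban on more than 1 failed attempt
BAN_SECONDS = 604800  # from the reply: 7 days
FIND_WINDOW = 3600    # assumption: failures are counted within one hour


def find_bans(lines, max_failures=MAX_FAILURES, window=FIND_WINDOW):
    """Return {ip: second-of-day at which the ban would start}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILED_AUTH.match(line.strip())
        if not m or m["ip"] in bans:
            continue  # not a failed AUTH LOGIN line, or address already banned
        now = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        times = recent[m["ip"]]
        times.append(now)
        while times and now - times[0] > window:
            times.popleft()  # forget failures older than the window
        if len(times) > max_failures:
            bans[m["ip"]] = now
    return bans


# Constructed sample in the quoted format (documentation-range addresses).
SAMPLE_LOG = """\
INFO  00:15:33,880 | james.smtpserver | Id='1001' User='' Connection established from 203.0.113.10
ERROR 00:15:34,296 | james.smtpserver | Id='1001' User='' AUTH method LOGIN failed from cyrus@203.0.113.10
ERROR 00:29:21,673 | james.smtpserver | Id='1002' User='' AUTH method LOGIN failed from postmaster@198.51.100.7
ERROR 00:32:41,763 | james.smtpserver | Id='1003' User='' AUTH method LOGIN failed from scanner@203.0.113.10
ERROR 02:40:00,000 | james.smtpserver | Id='1004' User='' AUTH method LOGIN failed from test@198.51.100.7
INFO  02:41:00,000 | james.smtpserver | Id='1005' User='bob' Connection closed for 192.0.2.55
""".splitlines()

if __name__ == "__main__":
    for ip, start in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from t={start}s for {BAN_SECONDS}s")
```

The quoted log format carries a time of day but no date, so this example assumes all lines come from the same day.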

