snork.ca ... making kittens cry since 2001

IMAP Hacking Losers 2017-03-12


Having recently moved my mail and web services back to a machine that is completely under my control, I have been monitoring my logs a little closer than usual. One of the things I have noticed, is that there's the occasional attempt to hack passwords via IMAP login. Fortunately, they're getting nowhere with it. Here's what I see when I tail my logs:

==> /var/log/dovecot.log <==
Mar 12 14:38:41 auth: Info: passwd-file(snorkd@snork.ca,210.56.23.100,<ppVA54xK7gDSOBdk>): Password mismatch

==> /var/log/fail2ban.log <==
2017-03-12 14:38:42,376 fail2ban.actions[540]: WARNING [fu_dovecot_password] Ban 210.56.23.100

==> /var/log/mail.log <==
Mar 12 14:38:42 mail postfix/pickup[6803]: 8286E161167: uid=0 from=<root>
Mar 12 14:38:42 mail postfix/cleanup[6887]: 8286E161167: message-id=<20170312183842.8286E161167@mail.snork.ca>
Mar 12 14:38:42 mail opendkim[495]: 8286E161167: no signing table match for 'root@mail.snork.ca'
Mar 12 14:38:42 mail opendkim[495]: 8286E161167: no signature data
Mar 12 14:38:42 mail postfix/qmgr[4635]: 8286E161167: from=<root@mail.snork.ca>, size=457, nrcpt=1 (queue active)
Mar 12 14:38:42 mail postfix/virtual[6890]: 8286E161167: to=<snorkd@snork.ca>, orig_to=<snorkd@snork.ca>, relay=virtual, delay=0.18, delays=0.13/0.05/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Mar 12 14:38:42 mail postfix/qmgr[4635]: 8286E161167: removed

==> /var/log/dovecot.log <==
Mar 12 14:39:12 auth: Info: passwd-file(snorkd,212.3.183.83,<43Ud6YxKvADUA7dT>): unknown user

==> /var/log/fail2ban.log <==
2017-03-12 14:39:13,551 fail2ban.actions[540]: WARNING [fu_dovecot_password] Ban 212.3.183.83

==> /var/log/mail.log <==
Mar 12 14:39:13 mail postfix/pickup[6803]: 9F9D416037F: uid=0 from=<root>
Mar 12 14:39:13 mail postfix/cleanup[6887]: 9F9D416037F: message-id=<20170312183913.9F9D416037F@mail.snork.ca>
Mar 12 14:39:13 mail opendkim[495]: 9F9D416037F: no signing table match for 'root@mail.snork.ca'
Mar 12 14:39:13 mail opendkim[495]: 9F9D416037F: no signature data
Mar 12 14:39:13 mail postfix/qmgr[4635]: 9F9D416037F: from=<root@mail.snork.ca>, size=455, nrcpt=1 (queue active)
Mar 12 14:39:13 mail postfix/virtual[6890]: 9F9D416037F: to=<snorkd@snork.ca>, orig_to=<snorkd@snork.ca>, relay=virtual, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Mar 12 14:39:13 mail postfix/qmgr[4635]: 9F9D416037F: removed

[Photo: The swamp where I walk my dog.]

In short, what you see above is two attempts, about half a minute apart, from different computers, to hack an account on my mail server. 210.56.23.100 belongs to an Internet provider in Pakistan and 212.3.183.83 belongs to an ISP in Italy. My assumption would be that they are virus-infected computers owned by unknowing people. But wait, there's more. The fail2ban lines show that as soon as the log entries appear, a firewall rule is created that blocks that IP address from further attempts (for one hour). Then, my server emails me to tell me that the password failure happened and the IP was added to the block list. Basically, further attempts are shut down within seconds. Sorry losers.

Greetings Earthling,

210.56.23.100 triggered fu_dovecot_password.

Regards,
The Management
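To make the detection concrete, here is an added example (my own code, not the author's actual fail2ban configuration) that replays Dovecot auth lines like those above through the same logic: a filter regex that matches both failure variants (in a real fail2ban filter.d file the host group is written as `<HOST>`), a per-host maxretry/findtime/bantime jail with the ban-on-first-miss behaviour seen in the logs, and the notification mail. The successful-login line, the repeat attempt from an already-banned host and the address 203.0.113.7 are constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot auth failure lines as they appear in the post; both variants count.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) auth: Info: "
    r"passwd-file\((?P<user>[^,]*),(?P<host>\d{1,3}(?:\.\d{1,3}){3}),<[^>]*>\): "
    r"(?P<reason>Password mismatch|unknown user)$"
)

def parse_failure(line, year=2017):
    # Syslog timestamps carry no year, so the caller supplies it.
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "host": m["host"], "reason": m["reason"]}

def find_bans(lines, maxretry=1, findtime=600, bantime=3600, year=2017):
    # Replay the log: maxretry failures from one host inside findtime seconds
    # ban it for bantime seconds. maxretry=1 is the post's ban-on-first-miss.
    recent = defaultdict(list)   # host -> timestamps of not-yet-banned failures
    banned_until, bans = {}, []
    for line in lines:
        ev = parse_failure(line, year)
        if ev is None:
            continue
        host, ts = ev["host"], ev["ts"]
        if ts < banned_until.get(host, datetime.min):
            continue  # firewall already drops this host; nothing new to do
        recent[host] = [t for t in recent[host] + [ts]
                        if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            recent[host] = []
    return bans

def notification(host, jail="fu_dovecot_password"):
    # The short mail the post shows, sent whenever a ban fires.
    return f"Greetings Earthling,\n\n{host} triggered {jail}.\n\nRegards,\nThe Management\n"

# Constructed sample: the post's two real lines, a successful login (no match) and a repeat from a banned host (ignored).
SAMPLE_LOG = [
    "Mar 12 14:38:41 auth: Info: passwd-file(snorkd@snork.ca,210.56.23.100,<ppVA54xK7gDSOBdk>): Password mismatch",
    "Mar 12 14:38:50 imap-login: Info: Login: user=<snorkd@snork.ca>, method=PLAIN, rip=203.0.113.7",
    "Mar 12 14:39:12 auth: Info: passwd-file(snorkd,212.3.183.83,<43Ud6YxKvADUA7dT>): unknown user",
    "Mar 12 14:45:00 auth: Info: passwd-file(snorkd,210.56.23.100,<aaaabbbbccccdddd>): unknown user",
]
```

Running find_bans(SAMPLE_LOG) yields one-hour bans for 210.56.23.100 at 14:38:41 and 212.3.183.83 at 14:39:12, and the 14:45:00 repeat is ignored because that host is already blocked.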

I may ask the other people I host email for if they mind me blocking all attempts to log in from any country other than Canada. As long as they are not expecting to be out of the country and accessing their mail it shouldn't be a big deal. I guess I'll just watch and see how annoying it gets.
