The Community Forums

Interact with an entire community of cPanel & WHM users!

attempted login with seemingly random characters

Discussion in 'E-mail Discussions' started by keat63, May 8, 2015.

  1. keat63

    keat63 Well-Known Member

    I've seen a lot of these attempted connections overnight, from different IPs and country codes.

    2015-05-07 11:57:15 dovecot_plain authenticator failed for (admin-PC) [182.70.72.144]:26649: 535 Incorrect authentication data (set_id=oqdwf8qujt)

    What I don't understand is the set_id.
    Each attempt has been what appears to be random characters.
    Am I correct in assuming that they are trying to log in to an email account called "oqdwf8qujt"?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Yes, that is correct. It's likely a brute force attempt to find a working email account/password combination.

    Thank you.
     
  3. keat63

    keat63 Well-Known Member

    Just to clarify, would the set_id be an email address or a password hacking attempt?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It's a username/password combination the brute force attack is attempting to guess. The method used can vary (e.g. trying one password with multiple email accounts vs. trying one email account with multiple passwords).

    Thank you.
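An added example, not part of any post in this thread and not cPanel or CSF code: a parser for the Exim failure line quoted above that groups attempts by `set_id`, which is the observable side of the two guessing methods just described (the password itself is never logged). The sample lines are constructed, and the `repeat_min` threshold and pattern labels are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the Exim failed-authentication line format quoted in this thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<auth>\w+) authenticator failed for "
    r"(?:[^\s(\[]\S* )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"535 Incorrect authentication data(?: \(set_id=(?P<set_id>[^)]*)\))?"
)

# Constructed sample lines (documentation IP ranges, made-up logins).
SAMPLE = [
    "2015-05-07 11:57:15 dovecot_plain authenticator failed for (admin-PC) [192.0.2.10]:26649: 535 Incorrect authentication data (set_id=qk3vz81mmp)",
    "2015-05-07 11:58:02 dovecot_plain authenticator failed for (WIN-7) [198.51.100.7]:51022: 535 Incorrect authentication data (set_id=t7hd02lqxa)",
    "2015-05-07 11:59:40 dovecot_login authenticator failed for (pc) [203.0.113.5]:40110: 535 Incorrect authentication data (set_id=zz19fkw0re)",
    "2015-05-07 12:00:00 SMTP connection from [192.0.2.99]:1025 closed by QUIT",
] + [
    f"2015-05-07 12:0{i}:11 dovecot_plain authenticator failed for (host{i}) [203.0.113.{20 + i}]:4000{i}: 535 Incorrect authentication data (set_id=info@example.com)"
    for i in range(1, 6)
]

def parse(line):
    """Return the fields of a failed-auth line as a dict, or None for any other line."""
    m = FAIL_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, repeat_min=5):
    """Group failures by attempted login (set_id) and label the pattern seen.

    repeat_min is an assumed threshold for this example, not a CSF setting.
    """
    attempts = Counter()
    sources = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        login = rec["set_id"] or "<none>"
        attempts[login] += 1
        sources[login].add(rec["ip"])
    report = {}
    for login, n in attempts.items():
        # Many failures for one login: one account, many passwords.
        # A login seen once or twice: likely one guess across many accounts.
        pattern = "repeated-guessing-one-login" if n >= repeat_min else "single-guess"
        report[login] = {"attempts": n, "ips": len(sources[login]), "pattern": pattern}
    return report

if __name__ == "__main__":
    for login, row in sorted(summarize(SAMPLE).items()):
        print(login, row)
```

A login that fails repeatedly from many different source addresses, as `info@example.com` does in the sample, will not be stopped by per-IP blocking alone, so the `ips` count is worth watching alongside `attempts`.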
     
  5. keat63

    keat63 Well-Known Member

    I'm currently set very very strict.
    One failed attempt and they are blocked anyway, so they soon run out of IPs.
    Plus all the email passwords are strong.
     
  6. cre8gr

    cre8gr Member

    I'm getting hundreds of emails from CSF today telling me the same thing:
    2015-05-12 12:10:09 dovecot_plain authenticator failed for (BECOY-PC) [SPAMMER IP]:53606: 535 Incorrect authentication data (set_id=email@mail.domain.com)

    It's from different countries and only on this domain. This domain doesn't have any mail account set up, so he won't log in. But I'm having hundreds upon hundreds of temporary blocks in CSF today... What's going on?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You can modify your CSF alerts for these in this section of CSF:
    Login Failure Blocking and Alerts
     
  8. keat63

    keat63 Well-Known Member

    One day last week I had in excess of 1500 in a 24 hour period.
    I don't know how many exactly, but my whole csf blacklist had been refreshed overnight, so the actual figure could have run into multiple thousands for all I know.
    Again, some of which were trying to log in to accounts that didn't exist.
     