Distributed IPs attack dovecot_login SMTP over large timespan

Operating System & Version
centOS 7.9
cPanel & WHM Version
v110

simz8
Member, Greece
cPanel Access Level: Root Administrator
Hello,
I am facing extensive SMTP auth attacks from a large number of different IPs over a large timespan.

Please take a look at this part of the exim_mainlog, which shows some of the approx. 4000 failed dovecot logins over the last 5 days:


Line 117875: 2023-09-15 06:20:08 dovecot_login authenticator failed for ([111.56.185.86]) [111.56.185.86]:43158: 535 Incorrect authentication data (set_id=exports)
Line 117896: 2023-09-15 06:23:07 dovecot_login authenticator failed for ([121.142.146.167]) [121.142.146.167]:53842: 535 Incorrect authentication data ([email protected])
Line 117903: 2023-09-15 06:23:18 dovecot_login authenticator failed for (59-159-89-200.fibertel.com.ar) [200.89.159.59]:44618: 535 Incorrect authentication data ([email protected])
Line 117907: 2023-09-15 06:23:27 dovecot_login authenticator failed for ([196.203.231.220]) [196.203.231.220]:52656: 535 Incorrect authentication data (set_id=webmaster)
Line 117909: 2023-09-15 06:23:30 dovecot_login authenticator failed for ([117.160.3.137]) [117.160.3.137]:47140: 535 Incorrect authentication data (set_id=accounting)
Line 117938: 2023-09-15 06:34:15 dovecot_login authenticator failed for 110-25-88-184.adsl.fetnet.net [110.25.88.184]:40441: 535 Incorrect authentication data ([email protected])
Line 117942: 2023-09-15 06:34:40 dovecot_login authenticator failed for ([183.63.220.210]) [183.63.220.210]:51116: 535 Incorrect authentication data (set_id=lsimeridis)
Line 117955: 2023-09-15 06:35:19 dovecot_login authenticator failed for ([180.167.3.172]) [180.167.3.172]:33596: 535 Incorrect authentication data ([email protected])
Line 117958: 2023-09-15 06:35:38 dovecot_login authenticator failed for (abts-north-static-123.118.176.122.airtelbroadband.in) [122.176.118.123]:43681: 535 Incorrect authentication data (set_id=accounting)
Line 117983: 2023-09-15 06:38:20 dovecot_login authenticator failed for ([1.22.228.147]) [1.22.228.147]:4247: 535 Incorrect authentication data ([email protected])
Line 117986: 2023-09-15 06:38:43 dovecot_login authenticator failed for (102.156.170.222.broad.sh.hl.dynamic.163data.com.cn) [222.170.156.102]:49304: 535 Incorrect authentication data (set_id=s)
Line 118018: 2023-09-15 06:45:23 dovecot_login authenticator failed for (100.7.61.94.rev.vodafone.pt) [94.61.7.100]:26926: 535 Incorrect authentication data ([email protected])
Line 118022: 2023-09-15 06:45:38 dovecot_login authenticator failed for ([195.239.184.114]) [195.239.184.114]:53284: 535 Incorrect authentication data (set_id=e)
Line 118032: 2023-09-15 06:46:20 dovecot_login authenticator failed for ([112.26.44.68]) [112.26.44.68]:33300: 535 Incorrect authentication data ([email protected])
Line 118038: 2023-09-15 06:46:34 dovecot_login authenticator failed for bl21-160-222.dsl.telepac.pt [2.82.160.222]:54298: 535 Incorrect authentication data (set_id=welcome)
Line 118054: 2023-09-15 06:49:15 dovecot_login authenticator failed for (mail.indebo.in) [122.160.143.110]:55385: 535 Incorrect authentication data ([email protected])
Line 118060: 2023-09-15 06:49:31 dovecot_login authenticator failed for ([116.132.42.170]) [116.132.42.170]:57562: 535 Incorrect authentication data (set_id=welcome)
Line 118087: 2023-09-15 06:52:00 dovecot_login authenticator failed for ([103.146.0.135]) [103.146.0.135]:56872: 535 Incorrect authentication data ([email protected])
Line 118092: 2023-09-15 06:52:16 dovecot_login authenticator failed for (168-194-80-125.celerium.net.br) [168.194.80.125]:4612: 535 Incorrect authentication data (set_id=lsimeridis)
Line 118098: 2023-09-15 06:54:02 dovecot_login authenticator failed for ([103.181.14.250]) [103.181.14.250]:38844: 535 Incorrect authentication data ([email protected])
Line 118101: 2023-09-15 06:54:10 dovecot_login authenticator failed for 107.40.3.213.static.wline.lns.sme.cust.swisscom.ch [213.3.40.107]:43582: 535 Incorrect authentication data ([email protected])
Line 118104: 2023-09-15 06:54:23 dovecot_login authenticator failed for (187-93-74-213.customer.tdatabrasil.net.br) [187.50.67.114]:36717: 535 Incorrect authentication data (set_id=abuse)
Line 118110: 2023-09-15 06:55:16 dovecot_login authenticator failed for ([82.102.157.161]) [82.102.157.161]:37405: 535 Incorrect authentication data ([email protected])
Line 118115: 2023-09-15 06:55:26 dovecot_login authenticator failed for (azteca-comunicaciones.com) [186.179.100.229]:1279: 535 Incorrect authentication data (set_id=randomusername)
Line 118132: 2023-09-15 06:57:22 dovecot_login authenticator failed for (vipturbo.com.br) [191.36.156.53]:42420: 535 Incorrect authentication data ([email protected])
Line 118134: 2023-09-15 06:57:36 dovecot_login authenticator failed for mail.simplexinfra.co.in [115.248.74.208]:40317: 535 Incorrect authentication data (set_id=mailer-daemon)
Line 118159: 2023-09-15 07:01:27 dovecot_login authenticator failed for h-94-254-12-27.a268.priv.bahnhof.se [94.254.12.27]:37264: 535 Incorrect authentication data ([email protected])
Line 118162: 2023-09-15 07:01:42 dovecot_login authenticator failed for ([120.201.248.7]) [120.201.248.6]:2363: 535 Incorrect authentication data (set_id=webmaster)
Line 118167: 2023-09-15 07:02:09 dovecot_login authenticator failed for ([223.84.248.209]) [223.84.248.209]:1430: 535 Incorrect authentication data ([email protected])
Line 118172: 2023-09-15 07:02:25 dovecot_login authenticator failed for ([113.107.244.103]) [14.155.212.100]:34788: 535 Incorrect authentication data (set_id=k.nancy)
Line 118175: 2023-09-15 07:04:43 dovecot_login authenticator failed for (m121-202-193-32.smartone.com) [121.202.193.32]:35514: 535 Incorrect authentication data ([email protected])
Line 118179: 2023-09-15 07:04:54 dovecot_login authenticator failed for ([60.172.54.36]) [60.172.54.36]:47256: 535 Incorrect authentication data (set_id=mailer-daemon)
Line 118193: 2023-09-15 07:06:53 dovecot_login authenticator failed for ([219.159.229.112]) [219.159.229.112]:34905: 535 Incorrect authentication data ([email protected])
Line 118197: 2023-09-15 07:07:07 dovecot_login authenticator failed for (fibra-a-la-casa-189-226.jdimax.com) [190.93.189.226]:34827: 535 Incorrect authentication data ([email protected])
Line 118203: 2023-09-15 07:07:23 dovecot_login authenticator failed for (120.245.223.60.adsl-pool.sx.cn) [60.223.245.120]:43068: 535 Incorrect authentication data (set_id=sav)
Line 118205: 2023-09-15 07:07:28 dovecot_login authenticator failed for ([111.23.117.97]) [111.23.117.97]:47113: 535 Incorrect authentication data (set_id=welcome)
Line 118213: 2023-09-15 07:09:46 dovecot_login authenticator failed for (abts-kk-static-192.252.166.122.airtelbroadband.in) [122.166.252.192]:33800: 535 Incorrect authentication data ([email protected])
Line 118216: 2023-09-15 07:09:59 dovecot_login authenticator failed for ([129.146.164.36]) [129.146.164.36]:42231: 535 Incorrect authentication data (set_id=n.kor)
Line 118217: 2023-09-15 07:10:01 dovecot_login authenticator failed for ([58.218.45.38]) [58.218.45.38]:35791: 535 Incorrect authentication data ([email protected])
Line 118229: 2023-09-15 07:11:41 dovecot_login authenticator failed for ([203.91.121.231]) [203.91.121.231]:42142: 535 Incorrect authentication data ([email protected])
Line 118232: 2023-09-15 07:11:59 dovecot_login authenticator failed for (vipturbo.com.br) [191.36.147.25]:44499: 535 Incorrect authentication data (set_id=accounting)
Line 118235: 2023-09-15 07:12:23 dovecot_login authenticator failed for ([61.81.4.43]) [61.81.4.43]:51986: 535 Incorrect authentication data ([email protected])
Line 118239: 2023-09-15 07:12:35 dovecot_login authenticator failed for ([39.165.99.219]) [39.165.99.219]:35693: 535 Incorrect authentication data (set_id=mailer-daemon)
Line 118245: 2023-09-15 07:13:39 dovecot_login authenticator failed for 93-42-155-2.ip87.fastwebnet.it [93.42.155.2]:49930: 535 Incorrect authentication data ([email protected])
Line 118249: 2023-09-15 07:13:51 dovecot_login authenticator failed for ([193.200.116.76]) [193.200.116.76]:57910: 535 Incorrect authentication data (set_id=k.krit)
Line 118254: 2023-09-15 07:14:38 dovecot_login authenticator failed for ([61.143.59.18]) [61.143.59.18]:42181: 535 Incorrect authentication data
Line 118258: 2023-09-15 07:14:53 dovecot_login authenticator failed for ([171.212.103.245]) [171.212.103.245]:37002: 535 Incorrect authentication data ([email protected])
Line 118261: 2023-09-15 07:15:09 dovecot_login authenticator failed for (dynamic-ip-adsl.metfone.com.kh) [175.100.107.238]:44302: 535 Incorrect authentication data (set_id=kor)
Line 118301: 2023-09-15 07:17:11 dovecot_login authenticator failed for ([103.159.21.115]) [103.159.21.114]:56234: 535 Incorrect authentication data ([email protected])
Line 118304: 2023-09-15 07:17:29 dovecot_login authenticator failed for 111-70-5-129.emome-ip.hinet.net [111.70.5.129]:36944: 535 Incorrect authentication data (set_id=exports)
Line 118318: 2023-09-15 07:19:33 dovecot_login authenticator failed for ([114.107.225.104]) [114.107.225.104]:48236: 535 Incorrect authentication data ([email protected])
Line 118322: 2023-09-15 07:19:55 dovecot_login authenticator failed for ([138.2.32.177]) [36.161.239.121]:37396: 535 Incorrect authentication data (set_id=sav)
Line 118374: 2023-09-15 07:25:05 dovecot_login authenticator failed for (m121-202-200-207.smartone.com) [121.202.200.207]:53882: 535 Incorrect authentication data ([email protected])
Line 118379: 2023-09-15 07:25:22 dovecot_login authenticator failed for (177.76.245.49.unknown.m1.com.sg) [49.245.76.177]:34753: 535 Incorrect authentication data (set_id=menteti)
Line 118381: 2023-09-15 07:25:31 dovecot_login authenticator failed for ([139.198.16.118]) [139.198.16.118]:51210: 535 Incorrect authentication data ([email protected])
Line 118391: 2023-09-15 07:25:51 dovecot_login authenticator failed for ([36.97.144.36]) [36.97.144.36]:47505: 535 Incorrect authentication data (set_id=tri)
Line 118395: 2023-09-15 07:26:38 dovecot_login authenticator failed for (abts-north-static-241.26.176.122.airtelbroadband.in) [122.176.26.241]:52612: 535 Incorrect authentication data ([email protected])
Line 118398: 2023-09-15 07:26:47 dovecot_login authenticator failed for (88-149-198-156.static.eolo.it) [88.149.198.156]:39192: 535 Incorrect authentication data (set_id=mailer-daemon)
Line 118402: 2023-09-15 07:27:34 dovecot_login authenticator failed for ([222.218.17.199]) [222.218.17.199]:56503: 535 Incorrect authentication data ([email protected])
Line 118405: 2023-09-15 07:27:55 dovecot_login authenticator failed for (abts-tn-static-124.232.165.122.airtelbroadband.in) [49.204.132.90]:64302: 535 Incorrect authentication data (set_id=lsimeridis)
Line 118535: 2023-09-15 07:37:11 dovecot_login authenticator failed for (nsg-corporate-212.230.187.122.airtel.in) [122.187.230.212]:34317: 535 Incorrect authentication data ([email protected])
Line 118544: 2023-09-15 07:37:34 dovecot_login authenticator failed for ([112.26.99.92]) [112.26.99.92]:39886: 535 Incorrect authentication data
Line 118547: 2023-09-15 07:37:42 dovecot_login authenticator failed for ([218.56.153.66]) [218.56.155.106]:40863: 535 Incorrect authentication data ([email protected])
Line 118553: 2023-09-15 07:37:46 dovecot_login authenticator failed for (nsg-corporate-174.229.187.122.airtel.in) [122.187.229.174]:54132: 535 Incorrect authentication data (set_id=hr)
Line 118557: 2023-09-15 07:38:02 dovecot_login authenticator failed for ([39.152.8.214]) [39.152.8.214]:59976: 535 Incorrect authentication data (set_id=k.nancy)
Line 118570: 2023-09-15 07:42:31 dovecot_login authenticator failed for (18.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:45998: 535 Incorrect authentication data ([email protected])
Line 118574: 2023-09-15 07:43:03 dovecot_login authenticator failed for ([221.0.111.113]) [221.0.111.113]:51650: 535 Incorrect authentication data (set_id=welcome)
Line 118582: 2023-09-15 07:45:18 dovecot_login authenticator failed for (dhcp.tripleplay.in) [103.253.175.12]:38046: 535 Incorrect authentication data ([email protected])
Line 118589: 2023-09-15 07:45:50 dovecot_login authenticator failed for ([115.23.23.94]) [115.23.23.94]:45480: 535 Incorrect authentication data (set_id=tri)
Line 118604: 2023-09-15 07:46:52 dovecot_login authenticator failed for ([165.169.72.234]) [165.169.72.234]:57020: 535 Incorrect authentication data ([email protected])
Line 118609: 2023-09-15 07:47:04 dovecot_login authenticator failed for ([41.175.29.82]) [41.175.29.82]:57869: 535 Incorrect authentication data (set_id=domain.com)
Line 118611: 2023-09-15 07:47:17 dovecot_login authenticator failed for (gen-173-095-235-227.biz.spectrum.com) [173.95.235.227]:35440: 535 Incorrect authentication data ([email protected])
Line 118614: 2023-09-15 07:47:35 dovecot_login authenticator failed for (138.219.244.10.static.softdados.net) [138.219.244.10]:50064: 535 Incorrect authentication data (set_id=accounting)
Line 118635: 2023-09-15 07:49:10 dovecot_login authenticator failed for ([58.254.188.225]) [58.254.188.225]:51231: 535 Incorrect authentication data ([email protected])
Line 118642: 2023-09-15 07:49:36 dovecot_login authenticator failed for ([115.46.88.68]) [115.46.88.68]:47400: 535 Incorrect authentication data (set_id=k.krit)
Line 118644: 2023-09-15 07:49:44 dovecot_login authenticator failed for (host103-163-100-78.entirebroadband.com) [103.163.100.78]:44726: 535 Incorrect authentication data ([email protected])
Line 118648: 2023-09-15 07:50:03 dovecot_login authenticator failed for ([211.105.186.192]) [211.105.186.192]:45002: 535 Incorrect authentication data (set_id=welcome)
Line 118668: 2023-09-15 07:50:42 dovecot_login authenticator failed for (static.vnpt.vn) [117.4.201.6]:63265: 535 Incorrect authentication data ([email protected])
Line 118671: 2023-09-15 07:50:58 dovecot_login authenticator failed for 111-70-15-198.emome-ip.hinet.net [111.70.15.198]:60341: 535 Incorrect authentication data (set_id=menteti)
Line 118687: 2023-09-15 07:51:50 dovecot_login authenticator failed for ([103.145.27.106]) [103.145.27.1]:48782: 535 Incorrect authentication data ([email protected])
Line 118691: 2023-09-15 07:52:04 dovecot_login authenticator failed for ([110.242.49.234]) [110.242.49.234]:33535: 535 Incorrect authentication data (set_id=exports)
Line 118779: 2023-09-15 08:05:02 dovecot_login authenticator failed for (ip-201-168-130-242.marcatel.net.mx) [201.168.130.242]:37164: 535 Incorrect authentication data ([email protected])
Line 118781: 2023-09-15 08:05:03 dovecot_login authenticator failed for (56.188.165.124.adsl-pool.sx.cn) [116.135.13.165]:44984: 535 Incorrect authentication data ([email protected])
Line 118784: 2023-09-15 08:05:11 dovecot_login authenticator failed for (8.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:33166: 535 Incorrect authentication data ([email protected])
Line 118793: 2023-09-15 08:05:21 dovecot_login authenticator failed for ([106.51.64.74]) [106.51.64.74]:42342: 535 Incorrect authentication data (set_id=welcome)
Line 118798: 2023-09-15 08:05:26 dovecot_login authenticator failed for ([111.40.89.207]) [111.40.89.207]:43555: 535 Incorrect authentication data (set_id=webmaster)
Line 118801: 2023-09-15 08:05:34 dovecot_login authenticator failed for ([115.236.24.10]) [115.236.24.10]:50979: 535 Incorrect authentication data (set_id=welcome)
Line 118803: 2023-09-15 08:05:36 dovecot_login authenticator failed for ([211.226.37.220]) [211.226.37.220]:45342: 535 Incorrect authentication data ([email protected])
Line 118806: 2023-09-15 08:05:53 dovecot_login authenticator failed for cpe-70-114-142-208.austin.res.rr.com [70.114.142.208]:48350: 535 Incorrect authentication data (set_id=exports)
Line 118855: 2023-09-15 08:07:53 dovecot_login authenticator failed for ([203.90.233.59]) [173.248.245.77]:60470: 535 Incorrect authentication data ([email protected])
Line 118860: 2023-09-15 08:08:31 dovecot_login authenticator failed for ([113.203.194.223]) [113.203.194.223]:43554: 535 Incorrect authentication data (set_id=randomusername)
Line 118864: 2023-09-15 08:08:53 dovecot_login authenticator failed for ([1.254.140.135]) [1.254.140.135]:53920: 535 Incorrect authentication data (set_id=randomusername)
Line 118987: 2023-09-15 08:15:43 dovecot_login authenticator failed for ([61.183.43.155]) [61.183.43.155]:52726: 535 Incorrect authentication data ([email protected])
Line 118991: 2023-09-15 08:15:56 dovecot_login authenticator failed for ([200.174.29.180]) [200.174.29.180]:31582: 535 Incorrect authentication data (set_id=postmaster)
Line 119149: 2023-09-15 08:21:35 dovecot_login authenticator failed for ([61.81.143.68]) [61.81.143.68]:44354: 535 Incorrect authentication data ([email protected])
Line 119166: 2023-09-15 08:21:48 dovecot_login authenticator failed for ([14.51.14.47]) [14.51.14.47]:42562: 535 Incorrect authentication data (set_id=postmaster)
Line 119211: 2023-09-15 08:22:55 dovecot_login authenticator failed for ([120.195.116.114]) [120.195.116.114]:7610: 535 Incorrect authentication data ([email protected])
Line 119214: 2023-09-15 08:23:00 dovecot_login authenticator failed for 51.42.72.34.bc.googleusercontent.com [34.72.42.51]:52101: 535 Incorrect authentication data ([email protected])
Line 119233: 2023-09-15 08:23:17 dovecot_login authenticator failed for ([164.164.112.10]) [164.164.112.10]:45924: 535 Incorrect authentication data (set_id=k.nancy)
Line 119234: 2023-09-15 08:23:18 dovecot_login authenticator failed for ([112.5.10.207]) [112.5.10.207]:45517: 535 Incorrect authentication data (set_id=accounting)
Line 119512: 2023-09-15 08:29:54 dovecot_login authenticator failed for (201-174-58-110.transtelco.net) [201.174.58.110]:38922: 535 Incorrect authentication data ([email protected])
Line 119515: 2023-09-15 08:30:09 dovecot_login authenticator failed for (abts-mum-static-207.112.70.182.airtelbroadband.in) [182.70.112.207]:53190: 535 Incorrect authentication data (set_id=k.krit)
Line 119557: 2023-09-15 08:33:25 dovecot_login authenticator failed for ([106.91.215.99]) [106.91.215.99]:41172: 535 Incorrect authentication data ([email protected])
Line 119561: 2023-09-15 08:33:39 dovecot_login authenticator failed for (nsg-corporate-80.229.187.122.airtel.in) [122.187.229.80]:50552: 535 Incorrect authentication data (set_id=welcome)
Line 119657: 2023-09-15 08:38:56 dovecot_login authenticator failed for ([176.121.215.2]) [176.121.215.2]:53062: 535 Incorrect authentication data ([email protected])
Line 119673: 2023-09-15 08:39:18 dovecot_login authenticator failed for ([223.84.248.209]) [223.84.248.209]:1561: 535 Incorrect authentication data (set_id=sav)
Line 119689: 2023-09-15 08:41:09 dovecot_login authenticator failed for ([196.28.226.66]) [196.28.226.66]:56066: 535 Incorrect authentication data ([email protected])
Line 119695: 2023-09-15 08:41:26 dovecot_login authenticator failed for (103.249.163.124.adsl-pool.sx.cn) [124.163.249.13]:28560: 535 Incorrect authentication data (set_id=accounting)
Line 119761: 2023-09-15 08:45:04 dovecot_login authenticator failed for (183.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:41610: 535 Incorrect authentication data ([email protected])
Line 119773: 2023-09-15 08:45:25 dovecot_login authenticator failed for ([103.146.50.91]) [103.146.50.91]:59586: 535 Incorrect authentication data (set_id=abuse)
Line 119781: 2023-09-15 08:46:04 dovecot_login authenticator failed for ([61.153.208.38]) [61.153.208.38]:13077: 535 Incorrect authentication data ([email protected])


The crazy thing is that the same IP is used only a few times or even only a single time.

And even if it's used more than once, the attempts coming from that particular IP are spread over a timespan of many hours or even days.

What can i do to stop this?

Increasing LF_INTERVAL and lowering LF_SMTPAUTH (to 2 or 3) could stop only a small part of these attempts.

I have strong passwords on my email accounts and, besides, most of the usernames they try do not even exist.

Is there any other way to force stop these attacks?

I've done most of the actions mentioned here: How to Prevent Email Abuse | cPanel & WHM Documentation

but they won't stop.

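The post above makes a point that a per-IP counter cannot see: each source IP fails only a few times, hours apart, while the same handful of login names are tried from many different IPs. The script below is an added example, not code from the thread or from cPanel/CSF. It parses the `dovecot_login authenticator failed` line format shown in the log, then looks at the same events three ways: per IP with a simplified sliding-window model of CSF's LF_SMTPAUTH/LF_INTERVAL rule (an approximation of CSF's actual counting, not its code), per targeted login name counting distinct source IPs, and as a global failure rate regardless of source. The sample log lines are constructed with RFC 5737 documentation addresses rather than the IPs in the thread; the function names and the `(no set_id)` label are this example's own.

```python
"""Added example (not from the thread): aggregate dovecot_login failures
from exim_mainlog by source IP and by targeted login, to show why a
per-IP rule such as CSF's LF_SMTPAUTH within LF_INTERVAL misses a
distributed attack while a per-target or global view does not."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in exim_mainlog format, using RFC 5737 documentation
# addresses rather than the IPs posted in the thread. One failure line
# carries no set_id (as in the original log) and one line is unrelated.
SAMPLE_LOG = """\
2023-09-15 06:20:08 dovecot_login authenticator failed for ([192.0.2.10]) [192.0.2.10]:43158: 535 Incorrect authentication data (set_id=exports)
2023-09-15 06:23:27 dovecot_login authenticator failed for ([198.51.100.7]) [198.51.100.7]:52656: 535 Incorrect authentication data (set_id=accounting)
2023-09-15 06:34:15 dovecot_login authenticator failed for host.example.net [203.0.113.44]:40441: 535 Incorrect authentication data (set_id=welcome)
2023-09-15 07:12:23 dovecot_login authenticator failed for ([192.0.2.10]) [192.0.2.10]:51986: 535 Incorrect authentication data (set_id=accounting)
2023-09-15 07:14:38 dovecot_login authenticator failed for ([198.51.100.99]) [198.51.100.99]:42181: 535 Incorrect authentication data
2023-09-15 08:05:21 dovecot_login authenticator failed for (mail.example.org) [203.0.113.9]:42342: 535 Incorrect authentication data (set_id=accounting)
2023-09-15 08:23:00 dovecot_login authenticator failed for ([192.0.2.77]) [192.0.2.77]:52101: 535 Incorrect authentication data (set_id=welcome)
2023-09-15 08:45:04 dovecot_login authenticator failed for ([192.0.2.10]) [192.0.2.10]:41610: 535 Incorrect authentication data (set_id=webmaster)
2023-09-15 08:45:09 dovecot_login authenticator failed for (static.example.com) [198.51.100.7]:31582: 535 Incorrect authentication data (set_id=postmaster)
2023-09-15 08:46:00 SMTP connection from [203.0.113.9] closed by QUIT
"""

# The host part before the IP may be a bare name, a parenthesised name or a
# parenthesised bracketed IP, so we anchor on the "[ip]:port: 535" tail.
# The trailing "(set_id=...)" is optional: Exim omits it on some failures.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed for "
    r".*?\[(?P<ip>[^\]]+)\]:\d+: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?$"
)


def parse_failures(text):
    """Return (timestamp, ip, user) per failed login; user is None when no set_id was logged."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]))
    return events


def would_block(events, limit, interval):
    """IPs that reach `limit` failures inside any `interval`-second window.

    Simplified model of a per-IP rule (CSF: LF_SMTPAUTH failures within
    LF_INTERVAL seconds); it is an approximation, not CSF's own logic.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    span = timedelta(seconds=interval)
    blocked = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - limit + 1):
            if stamps[i + limit - 1] - stamps[i] <= span:
                blocked.add(ip)
                break
    return blocked


def distinct_ips_per_target(events):
    """Number of different source IPs that tried each login name: the distributed-attack signal."""
    targets = defaultdict(set)
    for _, ip, user in events:
        targets[user or "(no set_id)"].add(ip)
    return {user: len(ips) for user, ips in targets.items()}


def peak_failure_rate(events, window):
    """Most failures from any source combined inside one sliding window of `window` seconds."""
    stamps = sorted(ts for ts, _, _ in events)
    span = timedelta(seconds=window)
    best, j = 0, 0
    for i, start in enumerate(stamps):
        while j < len(stamps) and stamps[j] - start <= span:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(f"{len(events)} failed logins parsed")
    print("blocked by LF_SMTPAUTH=3 within LF_INTERVAL=3600:", would_block(events, 3, 3600) or "none")
    print("distinct source IPs per targeted login:", distinct_ips_per_target(events))
    print("peak failures in any 60-minute window:", peak_failure_rate(events, 3600))
```

On this sample the per-IP rule with a one-hour interval blocks nothing, because the busiest IP spreads its three attempts over more than two hours, while the per-target view shows `accounting` being tried from three different sources and the global view shows five failures in one hour. Run it against a real log with `parse_failures(open("/var/log/exim_mainlog").read())`; the per-target and global counts are what tell you whether a spray like this is active, independent of any single IP's behaviour.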
quietFinn
Well-Known Member, Finland
cPanel Access Level: Root Administrator
Hello,
I am facing extensive SMTP auth attacks from a large number of different IPs over a large timespan.

Please take a look at this part of the exim_mainlog, which shows some of the approx. 4000 failed dovecot logins over the last 5 days:
4000 in 5 days is about 33 per hour... in my opinion that is not much, I'd say it's pretty normal :rolleyes:

cPRex
Jurassic Moderator, Staff member
cPanel Access Level: Root Administrator
I am going to agree with @quietFinn - this seems like normal activity. If you have a service open to the public, like IMAP or SSH, you should expect this type of traffic to happen.

On my personal server today, which really only has two active websites and 1 active email account, I see 126 failed attempts in 8 hours, so a very similar number to your machine:

Code:
[root@host /]# grep "authenticator failed" /var/log/exim_mainlog | grep 2023-09-15 | wc -l
126
Most of them are random addresses, such as "[email protected]" or "[email protected]" or something similar.

As long as you have secure passwords and have Brute Force Detection enabled, the system will be fine.