distributed smtpauth attacks on account

keat63

Well-Known Member
Nov 20, 2014
1,899
253
113
cPanel Access Level
Root Administrator
I'm still learning, so this question may sound stupid.

How can a potential hacker perform a distributed smtpauth attack on an account that doesn't exist.?

lfd[27690]: 190.xx.xx.xxx (VE/Venezuela/190-xx-xxx-xx.dyn.dsl.cantv.net), 3 distributed smtpauth attacks on account [[email protected]] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
 

keat63

Well-Known Member
Nov 20, 2014
1,899
253
113
cPanel Access Level
Root Administrator
I'm happy that CSF has blocked his IP.
I'm just surprised that considering the email account doesn't even exists, that this would even be logged.
I guess in hindsight that CSF is intercepting this before exim, but it doesn't sort of make sense.

It's like someone reporting a burglar, who's trying to break into a bank that isn't there.
 

gavcom

Member
Mar 4, 2015
14
2
3
cPanel Access Level
Root Administrator
An attack is an attack rather look at it this way, the fact the CSF caught it before hitting your server is a good thing means that the attacker is getting now where and will try again but now his just guessing which is what they do mostly hence the term distributed attack because once they find a valid account then the really hacking begins. But seeing that CSF block that IP hell have to use another one and another and another and another. So make sure to set you CSF timeout for blocks to max time and not permanent else your firewall rules will be flooded
 

keat63

Well-Known Member
Nov 20, 2014
1,899
253
113
cPanel Access Level
Root Administrator
I'm currently testing with 1500 permanent firewall blocks, which is currently giving about a month before they start to rotate.