distributed smtpauth attacks on account

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
I'm still learning, so this question may sound stupid.

How can a potential hacker perform a distributed smtpauth attack on an account that doesn't exist?

lfd[27690]: 190.xx.xx.xxx (VE/Venezuela/190-xx-xxx-xx.dyn.dsl.cantv.net), 3 distributed smtpauth attacks on account [[email protected]] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
 

keat63

I'm happy that CSF has blocked his IP.
I'm just surprised that, considering the email account doesn't even exist, this would even be logged.
I guess in hindsight that CSF is intercepting this before exim, but it sort of doesn't make sense.

It's like someone reporting a burglar, who's trying to break into a bank that isn't there.
 

gavcom

Member
Mar 4, 2015
14
2
3
cPanel Access Level
Root Administrator
An attack is an attack. Rather, look at it this way: the fact that CSF caught it before hitting your server is a good thing. It means that the attacker is getting nowhere and will try again, but now he's just guessing, which is what they do mostly, hence the term distributed attack, because once they find a valid account then the real hacking begins. But seeing that CSF blocked that IP, he'll have to use another one, and another, and another, and another. So make sure to set your CSF timeout for blocks to max time and not permanent, else your firewall rules will be flooded.
 

keat63

I'm currently testing with 1500 permanent firewall blocks, which is currently giving about a month before they start to rotate.
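
Added example, not part of the thread and not lfd's own code: a sketch of a distributed-failure detector that counts SMTP AUTH failures per login name within the 3600-second window from the log line above, which shows why a mailbox that does not exist can still be reported. The thresholds, the function name and the sample log (exim-style lines with documentation IP ranges and made-up mailboxes) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECS = 3600   # "in the last 3600 secs" from the lfd log line
FAIL_LIMIT = 3       # assumed threshold, matching the "3 ... attacks" in that line
UNIQ_IPS = 2         # assumed minimum number of distinct source IPs

# Exim-style SMTP AUTH failure: timestamp, source IP, login string the client supplied.
AUTH_FAIL = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for .*?"
    r"\[([0-9a-fA-F.:]+)\](?::\d+)?: 535 .*\(set_id=([^)]+)\)"
)

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
2015-03-10 10:00:05 dovecot_login authenticator failed for (User) [192.0.2.10]:40112: 535 Incorrect authentication data (set_id=ghost@example.com)
2015-03-10 10:07:41 dovecot_login authenticator failed for (User) [198.51.100.7]:51877: 535 Incorrect authentication data (set_id=ghost@example.com)
2015-03-10 10:09:00 dovecot_login authenticator failed for (User) [192.0.2.10]:40190: 535 Incorrect authentication data (set_id=sales@example.com)
2015-03-10 10:31:19 dovecot_login authenticator failed for (User) [203.0.113.45]:33020: 535 Incorrect authentication data (set_id=ghost@example.com)
2015-03-10 12:15:00 dovecot_login authenticator failed for (User) [203.0.113.99]:33999: 535 Incorrect authentication data (set_id=sales@example.com)
"""


def distributed_auth_failures(log_text):
    """Return {account: sorted source IPs} for accounts that crossed both thresholds."""
    recent = defaultdict(deque)   # account -> (time, ip) failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        stamp, ip, account = m.groups()
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        # Keyed on the login string in the log; nothing here checks that the mailbox exists.
        window = recent[account.lower()]
        window.append((now, ip))
        while (now - window[0][0]).total_seconds() > WINDOW_SECS:
            window.popleft()      # drop failures older than the window
        ips = {src for _, src in window}
        if len(window) >= FAIL_LIMIT and len(ips) >= UNIQ_IPS:
            flagged.setdefault(account.lower(), set()).update(ips)
    return {acct: sorted(ips) for acct, ips in flagged.items()}


if __name__ == "__main__":
    for acct, ips in distributed_auth_failures(SAMPLE_LOG).items():
        print(f"{acct}: {len(ips)} source IPs -> {', '.join(ips)}")
```

In the sample, `ghost@example.com` is flagged after three failures from three addresses inside one hour, while `sales@example.com` is not because its two failures are more than 3600 seconds apart.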