Interesting (for me) new type of account ... / 2010-04-05

Interesting (for me) new type of account guessing attack: trying SMTP accounts. I saw the following in the mail logs:
Apr  5 22:33:59 greenblatt sm-mta[19364]: o35KXpPO019364: [92.241.190.15]: possible SMTP attack: command=AUTH, count=7
Apr  5 22:34:08 greenblatt sm-mta[19082]: o35KVkYF019082: [92.241.190.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
I was wondering what was happening at the SMTP level and used tcpdump to find out:
220 kzdoos.xs4all.nl ESMTP Sendmail 8.14.2/8.14.2/Debian-2build1; Mon, 5 Apr 2010 20:47:05 +0200; (No UCE/UBE) logging access from: [92.241.190.15](FAIL)-[92.241.190.15]
EHLO jtrmuwev.com
250-kzdoos.xs4all.nl Hello [92.241.190.15], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH CRAM-MD5
334 PDI3MjU0Mjc5OC4xMjIwMjEwMkBremRvb3MueHM0YWxsLm5sPg==
MTExIDk5ODY0YTY5YWI3ODIxMmI3YzgxMjhkOGFmNWM4MjUw
535 5.7.0 authentication failed
535 5.7.0 authentication failed
RSET
250 2.0.0 Reset state
AUTH CRAM-MD5
334 PDEyODQ3MDgxMTYuMTIyMDIxMDNAa3pkb29zLnhzNGFsbC5ubD4=
MTExIDU2YmU3OGYwMGE1MTA5ZmI4OWZmMDFhOGRmMDdjMTBh
535 5.7.0 authentication failed
535 5.7.0 authentication failed
RSET
250 2.0.0 Reset state
AUTH CRAM-MD5
334 PDE4OTQxOTc2MS4xMjIwMjEwNEBremRvb3MueHM0YWxsLm5sPg==
MTExIDE4YmEyYWY2M2MyYjA2Y2Q4OWUxMDE4Y2E2NjY3MmM1
535 5.7.0 authentication failed
The base64-encoded bits decode to:
<272542798.12202102@kzdoos.xs4all.nl>
111 99864a69ab78212b7c8128d8af5c8250

<1284708116.12202103@kzdoos.xs4all.nl>
111 56be78f00a5109fb89ff01a8df07c10a

<189419761.12202104@kzdoos.xs4all.nl>
111 18ba2af63c2b06cd89e1018ca66672c5
Which is the normal challenge-response for CRAM-MD5 authentication. So my best guess is that this is either an attempt to find valid accounts for other attacks in a way which does not hit a rate limiter (yet), which would mean a targeted attack, or just a way to find an account for relaying spam.
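As an added example (not part of the original post), the Python below decodes the three captured exchanges above and shows what CRAM-MD5 (RFC 2195) actually commits the client to: the response is the username, a space, and HMAC-MD5 keyed with the password over the server's challenge. Decoding the three responses shows the same username, 111, each time with a different digest, i.e. repeated password guesses against one account name. The same computation also lets anyone holding the capture test candidate passwords offline against a recorded exchange, which is the well-known weakness of CRAM-MD5 once traffic is recorded. The demo challenge, the password "hunter2" and the small wordlist at the bottom are constructed for this example.

```python
import base64
import hashlib
import hmac

# The three CRAM-MD5 round trips from the tcpdump capture in this post, exactly
# as they appeared on the wire: (server "334" challenge, client response).
CAPTURED_EXCHANGES = [
    ("PDI3MjU0Mjc5OC4xMjIwMjEwMkBremRvb3MueHM0YWxsLm5sPg==",
     "MTExIDk5ODY0YTY5YWI3ODIxMmI3YzgxMjhkOGFmNWM4MjUw"),
    ("PDEyODQ3MDgxMTYuMTIyMDIxMDNAa3pkb29zLnhzNGFsbC5ubD4=",
     "MTExIDU2YmU3OGYwMGE1MTA5ZmI4OWZmMDFhOGRmMDdjMTBh"),
    ("PDE4OTQxOTc2MS4xMjIwMjEwNEBremRvb3MueHM0YWxsLm5sPg==",
     "MTExIDE4YmEyYWY2M2MyYjA2Y2Q4OWUxMDE4Y2E2NjY3MmM1"),
]

HEX_DIGITS = set("0123456789abcdef")


def decode_exchange(challenge_b64, response_b64):
    """Split one CRAM-MD5 round trip into (challenge bytes, username, hex digest).

    RFC 2195: the server sends base64(challenge); the client answers
    base64("<username> <32 hex chars>"), where the hex is HMAC-MD5 of the
    challenge keyed with the user's password.
    """
    challenge = base64.b64decode(challenge_b64)
    response = base64.b64decode(response_b64).decode("ascii")
    username, digest_hex = response.rsplit(" ", 1)
    if len(digest_hex) != 32 or set(digest_hex) - HEX_DIGITS:
        raise ValueError("malformed CRAM-MD5 response: " + response)
    return challenge, username, digest_hex


def cram_md5_digest(password, challenge):
    """The digest a legitimate client computes: HMAC-MD5(key=password, msg=challenge)."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username, password, challenge_b64):
    """Client side: build the base64 response line for a given base64 challenge."""
    challenge = base64.b64decode(challenge_b64)
    line = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def usernames_tried(exchanges):
    """The account name the client asserted in each captured attempt."""
    return [decode_exchange(c, r)[1] for c, r in exchanges]


def password_matches(password, challenge_b64, response_b64):
    """Offline check: does this password reproduce the captured digest?

    Nothing here talks to the server; anyone holding the capture can run it
    against a wordlist, which is why a recorded CRAM-MD5 exchange leaks more
    than "authentication failed" suggests.
    """
    challenge, _, digest_hex = decode_exchange(challenge_b64, response_b64)
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest_hex)


def dictionary_attack(wordlist, challenge_b64, response_b64):
    """Return the first password in wordlist that matches the capture, or None."""
    for candidate in wordlist:
        if password_matches(candidate, challenge_b64, response_b64):
            return candidate
    return None


if __name__ == "__main__":
    for challenge_b64, response_b64 in CAPTURED_EXCHANGES:
        challenge, user, digest = decode_exchange(challenge_b64, response_b64)
        print(f"challenge={challenge.decode()} user={user} digest={digest}")
    # Constructed round trip: base64 of "<demo.1@example.invalid>", a made-up
    # password and a made-up wordlist, to show the offline check end to end.
    demo_challenge = "PGRlbW8uMUBleGFtcGxlLmludmFsaWQ+"
    demo_response = cram_md5_response("111", "hunter2", demo_challenge)
    print("recovered:", dictionary_attack(["123456", "password", "hunter2"],
                                         demo_challenge, demo_response))
```

Running it against the capture prints the three challenges with user 111 and three distinct digests; the constructed round trip at the end recovers "hunter2" from the wordlist without ever contacting the server.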

Reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.