Qmail

POP3 password scanning

To: qmail@list.cr.yp.to
Subject: POP3 password scanning
From: Quinn Comendant <quinn@strangecode.com>
Date: Thu, 25 Jan 2007 14:24:47 -0800
Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm

I found 8000+ entries in my logs like this all from the same IP:

2007-01-21 09:51:25.570281500 tcpserver: status: 200/200
2007-01-21 09:51:25.570410500 tcpserver: pid 28241 from 24.220.50.36
2007-01-21 09:51:25.571261500 tcpserver: ok 28241 two.strangecode.com:72.3.142.43:110 host-36-50-220-24.midco.net:24.220.50.36::41979
2007-01-21 09:51:25.571839500 tcpserver: end 28241 status 256
2007-01-21 09:51:25.571842500 tcpserver: status: 199/200

There was a robot running on 24.220.50.36 scanning all usernames looking for 
valid user/pass pairs. I thought a good solution to this would be to add a 
configuration to fail2ban (we use it for stopping ssh scanning) which will 
block the IP with iptables if it detects too many failed password attempts.

So I looked for the log file to use as a detection point for the multiple 
failed passwords. But then I found a paradox. In my /var/log/maillog are many 
entries like this:

Jan 21 08:31:02 mx vpopmail[11387]: vchkpw-pop3: password fail (pass: '257a2117dc3b42e16ef3263877ad6aaf') dann@dansdesk.co.uk:86.142.39.161
Jan 21 08:31:02 mx vpopmail[11389]: vchkpw-pop3: (PLAIN) login success dan@dansdesk.co.uk:86.142.39.161
Jan 21 08:31:17 mx vpopmail[11399]: vchkpw-pop3: password fail (pass: '7f6b74c8646dc5b228d488ccce2e1559') jordean@powerpolitics.com:67.161.162.12
Jan 21 08:31:17 mx vpopmail[11401]: vchkpw-pop3: (PLAIN) login success jordan@powerpolitics.com:67.161.162.12
Jan 21 08:32:16 mx vpopmail[11481]: vchkpw-pop3: password fail (pass: 'da50101dd890e149154f01aa3c5c1e1a') malewa@maleasmith.com:212.186.68.140
Jan 21 08:32:17 mx vpopmail[11486]: vchkpw-pop3: (PLAIN) login success malea@maleasmith.com:212.186.68.140

These are md5-digest (I think) password failures, followed by plaintext 
password success. These are all honest valid users, and it is normal. I think 
they all use a POP3 client (maybe Apple Mail) that first tries md5-digest, and 
if it doesn't work, uses plaintext. The paradox is that fail2ban must scan the 
logs for password failures to detect which IP address to block. But because of 
these "honest" password failures there is no way to tell the difference 
between a robot trying a wrong password and a "helpful" POP3 client trying a 
wrong auth method.

Any ideas how to detect the IP of a POP3 scanning robot? Or maybe a better 
solution would be to use the tcpserver-limits patch or even iptables' --hitcount 
option to function as a connection-limiting firewall?

Quinn


---------------------------------------------------------------------
Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410

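The detection problem the post describes can be handled with a small amount of state that a regex-only fail2ban filter does not have: a "password fail" is treated as a fallback attempt, not a guess, when the same source address logs a "login success" within a short window afterwards, and only the failures that are never followed by a success are counted toward a ban. The classifier is also keyed on the source IP rather than the username, because in the quoted lines the failing and succeeding usernames differ. The following is an added example written for this page, not code from the original post or from vpopmail or fail2ban. The line format is copied from the vchkpw-pop3 lines quoted above; the sample log is constructed, and the 60-second window, the 5-failure retry limit and the 3-distinct-user limit are assumptions to tune for your own site.

```python
"""Separate POP3 password-scanning robots from legitimate clients that fail
one auth mechanism and then succeed with another, using vpopmail log lines.

Added example; not code from the original post. Window and thresholds are
assumptions. Requires only the Python standard library.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample maillog shaped like the vchkpw-pop3 lines in the post.
# Three clients fail a digest mechanism and then log in with PLAIN, one client
# typos a password twice and gives up, and one IP sweeps usernames.
SAMPLE_LOG = """\
Jan 21 08:31:02 mx vpopmail[11387]: vchkpw-pop3: password fail (pass: '257a2117dc3b42e16ef3263877ad6aaf') dan@example.com:86.142.39.161
Jan 21 08:31:02 mx vpopmail[11389]: vchkpw-pop3: (PLAIN) login success dan@example.com:86.142.39.161
Jan 21 08:31:17 mx vpopmail[11399]: vchkpw-pop3: password fail (pass: '7f6b74c8646dc5b228d488ccce2e1559') jordan@example.org:67.161.162.12
Jan 21 08:31:17 mx vpopmail[11401]: vchkpw-pop3: (PLAIN) login success jordan@example.org:67.161.162.12
Jan 21 08:32:16 mx vpopmail[11481]: vchkpw-pop3: password fail (pass: 'da50101dd890e149154f01aa3c5c1e1a') malea@example.net:212.186.68.140
Jan 21 08:32:17 mx vpopmail[11486]: vchkpw-pop3: (PLAIN) login success malea@example.net:212.186.68.140
Jan 21 08:40:01 mx vpopmail[11601]: vchkpw-pop3: password fail (pass: 'typo1') pat@example.com:198.51.100.7
Jan 21 08:40:09 mx vpopmail[11603]: vchkpw-pop3: password fail (pass: 'typo2') pat@example.com:198.51.100.7
Jan 21 09:51:20 mx vpopmail[28201]: vchkpw-pop3: password fail (pass: 'password') admin@example.com:24.220.50.36
Jan 21 09:51:21 mx vpopmail[28205]: vchkpw-pop3: password fail (pass: 'password') alice@example.com:24.220.50.36
Jan 21 09:51:22 mx vpopmail[28211]: vchkpw-pop3: password fail (pass: 'password') bob@example.com:24.220.50.36
Jan 21 09:51:23 mx vpopmail[28219]: vchkpw-pop3: password fail (pass: 'password') carol@example.com:24.220.50.36
Jan 21 09:51:24 mx vpopmail[28231]: vchkpw-pop3: password fail (pass: 'password') dave@example.com:24.220.50.36
Jan 21 09:51:25 mx vpopmail[28241]: vchkpw-pop3: password fail (pass: 'password') erin@example.com:24.220.50.36
"""

# Syslog prefix shared by both line kinds; the regex syntax here is the same
# Python dialect fail2ban filters use.
PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: vchkpw-pop3: "
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(PREFIX + r"password fail \(pass: '.*'\) (?P<user>\S+):" + IP + r"$")
OK_RE = re.compile(PREFIX + r"\((?P<mech>\w+)\) login success (?P<user>\S+):" + IP + r"$")


def _parse_ts(ts):
    """Syslog timestamps carry no year; only deltas within one log matter here."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse(lines):
    """Return (time, kind, user, ip) tuples for every recognised vchkpw line."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = FAIL_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"]), "fail", m["user"], m["ip"]))
            continue
        m = OK_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"]), "ok", m["user"], m["ip"]))
    return events


def classify(lines, window=60, maxretry=5, maxusers=3):
    """Return (banned_ips, per_ip_stats).

    A failure followed by a success from the same IP within `window` seconds
    is counted as 'redeemed' (client fell back to another mechanism). Only
    unredeemed failures count; an IP is banned when it accumulates `maxretry`
    of them or tries `maxusers` distinct usernames without ever succeeding.
    """
    events = parse(lines)
    successes = defaultdict(list)
    for ts, kind, _user, ip in events:
        if kind == "ok":
            successes[ip].append(ts)
    stats = defaultdict(lambda: {"fails": 0, "redeemed": 0, "users": set()})
    for ts, kind, user, ip in events:
        if kind != "fail":
            continue
        s = stats[ip]
        if any(0 <= (ok - ts).total_seconds() <= window for ok in successes[ip]):
            s["redeemed"] += 1
        else:
            s["fails"] += 1
            s["users"].add(user)
    banned = sorted(ip for ip, s in stats.items()
                    if s["fails"] >= maxretry or len(s["users"]) >= maxusers)
    summary = {ip: {"fails": s["fails"], "redeemed": s["redeemed"], "users": len(s["users"])}
               for ip, s in stats.items()}
    return banned, summary


if __name__ == "__main__":
    banned, summary = classify(SAMPLE_LOG.splitlines())
    for ip, s in sorted(summary.items()):
        print(ip, s, "BAN" if ip in banned else "")
```

Run it against a real maillog with `classify(open("/var/log/maillog"))` and feed the returned addresses to iptables. The point to take away is that a fail2ban filter built from `FAIL_RE` alone would ban the three fallback clients just as readily as the sweep, while the window check clears them and still catches an IP that walks through many usernames from one address.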