alt.spam Google Group

Re: Pop3 login attacks

mrdemean...@jackpot.invalid (MrD) — Sat, 20 mar 2010 18:20:03 UT

IMAP uses a single "login" command that contains both the user and
password. POP has separate "user" and "pass" commands.
Here's some good stuff on IMAP and POP commandline access:
[link]
[link]

Re: Pop3 login attacks

s...@guy.com (Spam Guy) — Sat, 20 mar 2010 17:28:12 UT

No, your right.
I was assuming that because I was seeing "Unknown User" in the log
entries, such as in this example:
--------
20080501182355-0500:POP3-Serve r:FailedLogin:[74.143.8.227]:r oy:UnknownUser
--------
That the remote system would have also been seeing "Unknown user" during
the login attempt.

Re: Pop3 login attacks

s...@guy.com (Spam Guy) — Sat, 20 mar 2010 16:43:25 UT

MrD wrote:

I have no idea what point you're trying to make with that comment.
If you have a specific knowledge, or even a theory, as to why these
attack strategies do not attempt to determine both a valid user-name
*and* password, then why don't you post it here?

Re: Pop3 login attacks

Sat, 20 mar 2010 12:34:27 UT

On Sat, 20 Mar 2010 11:57:23 +0000, MrD <mrdemean...@jackpot.invalid>
wrote:
Does an IMAP server typically reject a username before it sees the
password?

Re: SMTP connect / timeout events

mrdemean...@jackpot.invalid (MrD) — Sat, 20 mar 2010 12:17:24 UT

TCP itself times out (by default the timeout is usually half-an-hour, I
think).
The six-minute timeout seems to be a postfix default for both send and
receive on SMTP (actually it's 300s); and it seems judicious, given that
some clients like to suck up 40-50 simultaneous connections for pumping
spam, even when every attempt is met by 5XX. The default evidently drops

Re: Pop3 login attacks

mrdemean...@jackpot.invalid (MrD) — Sat, 20 mar 2010 11:57:23 UT

..is probably greater than mine - or at least, fresher. I've been using
exclusively IMAP for some time. I do run a POP server, but it doesn't
get used.

Re: Pop3 login attacks

Sat, 20 mar 2010 10:06:17 UT

On Sat, 20 Mar 2010 08:09:14 +0000, MrD <mrdemean...@jackpot.invalid>
wrote:
But... my experience with POP servers (I'm just a user, though) is
that they don't reveal valid usernames, they wait to throw an error
until after the password is submitted:
user lsdfjhldskjfhdfkjhgldksjhgdfjg h
+OK
pass lkajdhf

Re: SMTP connect / timeout events

Sat, 20 mar 2010 09:49:36 UT

On Tue, 16 Mar 2010 08:43:04 +0000, MrD <mrdemean...@jackpot.invalid>
wrote:
Well... don't servers/something *have* to have a "timeout"? Servers
that are up for years can't keep sockets open indefinitely for clients
that don't properly finish their business.
Not at all. A few seconds *can't* be a "timeout" period.

Re: Pop3 login attacks

mrdemean...@jackpot.invalid (MrD) — Sat, 20 mar 2010 08:09:14 UT

So you're an internet vandal, and you are hammering away at SG's POP
server, trying out random user names. You hit on one that is accepted.
Hmmm. You seem have found a valid email address; wonder what use could
that be? Doh - can't think.

Pop3 login attacks (was: SMTP connect / timeout events)

s...@guy.com (Spam Guy) — Sat, 20 mar 2010 02:15:56 UT

Because it didn't fall over during the attacks.

Tell us how you deal with pop3 login attacks?
Tell us how you learn of these attacks in real time.
Tell us what you do the minute your server tells you it's experiencing
an attack.
The machine did not crash, no accounts were accessed.
These attacks generate thousands of login attempts - the vast majority

spam me please

tpretl...@gmail.com (Tim) — Fri, 19 mar 2010 14:03:41 UT

pretl...@oss1.liv.ac.uk

yessss

tpretl...@gmail.com (Tim) — Fri, 19 mar 2010 14:02:59 UT

pretl...@oss1.liv.ac.uk

My pop3 login-attack stats

s...@guy.com (Spam Guy) — Fri, 19 mar 2010 06:35:45 UT

A preliminary analysis of my log files dating back to 1999 show that the
Pop3 login attacks that I'm now seeing seemed to have started in a
significant way on Jan 25, 2007.
During Each of the years 2007, 2008 and 2009 there are about 19 to 21
significant attack episodes, each from a unique IP address.

Re: SMTP connect / timeout events

dontmai...@no.junkmail.here (Landmark) — Wed, 17 mar 2010 18:44:37 UT

How do you know?
That's a great security policy, shrugging your shoulders and saying
nothing you could do about it anyway. Doesn't that tell you that you
are seriously lacking something in your security methodology?
Again, how do you know what the consequences have been? And you didn't
know about "either during or shortly after"... three years and then

Re: SMTP connect / timeout events

s...@guy.com (Spam Guy) — Wed, 17 mar 2010 13:56:18 UT

Obviously the SMTP software in question, and it's configuration state,
was secure enough to prevent unauthorized access to my system.
The fact that I didn't know it was happening at the time is not
particularly relavent, because short of pulling the plug on my server
there is nothing that I could have practically done to stop the attack.