Are they professional spammers or idiot kids playing silly buggers? That’s the question I find myself asking after reviewing logs and discovering thousands of attempts to gain access to email. The fools are using malformed login credentials. Come on guys, if you were serious you’d actually review your bogus software! Work out how it does stuff and make sure that it at least passes the sniff test. You’ll never gain anything by using broken code. I have to ask myself ‘how stupid are spammers?’
Like all semi-competent system administrators I review logs regularly and am constantly looking for irregularities. When I find something I’ll focus on stopping them and further strengthening my defences – that is until I get distracted by some other shiny object.
My scanning methods aren’t terribly stylish or even clever and I usually take the path of least resistance. In this case I have scanned through /var/log/secure searching for the word fail. I run CentOS, so if you are using another OS your log file might be called /var/log/auth.log (Debian and Ubuntu), or on a systemd-only box the same lines come out of journalctl. Note that grep is case-sensitive: ‘fail’ catches the pam_unix ‘authentication failure’ lines shown below, but sshd’s ‘Failed password’ lines start with a capital F, so add -i if you want those as well.
sudo grep 'fail' /var/log/secure
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spf5@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spell@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=speedtest3@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=specialevents@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spartan@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spapps@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sophia@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=songyuan@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sok@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=socrates@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=socks@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=social.mercadolibre@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sni@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=smx@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=smtp.mail@com.au rhost=45.142.195.15
The log entries outlined above were repeated many times over a period of a few days. When I scan my log of dropped connections I also see the same IP address repeated over the past week or two.
It is difficult to know whether the person at the other end is:
- A professional spammer,
- Just a pimply faced kid whose mummy caught him looking at porn and sent him to his room for punishment,
- Or a beginner who was not smart enough to look at the code he/she is using.
Note the login details
If you are going to point a script at someone’s mail server and blindly brute-force logins, you should at least review the code and make sure the credentials it generates are formed correctly.
Looking at the login details in this particular case, I see usernames like “specialevents@com.au”, which any idiot can see are malformed and doomed to failure. The domain part is nothing but the public suffix com.au with no actual domain in front of it, so no mailbox on any server could ever match; it looks as if the script has thrown away the real domain label and kept only the suffix.
Their goal may not have been to gain access to our email accounts but rather to consume resources in a misguided attempt to crash something. With a fresh login attempt every 50 seconds they are not going to do much damage. Is their intention some form of Denial of Service (DoS)? Even a DoS attempt is doomed to failure if you’re only hitting the server once a minute. What a slow, steady trickle like this does achieve is staying under the burst thresholds that tools such as fail2ban use to decide when to ban, so one attempt a minute is a reason to count failures over a longer window rather than a reason to relax.
The password used by the dimwitted hacker was UGFzc3dvcmQ6. That is base64, but it does not decode to “password” (that would be cGFzc3dvcmQ=); it decodes to “Password:”, capital P and trailing colon, which is the literal prompt a mail server sends as its second challenge in the SASL LOGIN mechanism (the first is VXNlcm5hbWU6, “Username:”). So the client is not even guessing a weak password; it appears to be echoing the server’s own prompt back as the credential, which says more about the quality of the code than about their dictionary and leaves me believing the individual is particularly stupid.
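Here is an added example, my own code rather than anything from this post or from the attacker’s script, that does with a few lines of Python what the grep above does by eye: it pulls the ruser/rhost pair out of each pam_unix failure line, counts failures per source address, flags usernames whose domain part is nothing but a public suffix like com.au, and base64-decodes a credential token to tell a real password apart from the server’s own SASL LOGIN prompt. The log lines and the public-suffix list are constructed for the demo; a real check would load the Public Suffix List instead of the hard-coded set.

```python
import base64
import re
from collections import Counter

# Constructed sample lines in the pam_unix(dovecot:auth) shape quoted above.
# The last two lines (a well-formed user from another host, and an sshd line
# that is not a failure at all) show what the filter ignores.
SAMPLE_LOG = """\
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=specialevents@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sophia@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=smtp.mail@com.au rhost=45.142.195.15
mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.com.au rhost=203.0.113.7
mail sshd[4242]: Accepted publickey for bob from 198.51.100.4 port 50000 ssh2
"""

# ruser can be empty in real logs ("ruser= rhost=..."), hence \S* rather than \S+.
FAIL_RE = re.compile(
    r"authentication failure;.*?\bruser=(?P<user>\S*)\s+rhost=(?P<host>\S+)"
)

# Hypothetical, deliberately short suffix list for the demo. A real check would
# load the Public Suffix List (publicsuffix.org) rather than hard-code these.
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "com", "net", "org"}

# The two literal prompts a server sends in the SASL LOGIN mechanism.
SASL_LOGIN_PROMPTS = {"Username:", "Password:"}


def parse_failures(log_text):
    """Yield (ruser, rhost) for every pam_unix authentication-failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("user"), m.group("host")


def is_malformed_login(ruser):
    """True if the login has no local part, no domain, or a domain that is only a public suffix."""
    local, at, domain = ruser.partition("@")
    if not at or not local or not domain:
        return True
    return domain.lower() in PUBLIC_SUFFIXES


def summarise(log_text):
    """Return (failures per rhost, failures with a malformed username per rhost)."""
    per_host = Counter()
    malformed = Counter()
    for user, host in parse_failures(log_text):
        per_host[host] += 1
        if is_malformed_login(user):
            malformed[host] += 1
    return per_host, malformed


def decode_sasl_token(token):
    """Base64-decode a credential token.

    Returns (decoded_text, is_server_prompt). is_server_prompt is True when the
    token is one of the LOGIN prompts, i.e. the client sent the server's own
    challenge back instead of a credential. Invalid base64 gives (None, False).
    """
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, False
    return text, text in SASL_LOGIN_PROMPTS


if __name__ == "__main__":
    hosts, bad = summarise(SAMPLE_LOG)
    for host, count in hosts.most_common():
        print(f"{host}: {count} failures, {bad[host]} with malformed usernames")
    for token in ("UGFzc3dvcmQ6", "cGFzc3dvcmQ="):
        print(token, "->", decode_sasl_token(token))
```

To run it over a live box, read /var/log/secure (or /var/log/auth.log) into a string and pass that to summarise instead of SAMPLE_LOG; a source address where nearly every failure also has a malformed username is a broken scanner rather than a user who has forgotten a password, which is a useful thing to know before deciding how long to ban it.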
abuseipdb.com
When checking the offending IP address at abuseipdb.com I find the same address has been reported over 4,700 times. I’m not sure why ISPs don’t monitor outgoing user activity and act when repeated activity indicates malicious intent. It is obvious to me that when a user constantly belts the ports associated with email then that user is up to no good.
Dropped
I don’t like to drop connections permanently but that is what I have done with this individual. Of course, dropping connections at the server doesn’t solve the problem. When I check my logs for dropped packets the same individual is still doing their best to gain access. Even though they can no longer reach any services they can still attempt a connection, so every packet they send still arrives on my link and consumes bandwidth; only a filter upstream of me, at my provider or theirs, would stop that.
I don’t know what the final solution is and how we can permanently prevent these morons. Short of turning up on their front door step and kicking their f**king asses there isn’t much we can do.
I do report incidents to the appropriate abuse contacts for the owner of the IP address range but I never get a reply. I don’t think anyone checks their abuse contact addresses.
That’s all folks!