Recently, I have been seeing a lot of identical failed login attempts against my mail server. Just today, about 130,000 of them. The vast majority (124k+) come from one subnet: 126.96.36.199/24
Brute force attempts by themselves are not that special, but these are particularly annoying, as the tool they are using appears to be broken. Here is the complete login attempt (they all look exactly the same):
[Blue: data from server, Red: data from client]
It starts harmless enough with my mail server sending a standard banner
The "attacker" responds with an EHLO. The "localhost" is a bit odd, but well, I told them that I am mail.localdomain. So I will take that.
As it should in response to an "EHLO", my mail server will list its capabilities. Note that the client is not taking advantage of STARTTLS.
Next, the client "resets" the connection. A bit odd, and I probably should drop things here. But I am always interested in seeing where things go...
So I am responding with a standard "OK".
The client now attempts to "Login"
As is common for "AUTH LOGIN", my mail server responds with a base64 encoded string "Username:". I am sure the bot appreciates that my mail server tells it what to send next.
The username, also base64 encoded, is "nan".
For those of you familiar with Base64 (or standard logins), you will probably know what comes next: "Password:"
The password sent: Nan (upper case N unlike the username).
Sadly, this fails... and I send you an error telling you so.
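To make the AUTH LOGIN exchange above concrete, here is an added example (my code, not from the diary): a small Python decoder that walks a constructed session modelled on the one described, decodes the base64 server prompts and client answers, and also records whether STARTTLS was negotiated and whether the client sent RSET before authenticating, the two oddities noted above. The session contents, the 250/334/535 reply lines and the function names are assumptions; the four base64 tokens are the genuine encodings of "Username:", "Password:", "nan" and "Nan".

```python
import base64

# Constructed SMTP session modelled on the exchange described in the post.
# Each entry is (direction, line) with "S" = server, "C" = client.
# The base64 tokens are the real encodings of "Username:", "Password:",
# "nan" and "Nan"; the surrounding reply lines are illustrative, not captured traffic.
SESSION = [
    ("S", "220 mail.localdomain ESMTP"),
    ("C", "EHLO localhost"),
    ("S", "250-mail.localdomain"),
    ("S", "250-STARTTLS"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 8BITMIME"),
    ("C", "RSET"),
    ("S", "250 OK"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "bmFu"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "TmFu"),
    ("S", "535 5.7.8 Authentication failed"),
]


def b64_text(token):
    """Decode one base64 SMTP AUTH token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def decode_auth_login(session):
    """Reconstruct the AUTH LOGIN exchange from a (direction, line) session.

    Returns the decoded server prompts and client answers, the username and
    password the client offered, the final reply code, and whether STARTTLS
    or RSET were seen before AUTH (hypothetical helper, not a library API).
    """
    result = {
        "starttls_before_auth": False,
        "rset_before_auth": False,
        "prompts": [],
        "answers": [],
        "username": None,
        "password": None,
        "outcome": None,
    }
    in_auth = False
    for direction, line in session:
        cmd = line.upper()
        if not in_auth:
            if direction == "C" and cmd.startswith("STARTTLS"):
                result["starttls_before_auth"] = True
            elif direction == "C" and cmd.startswith("RSET"):
                result["rset_before_auth"] = True
            elif direction == "C" and cmd.startswith("AUTH LOGIN"):
                in_auth = True
            continue
        # Inside the AUTH LOGIN exchange: 334 lines carry base64 prompts,
        # any other server reply (235 success, 535 failure) ends it.
        if direction == "S" and line.startswith("334 "):
            result["prompts"].append(b64_text(line[4:]))
        elif direction == "S":
            result["outcome"] = line.split(" ", 1)[0]
            break
        else:
            result["answers"].append(b64_text(line))
    # AUTH LOGIN answers the first prompt with the username, the second with the password.
    if len(result["answers"]) >= 1:
        result["username"] = result["answers"][0]
    if len(result["answers"]) >= 2:
        result["password"] = result["answers"][1]
    return result


if __name__ == "__main__":
    r = decode_auth_login(SESSION)
    print("prompts:", r["prompts"])
    print(f"username={r['username']!r} password={r['password']!r} outcome={r['outcome']}")
    print(f"STARTTLS before AUTH: {r['starttls_before_auth']}, RSET before AUTH: {r['rset_before_auth']}")
```

Because the client never issued STARTTLS, both tokens travel in the clear; the same decoder run over a real capture would show exactly what any on-path observer sees, which is the practical reason to require TLS before offering AUTH.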
Ok. The attacker is going at this all day long. The strategy appears to be more "password spraying" than "brute forcing", as it does not make too many attempts against any particular account. I don't believe they even bother with using leaked credentials of mine; instead they simply go for volume.
There are a number of ways in which this attack could be a lot more effective:
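One way to tell spraying from brute forcing on the server side, as an added example rather than anything from the diary: aggregate failed logins per source /24 and compare the number of distinct accounts with the number of attempts. Many accounts tried once or twice each is a spray; one account tried many times is a brute force. The log format, the thresholds and the function names are my assumptions; the records are constructed, using the /24 named above plus RFC 5737 documentation addresses.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed failed-login records in a generic "key=value" form (not any
# particular mail server's log format). Sources used:
#   126.96.36.0/24  - the subnet named in the post, trying many accounts once each
#   203.0.113.7     - a single host hammering one account (classic brute force)
#   198.51.100.5    - a lone failure, e.g. a user mistyping a password
LOG_LINES = []
for i in range(60):
    LOG_LINES.append(
        f"2021-10-13T08:{i:02d}:00Z smtp auth-fail ip=126.96.36.{100 + i % 50} user=user{i:03d}"
    )
for i in range(40):
    LOG_LINES.append(f"2021-10-13T09:{i:02d}:00Z smtp auth-fail ip=203.0.113.7 user=alice")
LOG_LINES.append("2021-10-13T10:00:00Z smtp auth-fail ip=198.51.100.5 user=bob")

LINE_RE = re.compile(r"auth-fail ip=(?P<ip>[0-9.]+) user=(?P<user>\S+)")


def summarize_by_subnet(lines, prefix=24):
    """Group failed logins by source /prefix: total attempts, distinct users, max tries per user."""
    per_net = defaultdict(lambda: {"attempts": 0, "users": defaultdict(int)})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False)
        bucket = per_net[str(net)]
        bucket["attempts"] += 1
        bucket["users"][m["user"]] += 1
    return {
        net: {
            "attempts": b["attempts"],
            "distinct_users": len(b["users"]),
            "max_per_user": max(b["users"].values()),
        }
        for net, b in per_net.items()
    }


def classify(stats, min_attempts=20):
    """Label one subnet's pattern: 'spray' (many users, few tries each),
    'brute-force' (few users, many tries each) or 'noise' (below threshold).
    The thresholds are illustrative assumptions, tune them to your own volume."""
    if stats["attempts"] < min_attempts:
        return "noise"
    if stats["distinct_users"] >= stats["attempts"] // 2 and stats["max_per_user"] <= 3:
        return "spray"
    return "brute-force"


def offending_subnets(lines, prefix=24, min_attempts=20):
    """Return {subnet: label} for every subnet over the threshold, i.e. rate-limit candidates."""
    labelled = {}
    for net, stats in summarize_by_subnet(lines, prefix).items():
        label = classify(stats, min_attempts)
        if label != "noise":
            labelled[net] = label
    return labelled


if __name__ == "__main__":
    for net, stats in summarize_by_subnet(LOG_LINES).items():
        print(net, stats, classify(stats))
    print("act on:", offending_subnets(LOG_LINES))
```

Per-account lockout, the usual brute-force control, does almost nothing against the spraying bucket because no single account ever crosses its threshold; grouping by source network is what surfaces it, and the resulting subnet list is what you would feed to a rate limit or firewall rule.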
Oct 13th 2021