POP3 directory harvest/brute force attack
lucas

Messages: 6
Karma: 0
Of course Kerio is actively preventing SMTP rejection directory harvesting. However, now I am getting these kinds of attacks:

[05/Mar/2009 07:12:07] POP3: User list@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:11] POP3: User eleve@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:15] POP3: User proxy@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:18] POP3: User sys@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:22] POP3: User zzz@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:25] POP3: User frank@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:29] POP3: User dan@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:32] POP3: User james@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:36] POP3: User snort@domainname.com doesn't exist. Attempt from IP address 85.214.37.11
[05/Mar/2009 07:12:40] POP3: User radiomail@domainname.com doesn't exist. Attempt from IP address 85.214.37.11


It's either a brute force access attack or another way to directory harvest. Anyone come up with a method to protect against this?
sgongola

Messages: 109
Karma: 0
It has been discussed in these forums several times. It would be nice for Kerio to have the same kind of protection as for SMTP, but they haven't yet done it.

We don't allow POP (or webmail) access from outside our network, only after first establishing a VPN connection. Otherwise, the messages passing through are not secure enough.

Other suggestions such as using a firewall to block offending IP addresses are useless. You have already been attacked, and you are not protected against others not yet blocked by the firewall.

[Updated on: Thu, 05 March 2009 18:28]

freakinvibe

Messages: 1553
Karma: 62
There is no mechanism in Kerio to prevent that. Use strong passwords for all user accounts. You could also only allow Secured POP3 or change the port to a non-standard port. All your users would have to adapt, of course, and you would also have to open the new port on the firewall.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Osmin

Messages: 31
Karma: 0
Do I have to worry? Can I somehow block the IP? The creepy thing is that the attacker always waited about 2 hours.

[26/Apr/2009 06:32:30] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 08:34:05] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 10:35:40] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 12:41:28] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 14:38:49] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 16:40:24] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 18:41:57] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 20:43:33] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[26/Apr/2009 22:45:12] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[27/Apr/2009 02:02:52] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[27/Apr/2009 04:04:25] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789
[27/Apr/2009 07:21:54] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 87.123.456.789

[Updated on: Mon, 27 April 2009 13:58]

freakinvibe

Messages: 1553
Karma: 62
You can't block the IP address from KMS, you would need to block on the firewall.

If you have a strong password and he tries every two hours, he will have guessed your password in 100 Billion years, so not to worry really.

You could also use a different name for admin (e.g. kmsadm), which is not guessed so easily.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Osmin

Messages: 31
Karma: 0
Thanks.
Yes, it's a strong password.
I do not know how strong the ones of my users are. I think we have to upgrade the password complexity.
Osmin

Messages: 31
Karma: 0
Oh my god.
I just realised that this is the IP of our Kerio server.
What can it be? Some password is not up to date?
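Added example, not part of any post in this thread and not Kerio's own code: a Python script that parses Kerio Connect log lines of the two shapes quoted above (POP3 "User ... doesn't exist" and SMTP "Invalid password for user ..."), groups them by source IP, and flags the three patterns the thread describes: a directory harvest (many distinct nonexistent usernames from one address in a short window, as in the first post), slow password guessing against one account counted regardless of spacing (the two-hourly SMTP attempts), and failed attempts whose source is the mail server's own address (the stale local credential found in the last post). The log lines, IP addresses, thresholds and the server address are constructed for the example, and the regular expression assumes the line format exactly as quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerio Connect log line shapes as quoted in this thread (assumed to be exact):
#   [05/Mar/2009 07:12:07] POP3: User list@domainname.com doesn't exist. Attempt from IP address 1.2.3.4
#   [26/Apr/2009 06:32:30] SMTP: Invalid password for user admin@mydomain.com. Attempt from IP address 1.2.3.4
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<proto>POP3|IMAP|SMTP): "
    r"(?:User (?P<nouser>\S+) doesn't exist|Invalid password for user (?P<badpw>\S+))\. "
    r"Attempt from IP address (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a failed-auth line, or None for a line of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "proto": m.group("proto"),
        "kind": "nouser" if m.group("nouser") else "badpw",
        "user": m.group("nouser") or m.group("badpw"),
        "ip": m.group("ip"),
    }


def analyse(lines, server_ips=(), harvest_threshold=5,
            harvest_window=timedelta(minutes=10), guess_threshold=6):
    """Group failed attempts by source IP and return findings (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])

        # Directory harvest: many *distinct* nonexistent usernames from one
        # address inside a short window (the POP3 pattern in the first post).
        missing = [e for e in events if e["kind"] == "nouser"]
        for i, first in enumerate(missing):
            window = [e for e in missing[i:] if e["ts"] - first["ts"] <= harvest_window]
            names = {e["user"] for e in window}
            if len(names) >= harvest_threshold:
                findings.append({"ip": ip, "type": "directory_harvest",
                                 "count": len(names), "first": first["ts"]})
                break

        # Slow password guessing: repeated bad passwords for one account, counted
        # over the whole input rather than a window so a two-hour spacing cannot hide it.
        per_user = defaultdict(int)
        for e in events:
            if e["kind"] == "badpw":
                per_user[e["user"]] += 1
        for user, n in per_user.items():
            if n >= guess_threshold:
                findings.append({"ip": ip, "type": "password_guessing",
                                 "user": user, "count": n})

        # Failures from the server's own address point at a local client or job
        # holding stale credentials rather than an outside attacker.
        if ip in server_ips:
            findings.append({"ip": ip, "type": "local_source", "count": len(events)})
    return findings


# Constructed sample data: documentation-range addresses, not real hosts.
SERVER_IP = "192.0.2.77"  # constructed: the mail server's own address
SAMPLE_LOG = """\
[05/Mar/2009 07:12:07] POP3: User list@example.com doesn't exist. Attempt from IP address 203.0.113.11
[05/Mar/2009 07:12:11] POP3: User eleve@example.com doesn't exist. Attempt from IP address 203.0.113.11
[05/Mar/2009 07:12:15] POP3: User proxy@example.com doesn't exist. Attempt from IP address 203.0.113.11
[05/Mar/2009 07:12:18] POP3: User sys@example.com doesn't exist. Attempt from IP address 203.0.113.11
[05/Mar/2009 07:12:22] POP3: User frank@example.com doesn't exist. Attempt from IP address 203.0.113.11
[05/Mar/2009 07:12:25] POP3: User dan@example.com doesn't exist. Attempt from IP address 203.0.113.11
[05/Mar/2009 09:00:00] POP3: User bob@example.com doesn't exist. Attempt from IP address 198.51.100.5
[26/Apr/2009 06:32:30] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 08:34:05] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 10:35:40] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 12:41:28] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 14:38:49] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 16:40:24] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 18:41:57] SMTP: Invalid password for user admin@example.com. Attempt from IP address 192.0.2.77
[26/Apr/2009 12:00:00] SMTP: Client 192.0.2.9 connected (constructed line of another shape, ignored)
"""


def report():
    """Run the analysis over the constructed sample log."""
    return analyse(SAMPLE_LOG.splitlines(), server_ips={SERVER_IP})


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Point it at the real log by replacing SAMPLE_LOG with the file's lines and SERVER_IP with the server's address; the single miss from 198.51.100.5 (a typo or stale client) stays below the harvest threshold on purpose, and an address flagged as local_source is the case to check on the server itself before touching the firewall. Blocking an outside address still has to happen on the firewall, as noted above, since Kerio has no setting for it.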