This isn't really debian-specific, but I don't know a better place to
ask... recently, I've been having servers make a large number of
attempts to access my mail host using what appear to be random strings
as usernames -- it looks like this:
Apr 4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
Apr 4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr 4 03:04:33 snowball saslauthd[1179]: : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
They all have the same form: <something random>.fsf@pfeifferfamily.net
I'm trying to understand the point; it's not like there's any chance any
of those usernames will be valid. This isn't the usual attempts using
usernames like root, admin, test1, scan... those I understand.
So, anybody have any ideas what's up here?

That's "normal". Just looking for a response that doesn't return "user unknown", then they've got a valid
username they can attempt password attacks on.
So here's the thing: What parts of the internet are you expecting logins from, to your mail server?
If the answer is none, then you should be using kernel packet filtering to prevent those incoming
messages from reaching your mail server's software.
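Added example, not from either poster: a small Python check that parses saslauthd "auth failure" lines of the form quoted above and flags a domain once several random-looking local parts have failed against it, which is the enumeration pattern the reply describes. The sample log lines, the threshold and the "looks random" heuristic are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the saslauthd format quoted in the post.
SAMPLE_LOG = """\
Apr 4 03:04:33 snowball saslauthd[1179]: : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr 4 03:04:41 snowball saslauthd[1179]: : auth failure: [user=q8zt2kd0ml.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr 4 03:04:52 snowball saslauthd[1179]: : auth failure: [user=x0m4p9aa2c.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr 4 03:05:10 snowball saslauthd[1179]: : auth failure: [user=alice@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr 4 03:06:02 snowball saslauthd[1179]: : auth failure: [user=root] [service=] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Matches the "auth failure" line and captures the attempted user and the reason.
AUTH_FAILURE = re.compile(
    r"saslauthd\[\d+\]: : auth failure: \[user=(?P<user>[^\]]*)\].*"
    r"\[reason=(?P<reason>[^\]]*)\]"
)


def looks_random(local_part: str) -> bool:
    """Heuristic (an assumption, not from the thread): the first label of the
    local part is 8+ characters mixing letters and digits, e.g. '1b391vovbh'
    in '1b391vovbh.fsf'. Ordinary names like 'alice' or 'root' do not match."""
    label = local_part.split(".", 1)[0]
    return (len(label) >= 8 and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def enumeration_report(log_text: str, threshold: int = 3) -> dict:
    """Return {domain: sorted distinct random-looking local parts} for each
    domain that saw at least `threshold` such failed usernames."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_FAILURE.search(line)
        if not m or "@" not in m.group("user"):
            continue  # not an auth-failure line, or no domain to group by
        local, domain = m.group("user").rsplit("@", 1)
        if looks_random(local):
            seen[domain].add(local)
    return {d: sorted(u) for d, u in seen.items() if len(u) >= threshold}


if __name__ == "__main__":
    for domain, users in enumeration_report(SAMPLE_LOG).items():
        print(f"{domain}: {len(users)} distinct random-looking usernames, e.g. {users[0]}")
```

Because the quoted lines carry an empty rhost= field, the grouping key here is the target domain rather than the source address; with a log that records rhost, grouping by that field is the more direct signal.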