
Re: random usernames in attempts to break in to my machine?



On Mon, 04 Apr 2022 07:40:47 -0600
Joe Pfeiffer <pfeiffer@cs.nmsu.edu> wrote:

> This isn't really debian-specific, but I don't know a better place to
> ask...  recently, I've been having servers make a large number of
> attempts to access my mail host using what appear to be random strings
> as usernames -- it looks like this:
> 
> Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
> Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Apr  4 03:04:33 snowball saslauthd[1179]:   : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
> 
> They all have the same form: <something random>.fsf@pfeifferfamily.net
> 
> I'm trying to understand the point; it's not like there's any chance
> any of those usernames will be valid.  This isn't the usual attempts
> using usernames like root, admin, test1, scan...  those I understand.
> 
> So, anybody have any ideas what's up here?
> 

Generally, 'impossible' email names are aimed at situations where an
in-house SMTP server downloads domain email from an external POP3
server, something which used to be very common in small and medium
businesses but is less so now.

The POP3 server's SMTP server has accepted catch-all email addresses,
which management has insisted on 'to avoid losing any sales'. The
business' own email server knows there are no such recipients but the
mail has already been accepted, so it must send a bounce message to the
Reply-To address, which has been randomly selected from a mailing list.

So a bounce message, including the entire text of the spam, is sent to
a legitimate email address *from* a legitimate email server that isn't
on a black list. The spam has been laundered.

Much less common today, but my logs still get a fair number of such
attempts. I receive email directly, so this kind of mail is never
accepted and the SMTP transaction is terminated.

-- 
Joe
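One way to triage entries like the ones quoted at the top of the thread, as an added example that is not part of either message above: a small Python script that parses saslauthd "auth failure" lines, separates dictionary-style probe names (root, admin, test1, ...) from random-looking local parts, and counts each class. The random check is a simple heuristic (length, mixed letters and digits, per-character Shannon entropy) and its thresholds are assumptions to tune; the sample log, hostnames, PIDs and all usernames other than the one quoted in the original post are constructed here for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample in the shape of the saslauthd/pam_unix lines quoted in the
# original post. Only the first ".fsf@" username is taken from the post; the
# rest are made up to show the different classes side by side.
SAMPLE_LOG = """\
Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 03:04:33 snowball saslauthd[1179]:   : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:05:01 snowball saslauthd[1179]:   : auth failure: [user=q8zt0m4k2p.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:06:12 snowball saslauthd[1179]:   : auth failure: [user=root] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:06:15 snowball saslauthd[1179]:   : auth failure: [user=admin] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:07:40 snowball saslauthd[1179]:   : auth failure: [user=joe@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Matches the saslauthd summary line and captures the attempted username.
# The pam_unix "check pass" / "authentication failure" lines carry no
# username, so they are deliberately not matched.
AUTH_FAILURE = re.compile(r"saslauthd\[\d+\]:\s*:\s*auth failure: \[user=([^\]]+)\]")

# Small list of names seen in ordinary credential-guessing runs (assumption,
# extend from your own logs).
COMMON_PROBE_NAMES = {"root", "admin", "test", "test1", "scan", "user", "info", "postmaster"}


def shannon_entropy(s):
    """Per-character Shannon entropy in bits; higher means more 'random-looking'."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(token, min_len=8, min_entropy=2.5):
    """Heuristic: long token mixing letters and digits with high entropy.

    The thresholds are assumptions; a 10-character base-36 token like the one
    in the post scores around 2.7 bits, short real names score far lower.
    """
    has_digit = any(ch.isdigit() for ch in token)
    has_alpha = any(ch.isalpha() for ch in token)
    return (len(token) >= min_len and has_digit and has_alpha
            and shannon_entropy(token) >= min_entropy)


def classify_user(user):
    """Return 'dictionary', 'random' or 'other' for one attempted username."""
    local, _, _domain = user.partition("@")
    if local.lower() in COMMON_PROBE_NAMES:
        return "dictionary"
    # Measure the token in front of a suffix such as ".fsf" on its own, so the
    # fixed suffix does not drag the entropy figure down.
    token = local.rsplit(".", 1)[0] if "." in local else local
    if looks_random(token):
        return "random"
    return "other"


def summarize(log_text):
    """Parse saslauthd failure lines; return (class counts, list of usernames)."""
    counts = Counter()
    users = []
    for line in log_text.splitlines():
        m = AUTH_FAILURE.search(line)
        if not m:
            continue
        user = m.group(1)
        users.append(user)
        counts[classify_user(user)] += 1
    return counts, users


if __name__ == "__main__":
    counts, users = summarize(SAMPLE_LOG)
    for user in users:
        print(f"{classify_user(user):10s} {user}")
    print(dict(counts))
```

Note that the pam_unix lines in the post have rhost= empty, so this script cannot attribute attempts to a source address; to block or rate-limit the offending hosts you have to join the timestamps against the MTA's own SASL failure log, which is where the client IP is recorded.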

