Phil (Medway Hosting) wrote:
> Hi All
>
> I am getting a lot of entries like these in my logs over the last few days:
>
> 2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=maxwell)
[snip]
> 2007-09-23 05:00:16 fixed_login authenticator failed for (windows) [64.62.22.218]:8634 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=stephani)
>
> Am I right in thinking this is a spam dictionary attack from "cr4p sp4mm3r s0ftw4re" or hack attempts to send via my server ? I tried searching for info, and plenty of examples but no explanations !
>
I've had a few of these too. I believe it's just a bot attempting an
automated attack, as I've had them try on sequential IP addresses.
They are usually also on zen.spamhaus.org. Pretty sure the aim is to
find correct login details so they can use your servers to spam the crap
out of everyone. Creating something in the smtp_auth_acl to temporarily
firewall these computers is on my TODO list.

On a side note - why are they doing this? I've noticed a significant
drop in attempts to send spam directly to my servers from a few spam
botnets. Possibly an entire botnet has stopped sending. Conversely,
there has been an increase of ISP SMTP relays, webmail services and
other indirect spam.

Some of the spammers may finally be noticing that you can knock out
99.999999% of spam by simply stopping the easy-to-spot bots.

I say some because the ones sending to the spam traps have increased
their efforts 10 fold over the past few months.
--
The Exim Manual
http://www.exim.org/docs.html
http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
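
Added example, not part of the original post and not Exim code: a small log scan that separates the dictionary pattern described above (one source trying many different set_id values) from a single user mistyping a password. The function names, the thresholds and every sample line after the first two are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim "authenticator failed" line, in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<auth>\S+) authenticator failed for "
    r".*?\[(?P<src>[0-9A-Fa-f.:]+)\](?::\d+)? (?:I=\[(?P<dst>[0-9A-Fa-f.:]+)\]:\d+: )?"
    r"535 .*\(set_id=(?P<user>[^)]*)\)\s*$"
)

def parse(line):
    """Return a dict for one failed-AUTH line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def dictionary_sources(lines, min_users=5, window=timedelta(minutes=10)):
    """Map source IP -> summary where at least min_users distinct set_id values
    failed inside one time window (a user mistyping a password yields 1)."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = peak = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({e["user"] for e in evs[start:end + 1]}))
        if peak >= min_users:
            flagged[src] = {"distinct_users": peak, "failures": len(evs),
                            "interfaces": sorted({e["dst"] for e in evs if e["dst"]})}
    return flagged

# The first two lines are quoted from the thread; the rest are constructed.
SAMPLE = [
    "2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=maxwell)",
    "2007-09-23 05:00:16 fixed_login authenticator failed for (windows) [64.62.22.218]:8634 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=stephani)",
    "2007-09-23 09:14:02 fixed_login authenticator failed for (laptop) [192.0.2.10]:40112 I=[198.51.100.5]:25: 535 Incorrect authentication data (set_id=alice)",
    "2007-09-23 09:14:30 fixed_login authenticator failed for (laptop) [192.0.2.10]:40115 I=[198.51.100.5]:25: 535 Incorrect authentication data (set_id=alice)",
    "2007-09-23 09:20:00 SMTP connection from [192.0.2.10]:40200 I=[198.51.100.5]:25 (TCP/IP connection count = 1)",
]

if __name__ == "__main__":
    for src, info in dictionary_sources(SAMPLE, min_users=2).items():
        print(src, info)
```

The sample run uses min_users=2 only because the quoted excerpt was snipped down to two lines; on a full log a higher threshold avoids flagging shared NAT addresses.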