Dictionary attacks on ipop3d
I have seen thousands of dictionary or brute force attempts on ipop3d over the last couple of days from the same ip address. Example from /var/log/messages:
Mar 28 04:34:36 ipop3d: Login failed user=jess auth=jess host=[209.2.xxx.xxx]
There are at least five of these entries per second and sometimes the large number of attempts makes the daemon restart. On the chance that an existing user is attacked a message sometimes looks like this:
Mar 28 04:32:33 ipop3d: Autologout user=example host=[209.2.xx.xx]
What is going on here? Why are they attempting to gain access to ipop3d since, as I understand it, this daemon just collects the mail and spammers would be more interested in sending mail from this server?
Also, is there anything that can be done to prevent entry since they could eventually brute force a client's weak password?
Last edited by DrZaius; 29th March 2007 at 03:24.