Mail warning log. SASL Login authentication.

Discussion in 'Server Operation' started by Ole Vangen, Jan 31, 2020.

  1. Ole Vangen (Member)

    Hi, I am running Debian with ISPConfig 3.

    A couple of days ago the emails from my domain, which is hosted on my dedicated server, were rejected by Google. That started to worry me. I have tried to send email to Hotmail and Yahoo and they are not rejecting my emails.
    I therefore started to look at my email logs to see if there was something.

    I found that one email user account was sending out a huge amount of email. I then deleted the account and deleted the email queue, and the email queue is normal (empty) now.
    But nevertheless I believe there is a reason for this.
    I now see in my email warning log the lines below and wonder if someone is trying to hack me or I have some script that is trying to send out emails from my server.
    Yesterday I installed ISPProtect and I hope it will help me prevent and detect this type of thing.

    So my question: can anyone tell from the log below what is likely happening? Any suggestion of actions is highly appreciated.

    Jan 31 11:00:44 www postfix/master[10035]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
    Jan 31 11:09:38 www postfix/smtpd[16008]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jan 31 11:09:45 www postfix/smtpd[16008]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jan 31 11:16:01 www dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
    Jan 31 11:16:01 www dovecot: log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
    Jan 31 11:19:49 www dovecot: master: Warning: SIGHUP received - reloading configuration
    Jan 31 11:21:31 www postfix/smtpd[18215]: warning: hostname hostcheck.hetzner.com does not resolve to address 213.133.99.103
    Jan 31 11:22:24 www postfix/smtpd[18215]: warning: hostname maxko-hosting.com does not resolve to address 45.95.168.159
    Jan 31 11:22:27 www postfix/smtpd[18215]: warning: unknown[45.95.168.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jan 31 11:26:50 www postfix/smtpd[18903]: warning: unknown[193.56.28.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jan 31 11:36:26 www postfix/smtps/smtpd[20442]: warning: hostname 100.152.3.31.in-addr.arpa does not resolve to address 31.3.152.100: Name or service not known
    Jan 31 11:36:29 www postfix/smtps/smtpd[20442]: warning: unknown[31.3.152.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
  2. Th0m (ISPConfig Developer)

    This means that someone is trying to log in using an incorrect password. "UGFzc3dvcmQ6" is the hash for the password "Password". This has got nothing to do with your spam.

    When a mail user is sending out spam, try to find the IP address of the mail client that is sending the mail in your logs/email headers. Most likely, the device is infected. You can just change the password of the mailbox to stop the spam.
    It will take some time to get off Google's blacklist... Could be weeks.
     
  3. Ole Vangen (Member)

    Hi again :)

    I still have these warnings all over my email warning log, similar to the ones below. Is there anything I can do to get this to stop, other than turning off my server, which I see as no option :eek:

    See example below.
    Feb 9 05:39:34 www postfix/smtpd[21757]: warning: hostname ip-113-133.4vendeta.com does not resolve to address 78.128.113.133
    Feb 9 05:39:41 www postfix/smtpd[21757]: warning: unknown[78.128.113.133]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb 9 06:07:45 www postfix/smtps/smtpd[25546]: warning: hostname 100.152.3.31.in-addr.arpa does not resolve to address 31.3.152.100: Name or service not known
    Feb 9 06:07:47 www postfix/smtps/smtpd[25546]: warning: unknown[31.3.152.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb 9 06:12:48 www postfix/smtpd[26297]: warning: hostname 52.95.pppoe.mari-el.ru does not resolve to address 77.40.95.52
    Feb 9 06:12:50 www postfix/smtpd[26297]: warning: unknown[77.40.95.52]: SASL PLAIN authentication failed:
    Feb 9 06:14:34 www dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: EOF
    Feb 9 06:28:16 www postfix/smtpd[29080]: warning: hostname ip-113-133.4vendeta.com does not resolve to address 78.128.113.133
    Feb 9 06:28:19 www postfix/smtpd[29080]: warning: unknown[78.128.113.133]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb
     
  4. Th0m (ISPConfig Developer)

    You will always have login errors when you connect a system to the internet. This is normal and nothing to worry about.
     
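The two replies above point at the same practical question: what the text after "authentication failed:" means, and how to tell background noise from a source that deserves a block. The script below is an added example and not code from the thread or from ISPConfig. It runs over constructed log lines modelled on the excerpts posted above (not a live capture), base64-decodes the trailing token (for the LOGIN mechanism Postfix logs the last challenge it sent to the client, `Password:`, while PLAIN has no challenge and the field is empty) and counts failures per source IP against a threshold. The threshold value and the sample lines are assumptions chosen for illustration.

```python
import base64
import re
from collections import Counter

# Constructed sample lines modelled on the thread's excerpts (not a live capture).
SAMPLE_LOG = """\
Jan 31 11:09:38 www postfix/smtpd[16008]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 31 11:09:45 www postfix/smtpd[16008]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 31 11:22:27 www postfix/smtpd[18215]: warning: unknown[45.95.168.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 31 11:26:50 www postfix/smtpd[18903]: warning: unknown[193.56.28.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 31 11:36:29 www postfix/smtps/smtpd[20442]: warning: unknown[31.3.152.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 9 06:12:50 www postfix/smtpd[26297]: warning: unknown[77.40.95.52]: SASL PLAIN authentication failed:
Jan 31 11:21:31 www postfix/smtpd[18215]: warning: hostname hostcheck.hetzner.com does not resolve to address 213.133.99.103
"""

# Matches Postfix smtpd / smtps/smtpd SASL failure warnings; the trailing
# token is optional because the PLAIN mechanism logs nothing after the colon.
SASL_FAIL = re.compile(
    r"postfix/(?:smtps/)?smtpd\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed:(?: (?P<tail>\S+))?"
)


def decode_sasl_tail(tail):
    """Decode the base64 token Postfix appends after 'authentication failed:'.

    For LOGIN this is the server's last challenge ("Password:"), i.e. the
    prompt the client never answered correctly, not the client's password.
    """
    if not tail:
        return ""
    try:
        return base64.b64decode(tail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "<not base64>"


def parse_failures(log_text):
    """Return a list of (source_ip, mechanism, decoded_tail) per failure line."""
    failures = []
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            failures.append((m["ip"], m["mech"], decode_sasl_tail(m["tail"])))
    return failures


def offenders(log_text, threshold=2):
    """Count failures per source IP and return those at or above threshold.

    This is the same shape of rule a fail2ban jail applies before banning;
    the threshold of 2 is an assumption for the small sample above.
    """
    counts = Counter(ip for ip, _, _ in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, mech, challenge in parse_failures(SAMPLE_LOG):
        print(f"{ip:16} {mech:6} last server challenge: {challenge!r}")
    print("repeat offenders:", offenders(SAMPLE_LOG))
```

Run against a real `/var/log/mail.warn` (or `journalctl -u postfix`) with a threshold and time window that match your traffic; the repeat-offender dictionary is what you would feed to a firewall rule or a fail2ban jail, while single failures from many unrelated addresses are the ordinary internet background noise the second reply describes.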
  5. Ole Vangen (Member)

    I have now solved the issue; it took approximately 4 weeks before Google and other big providers approved our server again.
    After a week these attempts to log in on our server also more or less stopped.

    All of the issues came from an email account that was used for spam.
     