
Re: [cobalt-users] password clack from pop3 ?

On Wed, 2 May 2001, Tadashi Kiyuna wrote:

> Hi List,
> 
> I've found abnormal log(s) in /var/log/maillog. IP of 216.126.188.104 is
> c5T2-104.015.popsite.net, there is no client of my RaQ.

popsite aka starnetusa aka megapop provides tons of dialup points, you
would have to email them to figure out where it really came from (somewhere
near LA, CA from the traceroute...)

> May  1 23:15:12 www in.qpopper[16621]: winescout.c2on@anywhere at
> 216.126.188.104 (216.126.188.104):

Based on the time interval, I would be inclined to guess customer
misconfiguration ;) nice 2-minute intervals look like Outlook

the user@domain login format is typical for customers of ISPs using OEM
dialup provisions... (because ISPs share access) and some virtual hosting
setups, Netcom does this for example..

unfortunately, you don't have a complete domain name, so it's kind of hard
to make any guess what the customer's real username probably is; presumably
when they don't get any mail for a few days they will figure it out...

[if it was a real password attack, I'd expect many many more of these, and
much faster]

> What attack is this or his/her misconfiguration? Does anyone know?

gsh
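The heuristic used in the reply above (a single user failing at regular multi-minute intervals looks like a mail client polling with a stale password, while a real guessing attack shows many more failures, much faster, often across many usernames) can be turned into a small triage script. The following is an added example and is not code from the thread or from the Cobalt RaQ; the log lines are constructed to match the qpopper format quoted above (the original quote is cut off after the colon, so the "-ERR [AUTH]" tail here is constructed), the addresses are documentation ranges, the year 2001 is assumed because syslog timestamps carry none, and the thresholds are assumptions to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample /var/log/maillog excerpt (not from the original post).
# 203.0.113.7 mimics the slow, regular, single-user pattern from the thread;
# 198.51.100.9 mimics fast, many-username guessing; the sendmail line is noise.
SAMPLE_MAILLOG = """\
May  1 23:15:12 www in.qpopper[16621]: winescout.c2on@anywhere at 203.0.113.7 (203.0.113.7): -ERR [AUTH] Password supplied for "winescout.c2on@anywhere" is incorrect.
May  1 23:16:40 www sendmail[16625]: f41NGeZ16625: from=<a@b.example>, size=1021, class=0
May  1 23:17:13 www in.qpopper[16630]: winescout.c2on@anywhere at 203.0.113.7 (203.0.113.7): -ERR [AUTH] Password supplied for "winescout.c2on@anywhere" is incorrect.
May  1 23:19:11 www in.qpopper[16642]: winescout.c2on@anywhere at 203.0.113.7 (203.0.113.7): -ERR [AUTH] Password supplied for "winescout.c2on@anywhere" is incorrect.
May  1 23:21:12 www in.qpopper[16655]: winescout.c2on@anywhere at 203.0.113.7 (203.0.113.7): -ERR [AUTH] Password supplied for "winescout.c2on@anywhere" is incorrect.
May  1 23:30:00 www in.qpopper[16701]: admin at 198.51.100.9 (198.51.100.9): -ERR [AUTH] Password supplied for "admin" is incorrect.
May  1 23:30:01 www in.qpopper[16702]: root at 198.51.100.9 (198.51.100.9): -ERR [AUTH] Password supplied for "root" is incorrect.
May  1 23:30:02 www in.qpopper[16703]: test at 198.51.100.9 (198.51.100.9): -ERR [AUTH] Password supplied for "test" is incorrect.
May  1 23:30:03 www in.qpopper[16704]: guest at 198.51.100.9 (198.51.100.9): -ERR [AUTH] Password supplied for "guest" is incorrect.
May  1 23:30:04 www in.qpopper[16705]: info at 198.51.100.9 (198.51.100.9): -ERR [AUTH] Password supplied for "info" is incorrect.
May  1 23:30:05 www in.qpopper[16706]: webmaster at 198.51.100.9 (198.51.100.9): -ERR [AUTH] Password supplied for "webmaster" is incorrect.
"""

# Matches the "<user> at <host> (<ip>):" prefix qpopper logs for an auth failure.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ in\.qpopper\[\d+\]: '
    r'(?P<user>\S+) at \S+ \((?P<ip>[\d.]+)\):'
)

SYSLOG_YEAR = 2001  # assumption: syslog lines carry no year


def parse_failures(text):
    """Group qpopper auth failures by source IP as {ip: [(datetime, user), ...]}."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a qpopper auth line (sendmail etc.)
        ts = " ".join(m.group("ts").split())  # collapse "May  1" to "May 1"
        when = datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        by_ip[m.group("ip")].append((when, m.group("user")))
    return by_ip


def classify(events, fast_seconds=30, slow_seconds=60, min_attempts=5, max_users=2):
    """Apply the thread's rule of thumb to one source IP's failures.

    Thresholds are assumptions: many usernames, or many attempts arriving
    within fast_seconds of each other, read as guessing; one username failing
    at a steady slow_seconds-or-longer cadence reads as a client polling with
    a wrong password.
    """
    events = sorted(events)
    users = {u for _, u in events}
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    med_gap = median(gaps) if gaps else None
    fast = med_gap is not None and med_gap <= fast_seconds
    if len(users) > max_users or (len(events) >= min_attempts and fast):
        verdict = "likely password guessing"
    elif len(users) == 1 and med_gap is not None and med_gap >= slow_seconds:
        verdict = "likely misconfigured mail client polling"
    else:
        verdict = "inconclusive"
    return {
        "attempts": len(events),
        "distinct_users": len(users),
        "median_gap_seconds": med_gap,
        "verdict": verdict,
    }


def analyze_maillog(text):
    """Return {ip: summary} for every source IP with qpopper auth failures."""
    return {ip: classify(ev) for ip, ev in parse_failures(text).items()}


if __name__ == "__main__":
    for ip, summary in analyze_maillog(SAMPLE_MAILLOG).items():
        print(ip, summary)
```

Run it against a real maillog with `analyze_maillog(open("/var/log/maillog").read())`; the output for the slow single-user source is the "misconfigured client" verdict the reply arrives at by eye, while the fast multi-username source is flagged for follow-up. Treat the verdict as a triage hint, not proof: a slow, patient guesser deliberately staying under a rate threshold will look like a polling client, so the interval rule is a reason to check with the customer first, not a reason to stop looking.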