Community Discussions and Support
Excessive Password Failures

Doh! Ignore my last posting - I just noticed you say you're using v4.01c, which is of course the patched version.

Pardon my noise... ;-)

Cheers!

-- David --

Doh! Ignore my last posting - I just noticed you say you're using v4.01c, which is of course the patched version. Pardon my noise... ;-) Cheers! -- David --

I'm seeing a number of  "Excessive Password Failures" messages in my POP log files from several different IP's from this weekend.

Connection from 216.69.162.62, Mon Oct 22 04:57:22 2007
***** User guest - Excessive Password Failures.
1 sec. elapsed, connection closed Mon Oct 22 04:57:23 2007

Anything to be worried about? Could someone actually connect to one of our email accounts if they get the right name and password? I've never tried setting up Mercury for non-local access, but haven't come across info if by default it is.
Running Mercury 32 4.01c

Thanks,

Tony

<P>I'm seeing a number of  "Excessive Password Failures" messages in my POP log files from several different IP's from this weekend.</P> <P>Connection from 216.69.162.62, Mon Oct 22 04:57:22 2007 ***** User guest - Excessive Password Failures. 1 sec. elapsed, connection closed Mon Oct 22 04:57:23 2007</P> <P>Anything to be worried about? Could someone actually connect to one of our email accounts if they get the right name and password? I've never tried setting up Mercury for non-local access, but haven't come across info if by default it is. Running Mercury 32 4.01c</P> <P>Thanks,</P> <P>Tony</P>

[quote user="TonyB"]

I'm seeing a number of  "Excessive Password Failures" messages in my POP log files from several different IP's from this weekend.

Connection from 216.69.162.62, Mon Oct 22 04:57:22 2007
***** User guest - Excessive Password Failures.
1 sec. elapsed, connection closed Mon Oct 22 04:57:23 2007

Anything to be worried about? Could someone actually connect to one of our email accounts if they get the right name and password? I've never tried setting up Mercury for non-local access, but haven't come across info if by default it is.
Running Mercury 32 4.01c

Thanks,

Tony

[/quote]

 

Yes, they will be able to access the directory of the user account via POP3, they may be able to do more if they have a valid username and password.  The amount of worry depends a lot on whether the IP addresses are your local IP addresses.  If it is not then you've probably got a hacker trying to guess their way in; if it is it may be a user that forgot their password.

[quote user="TonyB"]<p>I'm seeing a number of  "Excessive Password Failures" messages in my POP log files from several different IP's from this weekend.</p> <p>Connection from 216.69.162.62, Mon Oct 22 04:57:22 2007 ***** User guest - Excessive Password Failures. 1 sec. elapsed, connection closed Mon Oct 22 04:57:23 2007</p> <p>Anything to be worried about? Could someone actually connect to one of our email accounts if they get the right name and password? I've never tried setting up Mercury for non-local access, but haven't come across info if by default it is. Running Mercury 32 4.01c</p> <p>Thanks,</p> <p>Tony</p><p>[/quote]</p><p> </p><p>Yes, they will be able to access the directory of the user account via POP3, they may be able to do more if they have a valid username and password.  The amount of worry depends a lot on whether the IP addresses are your local IP addresses.  If it is not then you've probably got a hacker trying to guess their way in; if it is it may be a user that forgot their password. </p>

In this case it would be a hack attempt. The addresses are non-local and the usernames are random ones. I did find in the config for the POP3 server where I can add IP addresses for Connection Control. I think I'll just add our local IP's in and Refuse all others.

Thanks,

Tony

<P>In this case it would be a hack attempt. The addresses are non-local and the usernames are random ones. I did find in the config for the POP3 server where I can add IP addresses for Connection Control. I think I'll just add our local IP's in and Refuse all others. Thanks,</P> <P>Tony</P>

[quote user="TonyB"]

In this case it would be a hack attempt. The addresses are non-local and the usernames are random ones. I did find in the config for the POP3 server where I can add IP addresses for Connection Control. I think I'll just add our local IP's in and Refuse all others.

Thanks,

Tony

[/quote]

 

Might even be better to put the internal lan behind a router and then block port 110 at the router so the bad guys can't get to the server at all.  A NAT router is really cheap insurance against this sort of attack.

 

 

[quote user="TonyB"]<p>In this case it would be a hack attempt. The addresses are non-local and the usernames are random ones. I did find in the config for the POP3 server where I can add IP addresses for Connection Control. I think I'll just add our local IP's in and Refuse all others. Thanks,</p> <p>Tony</p><p>[/quote]</p><p> </p><p>Might even be better to put the internal lan behind a router and then block port 110 at the router so the bad guys can't get to the server at all.  A NAT router is really cheap insurance against this sort of attack.</p><p> </p><p> </p>

The thing to be worried about here is running v4.01c. You MUST upgrade to v4.52, and do it as soon as possible. You should also check that the machine has not been compromised by trojans or other malware at the same time. All versions of Mercury/32 v4 prior to v4.52 have a vulnerability in the SMTP server module that can allow the machine to be compromised. A patch was issued within hours of the vulnerability being detected, and was as widely-publicised as I could manage. This is not a minor or idle problem - we have seen attempts to exploit this vulnerability in the wild, so you should regard this as a mandatory upgrade.

As for the dictionary attacks on your POP3 accounts... Provided your users have reasonable passwords, there's nothing to worry about there. The next release of Mercury supports short-term blacklisting in MercuryP, which will make this even less of an issue.

For now though, make sure you get onto that upgrade straight away.

Cheers!

-- David --

The thing to be worried about here is running v4.01c. You MUST upgrade to v4.52, and do it as soon as possible. You should also check that the machine has not been compromised by trojans or other malware at the same time. All versions of Mercury/32 v4 prior to v4.52 have a vulnerability in the SMTP server module that can allow the machine to be compromised. A patch was issued within hours of the vulnerability being detected, and was as widely-publicised as I could manage. This is not a minor or idle problem - we have seen attempts to exploit this vulnerability in the wild, so you should regard this as a mandatory upgrade. As for the dictionary attacks on your POP3 accounts... Provided your users have reasonable passwords, there's nothing to worry about there. The next release of Mercury supports short-term blacklisting in MercuryP, which will make this even less of an issue. For now though, make sure you get onto that upgrade straight away. Cheers! -- David --
live preview
enter atleast 10 characters
WARNING: You mentioned %MENTIONS%, but they cannot see this message and will not be notified
Saving...
Saved
With selected deselect posts show selected posts
All posts under this topic will be deleted ?
Cancel
Delete
Pending draft ... Click to resume editing
Discard draft