Re: POP3 logon attempts

["dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>]

On Mon, Mar 31, 2003 at 02:11:27PM +0200, Tom Fischer wrote:
> Hi,
> some of our POP3 servers got DoSed cause of massive password probes 
> against following accounts:
>
> admin
> backup
> data
> master
> oracle
> root
> server
> sybase
> test
> user
> web
> webmaster
>
> Does someone know a tool which will brute force these accounts?
It's likely just a script that automates this for the tickler to
the tickee. They would just loop via the total number of accounts 
they wish fork to and test for default accounts/passwords for example.
Have you tried a wrapper to limit the number of connections per
same ip addr? For example if you do not have more than one connection
established per ip to get pop3. Then send them a RST. Or something
like that. AND create a list of accounts that never are allowed to 
access remotely via pop3 and send disconnects to any attempts to 
do so. Obviously log usages that do not meet your ruleset and 
add spice to taste. If some of these they are trying do actually
exist then create filter rules. TMTOWTDI 

HIH

Best Regards,
dreamwvr () dreamwvr com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents