  #1  
Old 01-22-2006, 09:18 PM
akoss
Guest
 
Posts: n/a
Brute force log - should I be worried?

I've had similar errors on a few days recently, here is an excerpt of the most recent one:
Code:
The following are event logs for exceeded login failures from 125.24.16.56 on service exim (all time stamps are GMT -0500):
----
- Executed actions:
/etc/apf/apf -d 125.24.16.56 {bfd.exim}

- Log events from /var/log/exim_mainlog:
2006-01-22 19:11:52 H=(DOTCOM13) [125.24.16.56] F=<wallis.gosset8g9@gmail.com> rejected RCPT <home@MYotherDOMAIN.com>: no such address here
2006-01-22 19:11:52 H=(k6g4.2luva.comcast.net) [125.24.16.56] F=<kole.hinepv9y@gmail.com> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:11:54 1F0pJK-0002LY-F4 <= eskoviche@gmail.com H=(DOTCOM13) [125.24.16.56] P=esmtp S=1309
2006-01-22 19:11:55 H=(DOTCOM13) [125.24.16.56] F=<t.criddle@gmx.net> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:11:55 H=(DOTCOM13) [125.24.16.56] F=<full822@gmail.com> rejected RCPT <home@MYotherDOMAIN.com>: no such address here
2006-01-22 19:11:57 H=(DOTCOM13.ee7ao4u.net) [125.24.16.56] F=<shashin2005@inbox.ru> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:11:57 1F0pJN-0002MK-Eh <= shae.patton@gmx.net H=(sea3iuji.3dwo.adelphia.net) [125.24.16.56] P=esmtp S=1332
2006-01-22 19:11:58 H=(sea3iuji.3dwo.adelphia.net) [125.24.16.56] F=<necessary216@gmail.com> rejected RCPT <home@MYotherDOMAIN.com>: no such address here
2006-01-22 19:11:59 H=(DOTCOM13.da9u.net) [125.24.16.56] F=<b.humphries@gmx.de> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:01 H=(DOTCOM13.egwi5n.org) [125.24.16.56] F=<deep618@gmail.com> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:02 H=(DOTCOM13) [125.24.16.56] F=<rgooch@gmx.de> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:04 H=(DOTCOM13.iten9if5.net) [125.24.16.56] F=<natural913@gmail.com> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:06 H=(DOTCOM13) [125.24.16.56] F=<quilliam.eliott45m@gmail.com> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:08 H=(DOTCOM13) [125.24.16.56] F=<cullin.benedict1@gmx.de> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:10 H=(DOTCOM13) [125.24.16.56] F=<tabarov_e@bk.ru> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:12 H=(ibiolkvm.lng67e.aol.com) [125.24.16.56] F=<camilla.howe@gmx.net> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:13 H=(DOTCOM13) [125.24.16.56] F=<hancock.pleasance1f8@gmail.com> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:16 H=(tia4vi.iox9zup8.rr.com) [125.24.16.56] F=<s_venera@list.ru> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
2006-01-22 19:12:18 H=(DOTCOM13.7e71icf.net) [125.24.16.56] F=<s_taras.05@inbox.ru> temporarily rejected RCPT <billing@MYDOMAIN.org>: error in redirect data: no local part in "@MYDOMAIN.org"
Thanks!

  #2  
Old 01-23-2006, 10:27 AM
BornOnline
Senior Member
 
Join Date: Feb 2005
Location: Earth
Posts: 173

Nah.. don't worry, but I would remove the BFD exim rule.
/user/local/bfd/rules/exim

And use http://www.configserver.com/free/eximdeny.html instead

  #3  
Old 01-23-2006, 10:38 AM
akoss
Guest
 
Posts: n/a

So you think BFD detected this as a DDOS of sorts?

  #4  
Old 01-24-2006, 09:26 AM
Fred
Senior Member
 
Join Date: Jun 2005
Posts: 601

bfd has a maximum number of attempts allowed... it reached the maximum failure number and then it bans the host...

BUT you had many failures that weren't real failures...
look closely:

error in redirect data: no local part in "@MYDOMAIN.org"

You have a temporary rejection... You should look at your config or setup to be sure that everything is fine... Something isn't as it's supposed to be... I'm not an exim pro, so I can't really help, I can only tell you have a little problem
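Post #4's observation, that many of the counted failures are temporary rejections caused by a redirect error on the receiving server, can be checked by classifying the RCPT rejection lines before counting them. This is an added example, not part of the thread and not BFD's own rule logic; the category names, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the exim_mainlog layout quoted in post #1.
# 192.0.2.10 and the example.* names are placeholders, not values from the thread.
SAMPLE_LOG = """\
2006-01-22 19:11:52 H=(host1) [192.0.2.10] F=<a@example.net> rejected RCPT <home@example.com>: no such address here
2006-01-22 19:11:52 H=(host2.example.net) [192.0.2.10] F=<b@example.net> temporarily rejected RCPT <billing@example.org>: error in redirect data: no local part in "@example.org"
2006-01-22 19:11:54 1F0pJK-0002LY-F4 <= c@example.net H=(host1) [192.0.2.10] P=esmtp S=1309
2006-01-22 19:11:55 H=(host1) [192.0.2.10] F=<d@example.net> temporarily rejected RCPT <billing@example.org>: error in redirect data: no local part in "@example.org"
2006-01-22 19:11:55 H=(host1) [192.0.2.10] F=<e@example.net> rejected RCPT <home@example.com>: no such address here
2006-01-22 19:11:57 H=(host3.example.net) [192.0.2.10] F=<f@example.net> temporarily rejected RCPT <billing@example.org>: error in redirect data: no local part in "@example.org"
"""

REJECT_RE = re.compile(
    r'^\S+ \S+ H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\] F=<[^>]*> '
    r'(?P<temp>temporarily )?rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$'
)

def categorize(temp, reason):
    """Label one RCPT rejection (label names are assumptions of this example)."""
    if temp and reason.startswith("error in redirect data"):
        return "local_config"       # server-side redirect/alias problem
    if not temp and "no such address" in reason:
        return "unknown_recipient"  # recipient does not exist on this server
    return "other_reject"

def classify(log_text):
    """Return {ip: Counter(category -> count)} for RCPT rejection lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            per_ip[m["ip"]][categorize(m["temp"], m["reason"])] += 1
    return per_ip

def broken_recipients(log_text):
    """Return {recipient: count} for addresses failing with a local redirect error."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m and categorize(m["temp"], m["reason"]) == "local_config":
            hits[m["rcpt"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, counts in classify(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("check redirect data for:", broken_recipients(SAMPLE_LOG))
```

Recipients reported by `broken_recipients` point at a forwarder or alias to review on the server itself, independent of whether the sending host is blocked.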

