Mass scanning via POP3

September 12, 2007

For our backwards compatibility sins, we have plain POP3 exposed to the general Internet. This morning, we discovered that our POP3 server had more or less locked up around 6:30 am, apparently because someone decided to open up hundreds of connections to it and perform a brute force mass account/password attempt.

(In fact it took down our IMAP server too, because we're running Dovecot. This is one of the annoying limitations of Dovecot; there is a central server process that has a couple of file descriptors for every active connection. Run out of file descriptors here and everything grinds to a halt.)

In retrospect, this makes a great deal of sense for the attacker, because POP3 is a great protocol to go after. Not only do you get to try brute-forcing plaintext passwords, but you don't even have to spend any time and effort on handling an encryption protocol the way you do with mass ssh scanning; it's all in plain ASCII. Some testing suggests that you can even pipeline the commands.

(You still need many parallel connections, because Dovecot pauses for a while after a failed password even though this doesn't do anything effective.)
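A defender's check for the kind of burst described above, added here as an example that is not from the original post: it scans failed pop3-login lines and flags any source that fails many times, or across many distinct usernames, inside a short sliding window. The Dovecot-like log layout, the sample lines and the thresholds are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an assumed Dovecot-like syslog layout; real field
# order varies between Dovecot versions and syslog configurations.
SAMPLE_LOG = """\
Sep 12 06:30:01 mail dovecot: pop3-login: Aborted login (auth failed): user=<alice>, rip=198.51.100.7
Sep 12 06:30:01 mail dovecot: pop3-login: Aborted login (auth failed): user=<bob>, rip=198.51.100.7
Sep 12 06:30:02 mail dovecot: pop3-login: Aborted login (auth failed): user=<carol>, rip=198.51.100.7
Sep 12 06:30:02 mail dovecot: pop3-login: Aborted login (auth failed): user=<dave>, rip=198.51.100.7
Sep 12 06:30:03 mail dovecot: pop3-login: Aborted login (auth failed): user=<erin>, rip=198.51.100.7
Sep 12 06:30:40 mail dovecot: pop3-login: Aborted login (auth failed): user=<frank>, rip=203.0.113.9
Sep 12 06:31:10 mail dovecot: pop3-login: Login: user=<frank>, rip=203.0.113.9
Sep 12 06:35:00 mail dovecot: pop3-login: Aborted login (auth failed): user=<alice>, rip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Aborted login \(auth failed\): user=<(?P<user>[^>]*)>, rip=(?P<rip>\S+)$"
)

def parse_failures(text, year=2007):
    """Yield (timestamp, user, source_ip) for each failed POP3 login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["rip"]

def flag_mass_guessing(text, window_s=60, max_failures=4, max_users=3):
    """Return {source_ip: (failures, distinct_users)} for sources that exceed
    either threshold within a sliding window of window_s seconds. Counting
    distinct usernames catches account enumeration even when each account
    sees only one or two failures."""
    recent = defaultdict(deque)   # rip -> (ts, user) pairs still in the window
    flagged = {}
    for ts, user, rip in parse_failures(text):
        q = recent[rip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_failures or len(users) >= max_users:
            old = flagged.get(rip, (0, 0))
            flagged[rip] = (max(old[0], len(q)), max(old[1], len(users)))
    return flagged
```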

I've found myself wondering if the attacker might have been a would-be spammer wanting to mine people's email for highly useful live addresses instead of a cracker looking for logins, since there is no guarantee that a POP3 account will get you a real login.

Written on 12 September 2007.

Last modified: Wed Sep 12 23:39:52 2007