jnicol
New Member
I'm sure that, like everyone else running WHM, I get a cPHulk email every day or so informing me that an IP address has been blocked due to too many failed SMTP login attempts. But today these emails are arriving about every 10 minutes, each time originating from a different IP range/country.
Here's what one of these notices looks like:
5 failed login attempts to account lib (smtp) -- Large number of attempts from this IP: 105.236.129.208
Reverse DNS: 105-236-129-208.access.mtnbusiness.co.za
Origin Country: Morocco (MA)
I can only assume that this is a spammer running a distributed attempt to compromise an email account on my server. Has anyone else experienced a coordinated attack like this, and is it anything for me to be concerned about?
Also, I'm a little confused as to exactly _which_ account the hacker is trying to target. Wouldn't an email account name usually be a full email address such as john@mydomain.com? cPHulk always reports that the login attempts are directed against an account like 'admin', 'robert' or 'sales', or something of that nature. In the example above it's 'lib'. None of these accounts actually exists, since there are no email accounts set up at any of my domains currently. Is the hacker just doing a dictionary attack against common usernames?
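The following is an added example, not part of the original post and not cPanel's own code. It parses cPHulk notices in the format quoted above into structured records, groups them into hourly windows by source /24, and flags a window in which failed logins for the same service arrive from several distinct networks, which is the distributed pattern the post describes as opposed to one noisy host retrying. It also counts how many targeted accounts are bare usernames (like 'lib') versus full addresses (like john@mydomain.com), the distinction the post asks about. The sample notices are constructed: the receipt timestamp prefix (`YYYY-MM-DD HH:MM | ...`) is an assumption standing in for the mail's Date header, and the IPs, reverse DNS names and countries are RFC 5737 documentation addresses and made-up labels, not real hosts.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: six cPHulk brute-force notices in the format quoted in the
# post. The leading timestamp is assumed (it would come from the mail's Date
# header); all addresses are RFC 5737 documentation ranges and all names are fake.
SAMPLE_NOTICES = """\
2024-02-28 22:15 | 5 failed login attempts to account admin (smtp) -- Large number of attempts from this IP: 198.51.100.7
Reverse DNS: host-7.example.net
Origin Country: United States (US)

2024-03-01 09:00 | 5 failed login attempts to account lib (smtp) -- Large number of attempts from this IP: 192.0.2.10
Reverse DNS: host-10.example.org
Origin Country: Morocco (MA)

2024-03-01 09:10 | 5 failed login attempts to account sales (smtp) -- Large number of attempts from this IP: 203.0.113.25
Reverse DNS: host-25.example.com
Origin Country: Brazil (BR)

2024-03-01 09:20 | 5 failed login attempts to account robert (smtp) -- Large number of attempts from this IP: 198.51.100.200
Origin Country: Viet Nam (VN)

2024-03-01 09:30 | 5 failed login attempts to account lib (smtp) -- Large number of attempts from this IP: 192.0.2.77
Reverse DNS: host-77.example.org
Origin Country: Morocco (MA)

2024-03-01 09:50 | 5 failed login attempts to account john@mydomain.com (smtp) -- Large number of attempts from this IP: 203.0.113.99
Reverse DNS: host-99.example.com
Origin Country: Indonesia (ID)
"""

# Patterns for the three lines of a notice as quoted in the post. The reverse DNS
# line is optional because a source without a PTR record has nothing to report.
NOTICE_RE = re.compile(
    r"(?P<count>\d+) failed login attempts to account (?P<account>\S+) "
    r"\((?P<service>\w+)\).*?IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
RDNS_RE = re.compile(r"Reverse DNS: (?P<rdns>\S+)")
COUNTRY_RE = re.compile(r"Origin Country: (?P<name>.+?) \((?P<code>[A-Z]{2})\)")


@dataclass
class Notice:
    received: datetime
    attempts: int
    account: str
    service: str
    ip: str
    rdns: str      # empty string when the notice carries no Reverse DNS line
    country: str   # two-letter code, "??" if the line is missing


def parse_notices(text):
    """Split the text into blank-line-separated notices and parse each one."""
    notices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        stamp, _, first = lines[0].partition(" | ")   # assumed timestamp prefix
        m = NOTICE_RE.search(first)
        if not m:
            continue  # not a brute-force notice; ignore
        rest = "\n".join(lines[1:])
        rd = RDNS_RE.search(rest)
        co = COUNTRY_RE.search(rest)
        notices.append(Notice(
            received=datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
            attempts=int(m["count"]),
            account=m["account"],
            service=m["service"],
            ip=m["ip"],
            rdns=rd["rdns"] if rd else "",
            country=co["code"] if co else "??",
        ))
    return notices


def network_of(ip):
    """Collapse a source address to its /24 so nearby hosts count as one network."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def summarize(notices, window=timedelta(hours=1), min_networks=3):
    """Bucket notices into fixed windows and flag windows in which the failed
    logins come from at least min_networks distinct /24s (a distributed source)."""
    epoch = datetime(1970, 1, 1)
    by_window = defaultdict(list)
    for n in notices:
        start = n.received - (n.received - epoch) % window
        by_window[start].append(n)
    flagged = []
    for start in sorted(by_window):
        nets = {network_of(n.ip) for n in by_window[start]}
        if len(nets) >= min_networks:
            flagged.append((start, len(by_window[start]), sorted(nets)))
    return {
        "total": len(notices),
        "distinct_ips": len({n.ip for n in notices}),
        "distinct_networks": len({network_of(n.ip) for n in notices}),
        "countries": Counter(n.country for n in notices),
        "accounts": Counter(n.account for n in notices),
        # accounts without an '@' are bare usernames, not full mailbox addresses
        "bare_usernames": sum("@" not in n.account for n in notices),
        "flagged_windows": flagged,
    }


if __name__ == "__main__":
    summary = summarize(parse_notices(SAMPLE_NOTICES))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the 09:00 hour is flagged because its five notices span all three documentation /24s, while the lone notice the evening before is not; the account counter shows 'lib' hit twice and five of six targets as bare usernames. The /24 grouping and the three-network threshold are choices for this example, not a cPHulk setting; tune them to what your own mail volume makes normal.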