Anyone else getting "Hammered" with bogus mailserver logins , from Brazil IPs ?

bingo600

I'm getting "Hammered" with login mailserver login attempts
Has been going on for several days.

Sep 13 12:37:12 NOQUEUE: connect from [103.237.58.240]
Sep 13 12:37:16 : pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 13 12:37:17 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=xx.yy.zz] [mech=pam] [reason=PAM auth error]

The sad part is mostly this .... : user=mailer-daemon
This user does not even exist.

My fail2ban blocked around 200 ip's yesterday , and they mostly (80+ percent) are registered in Brazil.

Sigh ... More "Background Noise" ....

Edit: The above was from IN , the below from BR

NOQUEUE: connect from 186-216-94-41.ian-wr.mastercabo.com.br [186.216.94.41] (may be forged)

Seems like some distributed/coordinated attack , but ... brilliant to attack a user not even in PAM

Normally i get several attempts , but the user varies with "random" names.
This one keeps hammering on the same user , thats new (for me)
Well the same ip is not hammering for long .. Then fail2ban steps in ...

/Bingo

Gertjan

@bingo600

Some one start somewhere some script.

As you said : it fail2ban food.

I activated the "recidive" list in fail2ban : after xx times being caught, the IP is moved to the for ever list.

bingo600

@gertjan
Thats a nice graph

So my 200 bans a day is "nothing ... i guess"
Edit: Ahh it spans a year missed that

/Bingo