  #1 (permalink)  
Old 03-23-2010, 11:43 AM
Starter Member
 
Posts: 1
Are these login attempts a potential hacker?

One of our employees' (let's say his name is Bob Smith) Zimbra account kept changing to "Lockout". I discovered that Lockout refers to too many bad login attempts to that account within a certain time period.

Investigating the logs, I'm seeing this:

Code:
2010-03-23 12:31:04,880 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
2010-03-23 12:31:05,205 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
2010-03-23 12:31:05,517 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
2010-03-23 12:31:05,828 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
2010-03-23 12:31:06,151 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
Can anyone explain what these errors mean? Does it mean that someone is attempting to log into Bob Smith's email account from that IP address (I changed the IP address for this post)?

Why does it say authentication failed for john? Is someone trying to log into that email account using the name john?

Is this a hack attempt? You can see the log is recording this event happening multiple times every second... nonstop.
  #2 (permalink)  
Old 03-23-2010, 12:01 PM
raj
Moderator
 
Posts: 768

Hi. Your mail server is on the internet, so ANYONE is allowed to authenticate and send email with a VALID username and password.
So what many, many spammers do is try a dictionary hack, trying known words and names with random easy passwords. If they are LUCKY they get in and then use that account to send SPAM out.

What you are seeing is perfectly normal spammer behaviour, and to your bad luck "bob.smith" seems to be a popular name which spammers want to try with different passwords, making your account locked.

No solution to this. You can try grey-listing the server and that will fend off many unwanted connections, as spammers don't like to RETRY.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
  #3 (permalink)  
Old 03-23-2010, 01:25 PM
Elite Member
 
Posts: 469

Is the IP address in question a valid one for your user? If so, there may be a less sinister explanation.

I see from your messages that the user in question is using Thunderbird with Lightning.

It is possible that the user has recently changed their network password but not updated the password Lightning uses to access the Zimbra server. If Lightning tried to sync often enough in between logins in Thunderbird, it could lock out the account.

Please see thread below for details

http://www.zimbra.com/forums/isync-c...-breaking.html

I hope this helps
Reply With Quote
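
One way to triage log lines like those in post #1 against the two explanations offered in the replies, as an added example that is not part of the thread and not Zimbra's own tooling. The `many_accounts` threshold, the 203.0.113.7 source, its user agent and the example.com accounts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format from post #1; ";" inside ua= is doubled there, so ua is matched lazily.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) WARN\s+\[[^\]]*\] "
    r"\[ip=(?P<ip>[^;]+);ua=(?P<ua>.*?);\] security - cmd=Auth; "
    r"account=(?P<account>[^;]+); protocol=(?P<proto>[^;]+); "
    r"error=(?P<error>.*?);?\s*$")

def summarize(lines):
    """Group failed Auth events by source IP."""
    by_ip = defaultdict(lambda: {"accounts": set(), "uas": set(), "times": []})
    for line in lines:
        m = LINE.match(line)
        if not m or "authentication failed" not in m["error"]:
            continue
        s = by_ip[m["ip"]]
        s["accounts"].add(m["account"])
        s["uas"].add(m["ua"].replace(";;", ";"))
        s["times"].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"))
    return dict(by_ip)

def classify(s, many_accounts=5):
    """Heuristic triage. The threshold is an assumption, not a Zimbra setting."""
    if len(s["accounts"]) >= many_accounts:
        return "many accounts, one source: consistent with password guessing"
    if len(s["accounts"]) == 1 and len(s["uas"]) == 1:
        return "one account, one client: check for a stale saved password"
    return "mixed pattern: review manually"

def triage(lines):
    return {ip: classify(s) for ip, s in summarize(lines).items()}

def sample_line(ts, ip, ua, account):
    return (f"2010-03-23 {ts} WARN  [btpool0-1] [ip={ip};ua={ua};] security - "
            f"cmd=Auth; account={account}; protocol=http_basic; "
            "error=authentication failed for john, account lockout;")

TB = "Mozilla/5.0 (X11;; U;; Linux x86_64) Lightning/1.0b1 Thunderbird/3.0.3"
# Constructed sample: three lines modelled on post #1, five from a made-up source.
SAMPLE = [sample_line(f"12:31:0{i},880", "50.24.49.30", TB,
                      "bob.smith@mycompany.com") for i in (4, 5, 6)]
SAMPLE += [sample_line(f"12:40:0{i},100", "203.0.113.7", "constructed-agent/1.0",
                       f"user{i}@example.com") for i in range(5)]

if __name__ == "__main__":
    print("\n".join(f"{ip} -> {v}" for ip, v in triage(SAMPLE).items()))
```

The verdict only narrows where to look: whether the source IP belongs to the user, as reply #3 asks, still has to be checked separately.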