IMAP connections with ".eml" in the username - bot attack.
Sean Greenslade
sean at seangreenslade.com
Mon Nov 13 08:23:51 EET 2017
On Mon, Nov 13, 2017 at 02:47:00PM +1100, James Brown wrote:
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack is supposed to ever succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?
>
> Thanks,
>
> James.
Wild guess: A spammer misconfigured their spambot? Unless you have any
usernames in your system that are formatted like that, it'll never get
in, so I wouldn't worry about it. Assuming you have sensible rate limits
on IMAP logins in place (e.g.
https://wiki.dovecot.org/Authentication/Penalty ), there's nothing more
to do. Just laugh it off as another oddity of being a mail admin.
Here's a fun laugh I found in one of my webserver logs:
> 1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
Not my website, nothing even close to that url is hosted on that server.
I'm surprised a bot would pretend to be Internet Explorer 4 on Windows
95. Go figure...
--Sean
More information about the dovecot
mailing list