IMAP connections with ".eml" in the username - bot attack.

Joseph Tam jtam.home at gmail.com
Tue Nov 14 09:17:26 EET 2017


James Brown writes:

> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>
> etc.
> Is anyone else experiencing this? How is such an attack supposed to
> ever succeed? What are they trying to accomplish?

Haven't seen it.  I agree with another poster -- probably a spammer screwed
up their spamware configuration.

> Any ideas on how to mitigate it?

Mitigate what?  Even by your account, this won't get them anywhere, unless it's
so fast and heavy, it's DoS'ing your system.  Other than that, they're just bloating
your logs, nothing more.

If you want to pre-empt this via firewall, you'll need to get extremely lucky to
characterise these IPs (a sample of 2 is not enough) in such a way as to be able to
formulate a firewall rule.  Most likely, this is a rented botnet.  If you somehow
figure out an oracular rule to discern bot from some user road-warrior *before*
they connect, give me a call.

Sean Greenslade <sean at seangreenslade.com> writes:

> Here's a fun laugh I found in one of my webserver logs:
>
>> 1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
>
> Not my website, nothing even close to that url is hosted on that server.

Common proxy target.  They're testing whether your web server will support
anonymous web proxying.  Almost exclusively from China.

Joseph Tam <jtam.home at gmail.com>
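As an added example (not code from anyone in this thread), here is a small log triage script for the imap-login failures quoted above. It parses the Dovecot "Disconnected (auth failed ...)" line format shown in the quoted log entries, keeps only the attempts whose username looks like a file name ending in ".eml", counts them per remote IP (rip=), and lists the addresses that cross a threshold as candidates for rate limiting or a temporary block. The sample log lines are constructed in that same format (the archive's " at " is written as "@", as the raw log would have it). The decoder for the x5fx / x2dx tokens is an assumption that they are hex-escaped "_" and "-"; nothing in the thread documents that encoding, so treat the decoded strings as a hypothesis about what the spamware was trying to send.

```python
"""Triage Dovecot imap-login failures whose username ends in '.eml'.

Added example, not code from the mailing-list thread. The sample log
lines below are constructed to match the format quoted in the thread.
"""
import re
from collections import Counter

# Matches the imap-login failure lines quoted in the thread:
# "imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<...>, method=PLAIN, rip=1.2.3.4,"
LOGIN_FAIL_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in (?P<secs>\d+) secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Assumption (not documented anywhere in the thread): the 'x5fx' / 'x2dx'
# tokens look like '_' and '-' written as 'x' + hex byte + 'x'.
ESCAPE_RE = re.compile(r"x([0-9a-f]{2})x")


def is_eml_probe(user):
    """True when the local part of the login name ends in '.eml' (a file name, not an account)."""
    return user.split("@", 1)[0].lower().endswith(".eml")


def decode_username(user):
    """Best-effort decode of the escaped local part; purely a hypothesis about the encoding."""
    local = user.split("@", 1)[0]
    if local.startswith("x"):        # drop the single leading 'x' seen on every sample
        local = local[1:]
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), local)


def summarise(lines):
    """Return (Counter of .eml probes per remote IP, list of decoded usernames in log order).

    Ordinary failed logins (real-looking usernames) are ignored so they do not
    inflate the counts or end up on a block list.
    """
    by_ip = Counter()
    decoded = []
    for line in lines:
        m = LOGIN_FAIL_RE.search(line)
        if not m or not is_eml_probe(m.group("user")):
            continue
        by_ip[m.group("rip")] += 1
        decoded.append(decode_username(m.group("user")))
    return by_ip, decoded


def ips_over_threshold(by_ip, threshold):
    """Remote addresses with at least `threshold` .eml probes: a candidate list to
    review for rate limiting, not an automatic firewall rule."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


# Constructed sample: the two entries from the thread (with '@' restored), a
# repeat from the first address, and one ordinary failed login that must be ignored.
SAMPLE_LOG = [
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): "
    "user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): "
    "user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au>, method=PLAIN, rip=37.235.28.229,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): "
    "user=<xanotherx5fxsubjectx2dx999.eml>, method=PLAIN, rip=197.255.60.118,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): "
    "user=<alice@example.com>, method=PLAIN, rip=10.0.0.5,",
]

if __name__ == "__main__":
    counts, names = summarise(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} .eml probe(s)")
    for name in names:
        print("decoded:", name)
    print("candidates at threshold 2:", ips_over_threshold(counts, 2))
```

Feed it `grep 'auth failed' /var/log/mail.log` output instead of SAMPLE_LOG to run it on real data. The threshold step is deliberately a review list rather than a block action, for the reason given in the reply above: a couple of addresses from a rented botnet do not make a firewall rule, and the count should be checked against legitimate users before anything is dropped.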
