For the record, we are seeing a continued increase in hackers inserting/modifying email directly in IMAP.
The same RBLs that you use to protect SMTP can help on all ports/services, especially things like RATS-AUTH, or Spamhaus or SpamRats DROP lists..
And while country AUTH blocking is not the be-all and end-all, and can be bypassed with proxies and VPNs, it can reduce the attack surface.
And REALLY consider the large cloud providers.. do servers normally need to connect to your IMAP services? Most email providers could safely block IMAP access from all EC2, Azure, Google Cloud and Tencent IP space, and manually make exceptions for the odd IP that needs access..
(It's what we do by default in most of our products now)
And, if you haven't already.. STOP allowing POP/IMAP without SSL/TLS.. passwords can and will be sniffed.. and once TLS is used, you have fingerprinting as an extra tool to prevent bad actors.
On 2024-04-11 10:32, Greg Earle via dovecot wrote:
> Hello all, long-time listener, first-time caller ...
> I returned from an Eclipse trip to find a couple of sp*m e-mails in an account. I checked the logs and there was no Postfix activity during the delivery times. The 2 spams have basically no headers in them.
> I went back to the logs and instead found Dovecot IMAP server activity during those times. Apparently Russian hax0rs (hostnames stat_list.ip-ptr.tech and service_stat.ip-ptr.tech) compromised an account and logged into it via IMAP, and somehow were able to create these two sp*m e-mails on my system.
> Obviously I've changed the account password, but I would really like to know how they were able to create e-mails on my system when ostensibly I would have assumed they could only read the account's e-mails via IMAP.
> If it matters, it's an older version of Dovecot on Fedora with a fairly heavily customized set of .conf files. I ran "doveconf -a" but didn't see anything obvious in the output. I may enable rawlogs in case they come knocking again, even though the password has been changed.
> Thanks.
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
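As an added illustration of the advice in the reply above (block IMAP logins from cloud-provider space, feed RBL lookups with AUTH source addresses, and refuse non-TLS logins), here is a small log-review script that is not part of the thread or of Dovecot itself. It assumes the usual Dovecot `imap-login: Login:` line layout with `rip=`/`lip=` fields and a `TLS` token on encrypted sessions; the cloud ranges, DNSBL zone names and log lines are constructed placeholders, not real allocations or real blocklists.

```python
"""Flag risky Dovecot IMAP logins from imap-login log lines.

Added example, not code from the dovecot list thread or the Dovecot
project. Assumes the standard "imap-login: Login:" line format; the
CIDR ranges, DNSBL zones and sample log lines below are constructed.
"""
import ipaddress
import re
import socket

# Constructed placeholder ranges standing in for cloud-provider space.
# In practice these come from each provider's published IP range lists.
CLOUD_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Hypothetical DNSBL zones (placeholders); any zone name builds the same way.
DNSBL_ZONES = ("auth.example-rbl.invalid", "drop.example-rbl.invalid")

LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\S+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=(?P<lip>[0-9a-fA-F.:]+)(?P<rest>.*)"
)


def parse_login(line):
    """Return a dict for an imap-login Login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    # Assumption: Dovecot appends ", TLS" to the line for encrypted sessions.
    tls = re.search(r",\s*TLS\b", m.group("rest")) is not None
    return {"user": m.group("user"), "method": m.group("method"),
            "rip": m.group("rip"), "lip": m.group("lip"), "tls": tls}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone):
    """Live lookup: True if the zone returns an A record for the address.

    Not exercised offline; a NXDOMAIN (gaierror) means 'not listed'.
    """
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


def in_cloud_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def assess(line):
    """Attach findings to a parsed login: plaintext session, cloud source."""
    rec = parse_login(line)
    if rec is None:
        return None
    findings = []
    if not rec["tls"]:
        findings.append("plaintext-login")
    if in_cloud_range(rec["rip"]):
        findings.append("cloud-source")
    rec["findings"] = findings
    # Names to resolve against the RBLs; resolution itself is left to dnsbl_listed().
    rec["dnsbl_queries"] = [dnsbl_query_name(rec["rip"], z) for z in DNSBL_ZONES]
    return rec


def scan(log_text):
    """Return assessments for every Login line in the given log text."""
    return [r for r in (assess(l) for l in log_text.splitlines()) if r is not None]


# Constructed sample log lines (TEST-NET addresses, fake session ids).
SAMPLE_LOG = """\
Apr 11 10:32:01 mail dovecot: imap-login: Login: user=<greg>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, mpid=4242, TLS, session=<aaaa>
Apr 11 10:35:09 mail dovecot: imap-login: Login: user=<greg>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, mpid=4250, session=<bbbb>
Apr 11 10:36:00 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.9, lip=192.0.2.10, session=<cccc>
"""

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["user"], rec["rip"], "TLS" if rec["tls"] else "plaintext", rec["findings"])
```

Run it against `/var/log/maillog` (or `journalctl -u dovecot`) output instead of `SAMPLE_LOG` to list which logins would have been rejected by a cloud-range or TLS-only policy before actually enforcing one.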