On Mon, Nov 13, 2017 at 02:47:00PM +1100, James Brown wrote:
We are seeing lots of IMAP login attempts like this:
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=197.255.60.118, or
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
etc.
We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
Any ideas on how to mitigate it?
Thanks,
James.
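The pattern James describes (one failed attempt per source address, a different address every time) is exactly the case a per-IP fail2ban jail cannot see, because no single address ever reaches maxretry. The script below is an added illustration, not code from the thread or from the Dovecot project: it parses Dovecot `imap-login` auth-failure lines in the format quoted above, shows which addresses a per-IP rule would catch, and then aggregates across all sources so the distributed campaign becomes visible. The log lines, IP addresses (RFC 5737 documentation ranges), usernames, and the thresholds `min_sources` / `max_per_source` are all constructed assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log in Dovecot imap-login format (not taken from the original thread).
# IPs come from the RFC 5737 documentation ranges; the usernames are made up.
SAMPLE_LOG = """\
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<xinvoicex5fx1001.eml@example.com>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<xinvoicex5fx1002.eml@example.com>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fx1003.eml@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.5
dovecot[363]: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.20, lip=198.51.100.5, mpid=1234, TLS
dovecot[363]: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5
"""

# Matches only the "auth failed" disconnect lines; successful logins and other events are skipped.
AUTH_FAIL_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)


@dataclass
class AuthFailure:
    user: str
    method: str
    rip: str       # remote IP, as Dovecot logs it
    attempts: int  # attempts counted by Dovecot within that connection


def parse_auth_failures(log_text):
    """Return one AuthFailure per 'auth failed' disconnect line in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures.append(AuthFailure(m["user"], m["method"], m["rip"], int(m["attempts"])))
    return failures


def fail2ban_would_ban(failures, maxretry=5):
    """Source IPs a per-IP rule with the given maxretry would ban.

    Attempts are summed per source address, mirroring how a per-IP jail counts."""
    per_ip = Counter()
    for f in failures:
        per_ip[f.rip] += f.attempts
    return {ip for ip, n in per_ip.items() if n >= maxretry}


def distributed_campaign(failures, known_users, min_sources=3, max_per_source=2):
    """Summarise failures across all sources to expose a distributed campaign:
    many distinct IPs, each contributing only a few failure lines, mostly
    against usernames that do not exist locally (known_users is the local
    account list). 'suspect' is True when the assumed thresholds are met."""
    per_ip = Counter(f.rip for f in failures)
    low_volume_ips = [ip for ip, n in per_ip.items() if n <= max_per_source]
    unknown = [f for f in failures if f.user not in known_users]
    return {
        "distinct_sources": len(per_ip),
        "low_volume_sources": len(low_volume_ips),
        "unknown_user_fraction": round(len(unknown) / len(failures), 2) if failures else 0.0,
        "suspect": len(low_volume_ips) >= min_sources and len(unknown) >= len(failures) / 2,
    }


if __name__ == "__main__":
    failures = parse_auth_failures(SAMPLE_LOG)
    local_accounts = {"alice@example.com", "bob@example.com"}  # constructed
    print("per-IP rule (maxretry=5) would ban:", fail2ban_would_ban(failures) or "nothing")
    print("aggregate view:", distributed_campaign(failures, local_accounts))
```

Run against the constructed log, the per-IP view bans nothing (no address exceeds five attempts), while the aggregate view reports six distinct low-volume sources with two thirds of the attempts aimed at non-existent users, which is the signal to look at rather than individual addresses.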
Wild guess: A spammer misconfigured their spambot? Unless you have any usernames in your system that are formatted like that, it'll never get in, so I wouldn't worry about it. Assuming you have sensible rate limits on IMAP logins in place (e.g. https://wiki.dovecot.org/Authentication/Penalty ), there's nothing more to do. Just laugh it off as another oddity of being a mail admin.
Here's a fun laugh I found in one of my webserver logs:
1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
Not my website, nothing even close to that url is hosted on that server. I'm surprised a bot would pretend to be Internet Explorer 4 on Windows 95. Go figure...
--Sean