13 Nov 2017, 4:47 a.m.
We are seeing lots of IMAP login attempts like this:
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=
or
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
etc.
We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
Any ideas on how to mitigate it?
Thanks,
James.
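The post's core observation is that each failed IMAP login comes from a different source address, so a per-IP ban threshold never accumulates enough failures to fire. The following script is an added example (not code from the post, and not part of fail2ban or Dovecot) that parses `imap-login` "auth failed" lines in the shape quoted above and contrasts the two views of the same events: the per-IP count that a fail2ban-style jail with `maxretry` would use, and the number of distinct source IPs failing inside a sliding time window, which is the metric that actually exposes a distributed, one-attempt-per-source pattern. The log lines are constructed for the example and use documentation address ranges; the `maxretry=3` jail setting, the 120-second window and the `.eml@` username check are assumptions chosen to illustrate the idea, not settings recommended by the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from the post). Same shape as Dovecot's
# imap-login failure lines; rip= is the remote IP, lip= the local one.
SAMPLE_LOG = """\
Nov 13 04:40:01 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<bob@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Nov 13 04:40:09 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, TLS
Nov 13 04:40:15 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fx8812.eml@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Nov 13 04:40:22 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<xreportx5fx3.eml@example.com>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.5, TLS
Nov 13 04:41:03 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5, TLS
Nov 13 04:55:40 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<carol@example.com>, method=PLAIN, rip=192.0.2.200, lip=198.51.100.5, TLS
Nov 13 04:55:50 mail dovecot[363]: imap-login: Login: user=<dave@example.com>, method=PLAIN, rip=192.0.2.201, lip=198.51.100.5, TLS
"""

# Matches only the "auth failed" disconnects; the angle brackets around the
# user are optional because some log viewers strip them (as in the post).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot\[\d+\]: imap-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<?(?P<user>[^>,]*)>?, method=\w+, rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text):
    """Return one dict per failed-auth line; successful logins are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which
        # is fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m.group("user"),
                       "rip": m.group("rip"),
                       "attempts": int(m.group("attempts"))})
    return events


def per_ip_counts(events):
    """Failures per source IP: the view a per-IP jail works from."""
    return Counter(e["rip"] for e in events)


def fail2ban_style_bans(events, maxretry=3):
    """IPs that would reach a hypothetical maxretry threshold (assumed value)."""
    return {ip for ip, n in per_ip_counts(events).items() if n >= maxretry}


def distinct_ips_in_window(events, window_secs):
    """Largest number of distinct failing source IPs in any window_secs span.

    Sliding window over time-sorted events; this is the count that rises
    when many sources each fail once, even though per-IP counts stay at 1.
    """
    events = sorted(events, key=lambda e: e["ts"])
    active = Counter()
    best = start = 0
    for e in events:
        active[e["rip"]] += 1
        while (e["ts"] - events[start]["ts"]).total_seconds() > window_secs:
            old = events[start]["rip"]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            start += 1
        best = max(best, len(active))
    return best


def attachment_like_users(events, pattern=r"\.eml@"):
    """Count usernames that look like attachment filenames (assumed heuristic,
    based on the '<name>.eml@domain' shape of the username quoted in the post)."""
    return sum(1 for e in events if re.search(pattern, e["user"]))


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failed logins parsed:", len(ev))
    print("max failures from any single IP:", max(per_ip_counts(ev).values()))
    print("IPs a maxretry=3 jail would ban:", fail2ban_style_bans(ev) or "none")
    print("distinct failing IPs in a 120 s window:", distinct_ips_in_window(ev, 120))
    print("usernames shaped like attachment filenames:", attachment_like_users(ev))
```

Run against the constructed log, the per-IP maximum is 1 and the jail bans nothing, while the 120-second window shows five distinct sources failing together; that is the signal worth alerting on or feeding into a rate limit keyed on the aggregate rather than on the individual address.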