On 13 Nov 2017, at 8.21, Sami Ketola sami.ketola@dovecot.fi wrote:
On 13 Nov 2017, at 5.47, James Brown jlbrown@bordo.com.au wrote:
We are seeing lots of IMAP login attempts like this:
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=
, method=PLAIN, rip=197.255.60.118, or
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
etc.
We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
Is anyone else experiencing this? How is such an attack is supposed to ever succeed? What are they trying to accomplish?
Any ideas on how to mitigate it?
If the attempts really all come from different source ip addresses and the username attempted is always *.eml (and you don't have any real users with username ending in .eml), maybe you could just create deny-passdb with username_filter *.eml?
passdb { driver = static deny = yes username_filter = *.eml args = }
as your first passdb
forgot to mention that username_filter feature requires dovecot 2.2.30+
Sami