IMAP connections with ".eml" in the username - bot attack.
We are seeing lots of IMAP login attempts like this:
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=197.255.60.118,
or
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
etc.
We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
Any ideas on how to mitigate it?
Thanks,
James.
On 13 Nov 2017, at 5.47, James Brown jlbrown@bordo.com.au wrote:
> We are seeing lots of IMAP login attempts like this:
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=197.255.60.118,
> or
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
> etc.
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
> Any ideas on how to mitigate it?
If the attempts really all come from different source ip addresses and the username attempted is always *.eml (and you don't have any real users with username ending in .eml), maybe you could just create deny-passdb with username_filter *.eml?
  passdb {
    driver = static
    deny = yes
    username_filter = *.eml
    args =
  }
as your first passdb
Sami
On 13 Nov 2017, at 8.21, Sami Ketola sami.ketola@dovecot.fi wrote:
> On 13 Nov 2017, at 5.47, James Brown jlbrown@bordo.com.au wrote:
> > We are seeing lots of IMAP login attempts like this:
> > dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=197.255.60.118,
> > or
> > dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
> > etc.
> > We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
> > We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
> > Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
> > Any ideas on how to mitigate it?
> If the attempts really all come from different source ip addresses and the username attempted is always *.eml (and you don't have any real users with username ending in .eml), maybe you could just create deny-passdb with username_filter *.eml?
>   passdb {
>     driver = static
>     deny = yes
>     username_filter = *.eml
>     args =
>   }
> as your first passdb
Forgot to mention that the username_filter feature requires Dovecot 2.2.30+.
Sami
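The deny-passdb suggestion above hinges on two details worth checking against your own logs before relying on it: the wildcard pattern has to match the login name exactly as Dovecot sees it (including any @domain part, as in the quoted lines), and the attempts with an empty login name are not .eml names at all, so a *.eml filter does nothing for them. The script below is an added example, not code from this thread, from Dovecot or from fail2ban. It parses imap-login "auth failed" lines, applies a username_filter-style pattern to each login name, and tallies attempts per source IP to show why a per-IP maxretry threshold never fires against a one-attempt-per-IP flood. Assumptions: fnmatch is used as an approximation of Dovecot's wildcard matching (space- or comma-separated patterns, leading "!" excludes, case-insensitive), and the sample log lines are constructed, with the first two mirroring the ones quoted in the thread.

```python
"""Triage helper for the Dovecot imap-login auth-failure pattern in this thread.

Added example, not code from the thread, from Dovecot or from fail2ban.
fnmatch approximates Dovecot's username_filter wildcards (assumption).
"""
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample. Lines 1-2 mirror the ones quoted in the thread
# (Dovecot logs an empty login name as user=<>); the rest are made up.
# The final "Login:" line is a success and must be ignored by the parser.
SAMPLE_LOG = """\
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au>, method=PLAIN, rip=37.235.28.229, lip=192.0.2.10, TLS
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<>, method=PLAIN, rip=197.255.60.118, lip=192.0.2.10, TLS
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fx99812.eml@bordo.com.au>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
dovecot[363]: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<alice@bordo.com.au>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
dovecot[363]: imap-login: Login: user=<alice@bordo.com.au>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
"""

# Accepts user=<name> as Dovecot writes it and user=name as it appears once
# an archive has stripped the angle brackets.
LOG_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<?(?P<user>[^>,]*)>?, method=(?P<method>\w+), rip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def parse_auth_failures(log_text):
    """Return one dict per imap-login auth-failure line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        events.append({
            "user": m.group("user"),
            "method": m.group("method"),
            "rip": m.group("rip"),
            "attempts": int(m.group("attempts")),
        })
    return events


def matches_username_filter(user, username_filter):
    """Model of a passdb username_filter (assumption): space/comma separated
    wildcard patterns, a leading '!' excludes, matching is case-insensitive.
    True means the passdb applies to this login name; for a deny passdb that
    means the login is rejected before any later passdb is consulted."""
    patterns = [p for p in re.split(r"[\s,]+", username_filter.strip()) if p]
    include = [p.lower() for p in patterns if not p.startswith("!")]
    exclude = [p[1:].lower() for p in patterns if p.startswith("!")]
    name = user.lower()
    if any(fnmatchcase(name, p) for p in exclude):
        return False
    return not include or any(fnmatchcase(name, p) for p in include)


def triage(events, username_filter, fail2ban_maxretry=5):
    """Summarise what a deny passdb with this filter would stop, which login
    names it would not cover, and whether any single source IP accumulates
    enough failures to trip a per-IP ban threshold such as fail2ban's maxretry."""
    denied = [e for e in events if matches_username_filter(e["user"], username_filter)]
    remaining = [e for e in events if not matches_username_filter(e["user"], username_filter)]
    per_ip = Counter()
    for e in events:
        per_ip[e["rip"]] += e["attempts"]
    return {
        "total": len(events),
        "denied_by_filter": len(denied),
        "not_covered": sorted({e["user"] for e in remaining}),
        "distinct_ips": len(per_ip),
        "ips_over_maxretry": sorted(ip for ip, n in per_ip.items() if n >= fail2ban_maxretry),
    }


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_LOG)
    for pattern in ("*.eml", "*.eml@*"):
        print(pattern, triage(evs, pattern))
```

On the constructed sample, "*.eml" denies nothing because every logged name carries an @domain part, while "*.eml@*" denies both .eml attempts; the empty-name attempts fall through either way and need a separate measure (for example the auth penalty mechanism mentioned later in the thread). No source IP reaches a maxretry of 5, which is exactly why a per-IP ban never engages here.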
On Mon, Nov 13, 2017 at 02:47:00PM +1100, James Brown wrote:
> We are seeing lots of IMAP login attempts like this:
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=197.255.60.118,
> or
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@bordo.com.au, method=PLAIN, rip=37.235.28.229,
> etc.
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
> Any ideas on how to mitigate it?
> Thanks,
> James.
Wild guess: A spammer misconfigured their spambot? Unless you have any usernames in your system that are formatted like that, it'll never get in, so I wouldn't worry about it. Assuming you have sensible rate limits on IMAP logins in place (e.g. https://wiki.dovecot.org/Authentication/Penalty ), there's nothing more to do. Just laugh it off as another oddity of being a mail admin.
Here's a fun laugh I found in one of my webserver logs:
1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
Not my website, nothing even close to that url is hosted on that server. I'm surprised a bot would pretend to be Internet Explorer 4 on Windows 95. Go figure...
--Sean
Participants (3): James Brown, Sami Ketola, Sean Greenslade