Re: IMAP connections with ".eml" in the username - bot attack.
James Brown writes:
Haven't seen it. I agree with another poster -- probably a spammer screwed up their spamware configuration.
Any ideas on how to mitigate it?
Mitigate what? Even by your account, this won't get them anywhere, unless it's so fast and heavy, it's DoS'ing your system. Other than that, they're just bloating your logs, nothing more.
If you want to pre-empt this via firewall, you'll need to get extremely lucky to characterise these IPs (a sample of 2 is not enough) in such a way as to be able to formulate a firewall rule. Most likely, this is a rented botnet. If you somehow figure out an oracular rule to discern bot from some user road-warrior *before* they connect, give me a call.
Sean Greenslade <sean@seangreenslade.com> writes:
Common proxy target. They're testing whether your web server will support anonymous web proxying. Almost exclusively from China.
Joseph Tam <jtam.home@gmail.com>