IMAP connections with ".eml" in the username - bot attack.

James Brown jlbrown at bordo.com.au
Mon Nov 13 05:47:00 EET 2017


We are seeing lots of IMAP login attempts like this:

dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,

or

dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229, 

etc.

We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.

We are running Sophos UTM firewall but that has no IMAP Proxy and never will.

Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?

Any ideas on how to mitigate it?

Thanks,

James.
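A defender-side way to pull these events out of the Dovecot log and see why per-IP banning does not catch them, added here as an example; it is not code from the original post or from the Dovecot project. The syslog prefixes and the extra sample lines are constructed, the regex assumes the exact "imap-login: Disconnected (auth failed ..." wording quoted above, and " at " is treated as a munged "@" in usernames.

```python
import re
from collections import Counter

# Matches the failed imap-login lines quoted in the post (constructed syslog prefix allowed).
LOGIN_FAIL_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)

# A "username" that is really a file name: ends in .eml, optionally followed by
# "@domain" or the list archive's munged " at domain" form.
EML_USER_RE = re.compile(r"\.eml(?:\s+at\s+\S+|@\S+)?$")

def parse_failed_login(line):
    """Return user/rip/attempts for a failed imap-login line, or None if it is not one."""
    m = LOGIN_FAIL_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "rip": m.group("rip"),
            "attempts": int(m.group("attempts"))}

def is_eml_username(user):
    """True when the attempted username looks like a .eml file name rather than a mailbox."""
    return bool(EML_USER_RE.search(user))

def summarize(lines):
    """Count .eml-style failures and how they are spread over source IPs.

    A high distinct_ips with a low max_failures_per_ip is exactly the distributed
    pattern that a per-IP threshold (fail2ban style) never reaches.
    """
    per_ip, eml_total, other_total = Counter(), 0, 0
    for line in lines:
        rec = parse_failed_login(line)
        if rec is None:
            continue
        if is_eml_username(rec["user"]):
            eml_total += 1
            per_ip[rec["rip"]] += 1
        else:
            other_total += 1
    return {"eml_failures": eml_total, "other_failures": other_total,
            "distinct_ips": len(per_ip), "max_failures_per_ip": max(per_ip.values(), default=0)}

# Constructed sample: the two lines from the post plus three made-up lines (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real attackers).
PFX = "Nov 13 05:47:00 mail dovecot[363]: imap-login: "
SAMPLE_LOG = [
    PFX + "Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,",
    PFX + "Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229, ",
    PFX + "Disconnected (auth failed, 1 attempts in 5 secs): user=<xinvoicex5fx998877.eml@bordo.com.au>, method=PLAIN, rip=203.0.113.7,",
    PFX + "Disconnected (auth failed, 2 attempts in 9 secs): user=<alice>, method=PLAIN, rip=198.51.100.9,",
    PFX + "Login: user=<bob>, method=PLAIN, rip=198.51.100.10, lip=10.0.0.5, TLS",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feeding a day's worth of `mail.log` through `summarize` shows the ratio that matters: many distinct source addresses, each with one or two failures.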

