IMAP connections with ".eml" in the username - bot attack.

Sami Ketola sami.ketola at dovecot.fi
Mon Nov 13 08:21:15 EET 2017


> On 13 Nov 2017, at 5.47, James Brown <jlbrown at bordo.com.au> wrote:
> 
> We are seeing lots of IMAP login attempts like this:
> 
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
> 
> or
> 
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229, 
> 
> etc.
> 
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
> 
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
> 
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
> 
> Any ideas on how to mitigate it?

If the attempts really all come from different source IP addresses and the username attempted 
is always *.eml (and you don't have any real users with a username ending in .eml), maybe you
could just create a deny passdb with username_filter *.eml?

# Deny passdb: rejects logins whose username matches the filter,
# without ever consulting the real passdb(s) listed after it.
passdb {
  driver = static
  deny = yes
  username_filter = *.eml
  args =
}

as your first passdb

Sami
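The following is an added example, not code from the thread or from Dovecot itself. It parses auth-failure lines of the shape shown in the post and emulates how a passdb `username_filter` decides which logins it applies to, so you can check what a deny passdb would actually stop before deploying it. The log lines are constructed (example.com and RFC 5737 addresses), and the filter semantics are an assumption: the patterns are assumed to be matched against the full login name including any `@domain` part, with shell-style `*`/`?` wildcards and a leading `!` marking a negative pattern. Under that assumption a login such as `something.eml@example.com` (the second line quoted in the post has that form) is not matched by `*.eml` alone, and the example shows the difference a second pattern makes.

```python
"""Added example (not from the post or from Dovecot itself): parse the
imap-login failure lines shown in the thread and check which usernames a
Dovecot passdb username_filter would match.

Assumptions: the filter is matched against the full login name, including
any @domain part; '*' and '?' are shell-style wildcards; a leading '!' makes
a pattern negative, and a user is accepted only if no negative pattern
matches and (when positive patterns exist) at least one positive one does.
"""
import fnmatch
import re

# Shape of the "imap-login: Disconnected (auth failed, ...)" lines in the post.
LOG_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in "
    r"(?P<secs>\d+) secs\): user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log (not real traffic): usernames follow the pattern from
# the post, domain and IPs are documentation values (example.com, RFC 5737).
SAMPLE_LOG = """\
Nov 13 05:40:01 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1, TLS, session=<s1>
Nov 13 05:40:09 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml@example.com>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.1, TLS, session=<s2>
Nov 13 05:40:15 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fx99812.eml>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.1, session=<s3>
Nov 13 05:41:02 mail dovecot[363]: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<jlbrown@example.com>, method=PLAIN, rip=192.0.2.50, lip=198.51.100.1, TLS, session=<s4>
Nov 13 05:41:30 mail dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fx99813.eml>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.1, session=<s5>
"""


def parse_log(text):
    """Return one dict per auth-failure line (user, method, rip, attempts, secs)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["attempts"] = int(ev["attempts"])
            ev["secs"] = int(ev["secs"])
            events.append(ev)
    return events


def username_filter_matches(filters, username):
    """Emulate Dovecot's username_filter (space-separated patterns) for one user."""
    negatives = [p[1:] for p in filters.split() if p.startswith("!")]
    positives = [p for p in filters.split() if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(username, p) for p in negatives):
        return False
    if not positives:  # only negative patterns: everything not excluded passes
        return True
    return any(fnmatch.fnmatchcase(username, p) for p in positives)


def deny_coverage(events, filters):
    """Summarise what a deny passdb with the given username_filter would stop.

    Returns total events, distinct source IPs (one attempt per IP is why
    per-IP banning gets little traction here), events the filter denies,
    and .eml usernames the filter would still pass on to the real passdb.
    """
    denied = [e for e in events if username_filter_matches(filters, e["user"])]
    leaked = sorted(
        e["user"] for e in events
        if e["user"].split("@", 1)[0].endswith(".eml")
        and not username_filter_matches(filters, e["user"])
    )
    return {
        "events": len(events),
        "distinct_rips": len({e["rip"] for e in events}),
        "denied": len(denied),
        "eml_not_denied": leaked,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for flt in ("*.eml", "*.eml *.eml@*"):
        print(flt, "->", deny_coverage(evs, flt))
```

Run it against your own `mail.log` (replace `SAMPLE_LOG` with the file contents) to see how many of the failing logins a candidate filter would divert into the deny passdb and which `.eml` names would slip past it; the `*.eml *.eml@*` form is only an illustration of adding a domain-qualified pattern, not a recommendation from the thread.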
