IMAP connections with ".eml" in the username - bot attack.
Sami Ketola
sami.ketola at dovecot.fi
Mon Nov 13 08:21:15 EET 2017
> On 13 Nov 2017, at 5.47, James Brown <jlbrown at bordo.com.au> wrote:
>
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack is supposed to ever succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?
If the attempts really all come from different source ip addresses and the username attempted
is always *.eml (and you don't have any real users with username ending in .eml), maybe you
could just create deny-passdb with username_filter *.eml?
passdb {
driver = static
deny = yes
username_filter = *.eml
args =
}
as your first passdb
Sami
More information about the dovecot
mailing list