IMAP connections with ".eml" in the username - bot attack.
Sami Ketola
sami.ketola at dovecot.fi
Mon Nov 13 08:22:11 EET 2017
> On 13 Nov 2017, at 8.21, Sami Ketola <sami.ketola at dovecot.fi> wrote:
>
>>
>> On 13 Nov 2017, at 5.47, James Brown <jlbrown at bordo.com.au> wrote:
>>
>> We are seeing lots of IMAP login attempts like this:
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>>
>> or
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>>
>> etc.
>>
>> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>>
>> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>>
>> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>>
>> Any ideas on how to mitigate it?
>
> If the attempts really all come from different source ip addresses and the username attempted
> is always *.eml (and you don't have any real users with username ending in .eml), maybe you
> could just create deny-passdb with username_filter *.eml?
>
> passdb {
> driver = static
> deny = yes
> username_filter = *.eml
> args =
> }
>
> as your first passdb
Forgot to mention that the username_filter feature requires Dovecot 2.2.30+.
Sami
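As an added illustration (not from the original thread or from Dovecot itself): the script below parses imap-login failure lines in the format James posted, applies the same glob a passdb username_filter would, and counts the distinct source IPs behind the matching attempts, which is the reason per-IP banning in fail2ban does not catch this pattern. The log lines are constructed samples with documentation IPs; it assumes username_filter is compared against the full login name including any @domain, so `*.eml` alone does not cover usernames of the form `....eml@domain`.

```python
import re
from fnmatch import fnmatchcase
from collections import defaultdict

# Constructed sample lines in the imap-login format shown in the thread
# (usernames and IPs are made up; they are not the ones from the original post).
SAMPLE_LOG = """\
Nov 13 05:40:01 mx dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xnewsx5fxreadyx2dx100001.eml>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<a1>
Nov 13 05:40:07 mx dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xvisitx5fxonx2dx100002.eml@example.test>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5, TLS, session=<a2>
Nov 13 05:40:13 mx dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<alice>, method=PLAIN, rip=203.0.113.12, lip=198.51.100.5, TLS, session=<a3>
Nov 13 05:40:19 mx dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xquotex5fxisx2dx100003.eml>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<a4>
"""

LINE_RE = re.compile(
    r"imap-login: Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+)"
)

def parse_auth_failures(log_text):
    """Yield (username, remote_ip) for every imap-login auth failure line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("rip")

def matches_filter(username, patterns):
    """Glob match the way a passdb username_filter is assumed to work here:
    the full login name (including any @domain) is compared to each pattern."""
    return any(fnmatchcase(username, p) for p in patterns)

def summarize(log_text, patterns):
    """Split failures into filter matches and non-matches, and count the distinct
    source IPs behind the matches (many IPs with one attempt each is the signature)."""
    matched, unmatched, ips = [], [], defaultdict(int)
    for user, rip in parse_auth_failures(log_text):
        if matches_filter(user, patterns):
            matched.append(user)
            ips[rip] += 1
        else:
            unmatched.append(user)
    return {"matched": matched, "unmatched": unmatched, "distinct_ips": len(ips)}

if __name__ == "__main__":
    # "*.eml" alone misses the user@domain form; the second pattern covers it.
    for pats in (["*.eml"], ["*.eml", "*.eml@*"]):
        print(pats, summarize(SAMPLE_LOG, pats))
```

Before adding a second pattern to a real deny passdb, check the username_filter list syntax in the documentation for the Dovecot version in use; the script only shows which login names each glob would catch.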