> On 13 Nov 2017, at 5.47, James Brown <[email protected]> wrote:
>
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
> user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>,
> method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
> user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584....@bordo.com.au>,
> method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it
> is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack supposed to ever
> succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?
If the attempts really all come from different source IP addresses and the
username attempted is always *.eml (and you don't have any real users with a
username ending in .eml), maybe you could just create a deny-passdb with
username_filter *.eml?

    passdb {
      driver = static
      deny = yes
      username_filter = *.eml
      args =
    }

as your first passdb.
Sami
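An added example, not part of the thread and not Dovecot's or fail2ban's own code: a small Python script that parses imap-login "auth failed" lines of the shape quoted above, applies a glob in the spirit of the suggested username_filter (*.eml), and tallies per-IP failures to show why a per-IP ban threshold never triggers when every attempt arrives from a new address. The log lines, usernames and RFC 5737 addresses are constructed for the example; the regex and the maxretry value of 5 are assumptions, not taken from the thread.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample lines modelled on the imap-login entries quoted in the
# thread (usernames and RFC 5737 addresses are invented, not real data).
SAMPLE_LOG = """\
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fxreadyx2dx100001.eml>, method=PLAIN, rip=203.0.113.10,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xquotex5fxattachedx2dx100002.eml>, method=PLAIN, rip=203.0.113.11,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<xyourx5fxorderx2dx100003.eml>, method=PLAIN, rip=198.51.100.12,
dovecot[363]: imap-login: Disconnected (auth failed, 2 attempts in 8 secs): user=<alice>, method=PLAIN, rip=192.0.2.44,
dovecot[363]: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.45, lip=192.0.2.1, mpid=1234, TLS
"""

# Assumed pattern for the "auth failed" disconnect line; successful logins
# and other imap-login messages deliberately do not match.
AUTH_FAILED = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_auth_failures(log_text):
    """Return one dict per 'auth failed' imap-login line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                "attempts": int(m.group("attempts")),
                "rip": m.group("rip"),
            })
    return events


def matches_username_filter(user, pattern):
    """Case-sensitive glob match, approximating a passdb username_filter entry."""
    return fnmatch.fnmatchcase(user, pattern)


def ips_fail2ban_would_ban(events, maxretry=5):
    """IPs whose failed-attempt total reaches an assumed fail2ban maxretry."""
    per_ip = Counter()
    for ev in events:
        per_ip[ev["rip"]] += ev["attempts"]
    return {ip for ip, n in per_ip.items() if n >= maxretry}


def summarize(log_text, pattern="*.eml", maxretry=5):
    """Count failures, how many the username glob would catch, and how many
    distinct source IPs those catches span (one IP per attempt defeats per-IP bans)."""
    events = parse_auth_failures(log_text)
    hits = [ev for ev in events if matches_username_filter(ev["user"], pattern)]
    return {
        "failures": len(events),
        "filter_hits": len(hits),
        "distinct_ips_in_hits": len({ev["rip"] for ev in hits}),
        "would_be_banned": ips_fail2ban_would_ban(events, maxretry),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it on the constructed sample shows three of four failures matching *.eml, spread over three distinct addresses, and no address reaching the ban threshold, which is the situation the deny-passdb addresses by rejecting on username shape rather than on source address. Before deploying such a filter, confirm against the real user list that no legitimate account ends in .eml.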