On Mon, Nov 13, 2017 at 02:47:00PM +1100, James Brown wrote:
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
> user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>,
> method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
> user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584....@bordo.com.au>,
> method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it
> is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack supposed to ever
> succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?
>
> Thanks,
>
> James.
Wild guess: A spammer misconfigured their spambot? Unless you have any
usernames in your system that are formatted like that, it'll never get in, so
I wouldn't worry about it. Assuming you have sensible rate limits on IMAP
logins in place (e.g. https://wiki.dovecot.org/Authentication/Penalty ),
there's nothing more to do. Just laugh it off as another oddity of being a
mail admin.

Here's a fun laugh I found in one of my webserver logs:

> 1446098745 218.249.219.2 "GET
> http://www.sciencedirect.com/science/book/9780123525512" 400 425 ""
> "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

Not my website, nothing even close to that url is hosted on that server. I'm
surprised a bot would pretend to be Internet Explorer 4 on Windows 95.

Go figure...

--Sean
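Added example, not part of either message above: a small Python script that checks the two things the thread turns on, namely whether the attempted usernames match any real account and whether the failures are spread so thinly across source IPs that a per-IP ban rule (the fail2ban case James describes) will never fire. The sample log lines are constructed for this example: the two `imap-login` lines quoted in the thread plus two extra lines using documentation IP ranges; the `KNOWN_USERS` set and the two thresholds are assumptions, not values from the thread or from Dovecot.

```python
import re
from collections import defaultdict

# Constructed sample input: the two lines James quoted, plus two constructed
# lines (one real-user failure, one successful login) using RFC 5737 addresses.
SAMPLE_LOG = """\
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584....@bordo.com.au>, method=PLAIN, rip=37.235.28.229,
dovecot[363]: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<alice>, method=PLAIN, rip=203.0.113.7,
dovecot[363]: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4,
"""

# Assumed set of real mailbox names on the server (hypothetical).
KNOWN_USERS = {"alice", "bob"}

# Matches only the "auth failed" disconnect lines, capturing the fields that
# matter for the analysis; successful logins and other lines are ignored.
AUTH_FAIL_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts in "
    r"(?P<secs>\d+) secs\): user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[\d.]+)"
)


def parse_auth_failures(log_text):
    """Return one dict per failed-auth disconnect line in log_text."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue
        events.append({
            "attempts": int(m.group("attempts")),
            "secs": int(m.group("secs")),
            "user": m.group("user"),
            "method": m.group("method"),
            "rip": m.group("rip"),
        })
    return events


def summarize(events, known_users, distributed_ip_threshold=20,
              per_ip_ban_threshold=5):
    """Characterise a batch of failures.

    distributed_ip_threshold: how many distinct source IPs (all targeting
        non-existent users) we treat as a spread-out campaign (assumed value).
    per_ip_ban_threshold: the attempt count at which a per-IP rule such as a
        fail2ban jail would ban a source (assumed value).
    """
    unknown = [e for e in events if e["user"] not in known_users]
    unknown_ips = {e["rip"] for e in unknown}

    # Total attempts seen from each source address, across all users.
    per_ip = defaultdict(int)
    for e in events:
        per_ip[e["rip"]] += e["attempts"]

    # The campaign is "distributed" when many IPs are involved and none of
    # them individually reaches the per-IP ban threshold, i.e. exactly the
    # situation where a per-IP ban never triggers.
    busiest_unknown_ip = max((per_ip[ip] for ip in unknown_ips), default=0)
    distributed = (len(unknown_ips) >= distributed_ip_threshold
                   and busiest_unknown_ip < per_ip_ban_threshold)

    return {
        "failures": len(events),
        "unknown_user_failures": len(unknown),
        "unknown_user_source_ips": len(unknown_ips),
        "max_attempts_single_ip": max(per_ip.values(), default=0),
        "distributed": distributed,
    }


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_LOG)
    # Low thresholds only because the constructed sample is tiny.
    report = summarize(evs, KNOWN_USERS, distributed_ip_threshold=2,
                       per_ip_ban_threshold=5)
    for k, v in report.items():
        print(f"{k}: {v}")
```

The useful output is the split between failures against real accounts (where a per-IP rule and Dovecot's own auth penalty do their job) and failures against names that do not exist (which cannot succeed, as the reply points out, but whose distinct-IP count tells you whether a per-IP ban is even the right tool).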
