Hi all,
I understand that password cracking is one of today's professions, at
least among bots. They attempt a number of logins, using various names,
possibly from million-address CDs or Project Honeypot baits. I report
their IP address to AbuseIPDB and to their provider's abuse-box.
What puzzles me is people who apparently try using a regular mail
client. The logs I find are like so:

2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5
2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain
2026-05-23 13:59:37 CEST imapd: LOGOUT

I wouldn't expect a bot to take care of logging out. These attempts
come from Italy, my country, rather than being spread around the world.
And when I look up their IP on AbuseIPDB, I find out I'm the only one
who reported it. This is disturbing, because I cannot always be sure
they're not real users screwing up their password. However, running a
family host, I know when attempts come from the wrong provider or from
the wrong town, which is most often the case.
Recently, these attempts have been increasing. I have no autoconfig/
autodiscover web pages, no _imap._tcp SRV records, and the name of the
IMAP server is not standard, so they must be trying the MX server. Do
mail clients do so? I recall having to give instruction on client
configuration.
And what are they after?
Best
Ale
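
As an added example (not part of the original post), the following Python groups failed-login lines like the ones quoted above by source address and flags the sequence the post describes: a mechanism failure, then a failure naming a user, then a LOGOUT. The ip=[...] field, the sample addresses and user names, and the 30-second window are assumptions; the lines quoted in the post show no address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. The ip=[...] field is an assumption; the lines
# quoted in the post do not show one. Addresses are documentation ranges.
SAMPLE_LOG = """\
2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5, ip=[192.0.2.10]
2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[192.0.2.10]
2026-05-23 13:59:37 CEST imapd: LOGOUT, ip=[192.0.2.10]
2026-05-23 14:02:01 CEST imapd: LOGIN FAILED, user=info@example.org, ip=[198.51.100.7]
2026-05-23 14:02:02 CEST imapd: LOGIN FAILED, user=admin@example.org, ip=[198.51.100.7]
2026-05-23 14:02:03 CEST imapd: LOGIN FAILED, user=sales@example.org, ip=[198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ imapd: "
    r"(?P<event>LOGIN FAILED|LOGOUT)(?:, (?P<key>method|user)=(?P<val>[^,\s]+))?"
    r".*?ip=\[(?P<ip>[^\]]+)\]"
)

def summarize(log_text, max_gap=30):
    """Group failed-login events per source IP and label each pattern."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["ip"]].append((ts, m["event"], m["key"], m["val"]))
    report = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        users = sorted({v for _, e, k, v in evs if k == "user"})
        kinds = [k if e == "LOGIN FAILED" else "logout" for _, e, k, _ in evs]
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        # The sequence from the post: a mechanism failure, then a failure
        # naming a user, then a clean LOGOUT, all within a few seconds.
        client_like = kinds == ["method", "user", "logout"] and span <= max_gap
        report[ip] = {
            "users": users,
            "failures": kinds.count("method") + kinds.count("user"),
            "pattern": "client-like" if client_like else "other",
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

The per-address list of targeted users is what lets a small site compare an attempt against where each real user normally connects from.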