On 25/05/2026 13:10, Alessandro Vesely via mailop wrote:
Hi all,
I understand that password cracking is one of today's professions, at
least among bots. They attempt a number of logins, using various
names, possibly from million-address CDs or Project Honeypot baits. I
report their IP address to AbuseIPDB and to their provider's abuse-box.
What puzzles me are people who apparently try using a regular mail
client. The logs I find are like so:
2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5
2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain
2026-05-23 13:59:37 CEST imapd: LOGOUT
I wouldn't expect a bot to take care of logging out. These attempts
come from Italy, my country, rather than being spread around the
world. And when I look up their IP on AbuseIPDB, I find out I'm the
only one who reported it. This is disturbing, because I cannot always
be sure they're not real users screwing up their password. However,
running a family host, I know when attempts come from the wrong
provider or from the wrong town, which is most often the case.
Hi Alessandro
I tend to agree that it wouldn't make sense for attackers to logout, but
it can depend on the programming language and the specific script. For
example when using the python imap library I don't see another call
apart from logout() that could be used to disconnect. If the attacker is
running through a repeated loop of logins it might be a good way of
closing the connection before starting a new one.
I have not seen logout on failed credentials. I've only seen it for
those that connect and then disconnect without doing any login. The few
I checked appeared to be one of those scanners doing internet security
scans for their customers, though I'm not sure how scanning my server
could help with that.
Recently, these attempts have been increasing. I have no autoconfig/
autodiscover web pages, no _imap._tcp SRV records, and the name of the
IMAP server is not standard, so they must be trying the MX server. Do
mail clients do so? I recall having to give instructions on client
configuration.
And what are they after?
I don't get a lot of failed login attempts, but the ones I saw more
recently were using standard usernames (like support, sales, etc.) @ a
real domain for which that server is an MX.
Best
Ale
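A defender-side check for the behaviours discussed in this thread (an added example, not code from any of the posters): it parses imapd lines in the format quoted above, groups them per client address, and reports whether each address logged out after failing and how many distinct usernames it tried. The `ip=` field, the addresses and the usernames in the sample are constructed assumptions, since the quoted excerpt does not show where the client address is logged.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread. The "ip=" field is an
# assumption: the quoted excerpt does not show where the client address appears.
SAMPLE_LOG = """\
2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5, ip=198.51.100.7
2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=198.51.100.7
2026-05-23 13:59:37 CEST imapd: LOGOUT, ip=198.51.100.7
2026-05-23 14:02:01 CEST imapd: LOGIN FAILED, user=support@example.org, ip=203.0.113.9
2026-05-23 14:02:02 CEST imapd: LOGIN FAILED, user=sales@example.org, ip=203.0.113.9
2026-05-23 14:05:40 CEST imapd: LOGOUT, ip=192.0.2.55
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) imapd: (?P<event>LOGIN FAILED|LOGOUT)"
                     r"(?:, (?P<attrs>.*))?$")

def parse_line(line):
    """Return (timestamp, event, {key: value}) or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in (m.group("attrs") or "").split(", ")
                 if "=" in kv)
    return m.group("ts"), m.group("event"), attrs

def classify_sessions(log_text):
    """Group events per client IP; return {ip: (label, distinct usernames tried)}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            _, event, attrs = parsed
            per_ip[attrs.get("ip", "unknown")].append((event, attrs))
    labels = {}
    for ip, events in per_ip.items():
        failures = [a for e, a in events if e == "LOGIN FAILED"]
        users = {a["user"] for a in failures if "user" in a}
        logged_out = any(e == "LOGOUT" for e, _ in events)
        if not failures and logged_out:
            label = "connect-and-disconnect"  # no login tried: scanner-like
        elif failures and logged_out:
            label = "failed-then-logout"      # tidy disconnect, the thread's puzzle
        else:
            label = "failed-no-logout"        # connection simply dropped, bot-like
        labels[ip] = (label, len(users))
    return labels
```

Several distinct usernames behind one address, with or without a LOGOUT, matches the role-account pattern described in the thread; one username failing a few times is more consistent with a real user mistyping a password.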
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop