FWIW, we use Fail2Ban to ban misbehaving IPs, initially with a short timeout (in case a legitimate user fat-fingers configuring a new IMAP client) and then with progressively longer ban times if they keep trying to log in.
We document what we do here: https://www.missioncriticalemail.com/2023/05/21/zimbra-fail2ban-best-practices/

The blog post is Zimbra-specific, but for any other system you'll just need to adjust the log files and the regular expressions.

Hope that helps,
Mark

--
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Winner of the Zimbra Americas VAR Partner of the Year - Two Years Running!

On Monday, May 25th, 2026 at 4:42 PM, John Fawcett via mailop <[email protected]> wrote:

> On 25/05/2026 13:10, Alessandro Vesely via mailop wrote:
> > Hi all,
> >
> > I understand that password cracking is one of today's professions, at least among bots. They attempt a number of logins, using various names, possibly from million-address CDs or Project Honeypot baits. I report their IP address to AbuseIPDB and to their provider's abuse-box.
> >
> > What puzzles me is people that apparently try using a regular mail client. The logs I find are like so:
> >
> > 2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5
> > 2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain
> > 2026-05-23 13:59:37 CEST imapd: LOGOUT
> >
> > I wouldn't expect a bot to take care of logging out. These attempts come from Italy, my country, rather than being spread around the world. And when I look up their IP on AbuseIPDB, I find out I'm the only one who reported it. This is disturbing, because I cannot always be sure they're not real users screwing up their password. However, running a family host, I know when attempts come from the wrong provider or from the wrong town, which is most often the case.
>
> Hi Alessandro
>
> I tend to agree that it wouldn't make sense for attackers to logout, but it can depend on the programming language and the specific script. For example when using the python imap library I don't see another call apart from logout() that could be used to disconnect. If the attacker is running through a repeated loop of logins it might be a good way of closing the connection before starting a new one.
>
> I have not seen logout on failed credentials. I've only seen it for those that connect and then disconnect without doing any login. The few I checked appeared to be one of those scanners doing internet security scans for their customers, though I'm not sure how scanning my server could help with that.
>
> > Recently, these attempts have been increasing. I have no autoconfig/autodiscover web pages, no _imap._tcp SRV records, and the name of the IMAP server is not standard, so they must be trying the MX server. Do mail clients do so? I recall having to give instruction on client configuration.
> >
> > And what are they after?
>
> I don't get a lot of failed login attempts, but the ones I saw more recently were using standard usernames (like support, sales etc) @ a real domain for which that server is an MX.
>
> > Best
> > Ale
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
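The escalating-ban policy Mark describes (a short first ban so a fat-fingered client does not lock a real user out for long, then progressively longer bans for IPs that keep failing) can be replayed offline against log lines in the imapd format Alessandro quoted. The following is an added illustration, not code from the thread, from Fail2Ban, or from the linked blog post. It assumes a trailing `ip=` field on each log line (the quoted lines show no client address), a constructed sample log using documentation-only TEST-NET addresses, and a simple doubling rule for each successive ban; Fail2Ban's own escalation settings and formula are not reproduced here.

```python
"""Replay imapd LOGIN FAILED lines through a Fail2Ban-style escalating jail."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches the imapd failure lines quoted in the thread; the "ip=" field at the
# end is an assumption made for this example (the quoted lines lack an address).
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ imapd: LOGIN FAILED.*\bip=(?P<ip>\S+)$"
)

# Constructed sample log (not real traffic): one client that keeps retrying
# and one that fails a single time, as a legitimate user might.
SAMPLE_LOG = """\
2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5, ip=203.0.113.7
2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain, ip=203.0.113.7
2026-05-23 13:59:37 CEST imapd: LOGOUT, ip=203.0.113.7
2026-05-23 13:59:50 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain, ip=203.0.113.7
2026-05-23 14:01:00 CEST imapd: LOGIN FAILED, user=alice@domain, ip=198.51.100.9
2026-05-23 14:02:00 CEST imapd: LOGIN FAILED, user=support@domain, ip=203.0.113.7
2026-05-23 14:06:00 CEST imapd: LOGIN FAILED, user=sales@domain, ip=203.0.113.7
2026-05-23 14:06:05 CEST imapd: LOGIN FAILED, user=sales@domain, ip=203.0.113.7
2026-05-23 14:06:10 CEST imapd: LOGIN FAILED, user=sales@domain, ip=203.0.113.7
"""


@dataclass
class Ban:
    ip: str
    start: datetime
    seconds: int  # length of this particular ban


def escalating_bans(log_text, maxretry=3, findtime=600, bantime=300, factor=2):
    """Return the bans an escalating jail would issue for the given log.

    maxretry failures within findtime seconds trigger a ban of bantime seconds.
    Each later ban of the same IP is `factor` times longer than the previous one
    (a doubling rule chosen for this example, not Fail2Ban's own formula).
    Failures arriving while an IP is banned are not counted, since a real jail
    would have the firewall drop those connections before the daemon logs them.
    """
    failures = defaultdict(list)   # ip -> timestamps of failures inside the window
    ban_count = defaultdict(int)   # ip -> bans issued so far
    banned_until = {}              # ip -> when the current ban lapses
    bans = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue  # LOGOUT and other lines are not failures
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: nothing to count
        window_start = ts - timedelta(seconds=findtime)
        recent = [t for t in failures[ip] if t >= window_start]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:
            seconds = bantime * factor ** ban_count[ip]
            ban_count[ip] += 1
            banned_until[ip] = ts + timedelta(seconds=seconds)
            failures[ip] = []  # start counting afresh once the ban lapses
            bans.append(Ban(ip, ts, seconds))
    return bans


if __name__ == "__main__":
    for ban in escalating_bans(SAMPLE_LOG):
        print(f"{ban.start} ban {ban.ip} for {ban.seconds}s")
```

With the defaults above, the retrying client is banned for 300 s at 13:59:50, keeps failing after that ban lapses, and is banned again for 600 s at 14:06:10; the single failure from the other address never reaches maxretry, which is the behaviour that spares a real user who mistyped a password while setting up a client. The thresholds, and the regular expression, are exactly what has to be tuned per log format, as Mark notes for non-Zimbra systems.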
