> Hi all,
>
> I understand that password cracking is one of today's professions, at
> least among bots. They attempt a number of logins, using various names,
> possibly from million-address CDs or Project Honeypot baits. I report
> their IP address to AbuseIPDB and to their provider's abuse-box.
>
> What puzzles me is people who apparently try using a regular mail
> client. The logs I find are like so:
>
> 2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5
> 2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain
> 2026-05-23 13:59:37 CEST imapd: LOGOUT

We see an endless stream of such attempts all day long, and they don't just attempt with CRAM-MD5 but also other methods, including PLAIN and LOGIN. They also attempt over POP3 and SMTP. We add quite a lot to our rolling blacklists because we find that they eventually stop, which I assume is because they're continuing from a different IP address after a while. (Some don't change IPs, and so we eventually add them to our block-and-forget lists.) What's weird is that many of them keep cycling through the same passwords instead of trying different ones (we know this because we log the passwords they attempt -- sometimes the passwords even include swear words, political discontent, or even sexually explicit phrases, which makes sense because some users do the same).

> I wouldn't expect a bot to take care of logging out.

I suspect most bot authors only do that because they believe not logging out could draw more unwanted attention to their activities.

> These attempts come from Italy, my country, rather than being spread around the world.
> And when I look up their IP on AbuseIPDB, I find out I'm the only one
> who reported it. This is disturbing, because I cannot always be sure
> they're not real users screwing up their password. However, running a
> family host, I know when attempts come from the wrong provider or from
> the wrong town, which is most often the case.
>
> Recently, these attempts have been increasing. I have no autoconfig/
> autodiscover web pages, no _imap._tcp SRV records, and the name of the
> IMAP server is not standard, so they must be trying the MX server. Do
> mail clients do so? I recall having to give instruction on client
> configuration.
>
> And what are they after?

They're after any account they can gain access to, most likely so they can use it to send spam, and possibly also so they can download eMail messages for any reasons, including extorting money from the account owner, or selling the data (assuming they've breached a large quantity of eMail accounts), etc. Once they find a password that works, they'll probably also be curious about other possible places where they could log in with it (this is one of the reasons users should use different passwords on each system, but sadly many still don't).

> Best
> Ale

--
Postmaster - [email protected]
Randolf Richardson, CNA - [email protected]
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
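The rolling-blacklist handling Randolf describes, as an added example that is not code from either poster: it replays imapd lines shaped like the ones Ale quoted, blocks a source once enough failures fall inside a window, lets the block age out after the source goes quiet, forgets pending failures when a login finally succeeds (the mistyped-password case Ale worries about), and flags sources whose failed sessions all end with an explicit LOGOUT, the mail-client pattern the thread puzzles over. The `ip=[...]` field, the addresses and user names in the sample log, and the window, threshold and block lifetime are all assumptions; the quoted lines do not show the client address, so the constructed sample adds one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(hours=2)      # failures older than this stop counting (assumed value)
THRESHOLD = 5                    # failures inside WINDOW that trigger a block (assumed value)
BLOCK_TTL = timedelta(hours=12)  # block lifetime; each new failure pushes it out (assumed value)

# Constructed sample, modelled on the three lines quoted in the thread. The
# "ip=[...]" field is an assumption (the quoted lines omit it) and the
# addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5, ip=[203.0.113.10]
2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[203.0.113.10]
2026-05-23 13:59:37 CEST imapd: LOGOUT, ip=[203.0.113.10]
2026-05-23 14:05:02 CEST imapd: LOGIN FAILED, method=PLAIN, ip=[203.0.113.10]
2026-05-23 14:05:04 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[203.0.113.10]
2026-05-23 14:05:09 CEST imapd: LOGOUT, ip=[203.0.113.10]
2026-05-23 14:20:41 CEST imapd: LOGIN FAILED, method=LOGIN, ip=[203.0.113.10]
2026-05-23 14:20:43 CEST imapd: LOGIN FAILED, user=bob@example.org, ip=[203.0.113.10]
2026-05-23 14:20:50 CEST imapd: LOGOUT, ip=[203.0.113.10]
2026-05-23 15:10:00 CEST imapd: LOGIN FAILED, user=carol@example.org, ip=[198.51.100.7]
2026-05-23 15:10:08 CEST imapd: LOGIN, user=carol@example.org, ip=[198.51.100.7]
2026-05-23 16:00:00 CEST imapd: LOGIN FAILED, method=PLAIN, ip=[192.0.2.55]
2026-05-23 16:00:00 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[192.0.2.55]
2026-05-23 16:00:01 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[192.0.2.55]
2026-05-23 16:00:01 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[192.0.2.55]
2026-05-23 16:00:02 CEST imapd: LOGIN FAILED, user=alice@example.org, ip=[192.0.2.55]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ imapd: "
                     r"(?P<event>LOGIN FAILED|LOGIN|LOGOUT)(?:, (?P<rest>.*))?$")


def parse_line(line):
    """Return (timestamp, event, fields) for one imapd line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)  # zone token skipped: one host, one zone
    fields = {}
    for item in (m.group("rest") or "").split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value.strip("[]")
    return ts, m.group("event"), fields


def analyze(log_text, now):
    """Replay the log and return per-IP state as of `now` (a TS_FMT string).

    A source is blocked once THRESHOLD failures fall inside WINDOW; the block
    lasts BLOCK_TTL past its latest failure, so a source that keeps trying stays
    listed and one that has moved on ages out. client_like is True when every
    session that contained a failure was closed by an explicit LOGOUT.
    """
    now_ts = datetime.strptime(now, TS_FMT)
    recent = defaultdict(list)       # ip -> failure timestamps still inside WINDOW
    blocked_until = {}               # ip -> expiry of its block
    open_failed = defaultdict(bool)  # ip -> current session has already failed once
    sessions = defaultdict(int)      # ip -> sessions that contained a failure
    logouts = defaultdict(int)       # ip -> such sessions closed by LOGOUT
    total = defaultdict(int)         # ip -> all failures seen

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "ip" not in parsed[2]:
            continue
        ts, event, fields = parsed
        ip = fields["ip"]
        if event == "LOGIN FAILED":
            total[ip] += 1
            if not open_failed[ip]:
                open_failed[ip] = True
                sessions[ip] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
            if len(recent[ip]) >= THRESHOLD:
                blocked_until[ip] = ts + BLOCK_TTL  # rolling: expiry follows the latest failure
        elif event == "LOGOUT" and open_failed[ip]:
            logouts[ip] += 1
            open_failed[ip] = False
        elif event == "LOGIN":
            # A success after a few failures is the mistyped-password case:
            # forget the pending failures, but a block is only ever lifted by expiry.
            recent[ip] = []
            open_failed[ip] = False

    report = {}
    for ip in total:
        until = blocked_until.get(ip)
        if until is not None and until <= now_ts:
            until = None  # block has aged out
        report[ip] = {
            "failures": total[ip],
            "blocked_until": until.strftime(TS_FMT) if until else None,
            "client_like": logouts[ip] == sessions[ip],
        }
    return report


if __name__ == "__main__":
    for ip, state in analyze(SAMPLE_LOG, "2026-05-23 16:30:00").items():
        print(ip, state)
```

On the sample, 203.0.113.10 is blocked and client-like (six failures over three sessions, each closed by LOGOUT), 192.0.2.55 is blocked but drops the connection without logging out, and 198.51.100.7 never reaches the threshold because the successful LOGIN clears its single failure. Re-running with a `now` after the block lifetime shows 203.0.113.10 falling off the list while the later-active 192.0.2.55 stays on it; the threshold and lifetime trade lockouts of a user with a stale client against how long a persistent source stays blocked, so they are set per site rather than taken from here.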
