Thanks to all who replied. Still mumbling...
On 25/05/2026 22:32, John Fawcett via mailop wrote:
> On 25/05/2026 13:10, Alessandro Vesely via mailop wrote:
>> I understand that password cracking is one of today's professions, at
>> least among bots. They attempt a number of logins, using various
>> names, possibly from million-address CDs or Project Honeypot baits. I
>> report their IP address to AbuseIPDB and to their provider's abuse-box.
>>
>> What puzzles me is people that apparently try using a regular mail
>> client. The logs I find are like so:
>>
>> 2026-05-23 13:59:26 CEST imapd: LOGIN FAILED, method=CRAM-MD5
>> 2026-05-23 13:59:31 CEST imapd: LOGIN FAILED, user=EXISTING-USER@domain
>> 2026-05-23 13:59:37 CEST imapd: LOGOUT
>>
>> I wouldn't expect a bot to take care of logging out. These attempts
>> come from Italy, my country, rather than being spread around the
>> world. And when I look up their IP on AbuseIPDB, I find out I'm the
>> only one who reported it. This is disturbing, because I cannot always
>> be sure they're not real users screwing up their password. However,
>> running a family host, I know when attempts come from the wrong
>> provider or from the wrong town, which is most often the case.
>
> I tend to agree that it wouldn't make sense for attackers to log out, but
> it can depend on the programming language and the specific script. For
> example, when using the Python imap library I don't see another call
> apart from logout() that could be used to disconnect. If the attacker is
> running through a repeated loop of logins it might be a good way of
> closing the connection before starting a new one.

The script's characteristics are a good explanation. However, these
amateurs don't attempt other logins to the same server; they limit
themselves to a single attempt. Professional crackers, of whom I see a
greater number, try several usernames on several servers, which is why
they are repeatedly reported on AbuseIPDB.
Best
Ale