On 27/05/2026 02:08, Ángel via mailop wrote:
> On 2026-05-26 at 12:05 +0200, Alessandro Vesely via mailop wrote:
> (...)
>> The script's characteristics are a good explanation. However, these
>> amateurs don't attempt other logins to the same server; they limit
>> themselves to a single attempt. Professional crackers, of whom I see a
>> greater number, try several usernames on several servers, which is why
>> they are repeatedly reported on AbuseIPDB.
>
> To me it does look like a user device. Maybe a phone or computer that
> was given away to a family member (a factory reset? why would users do
> that? 😛).

It can't be a used device. They target two or three users (the third
less frequently) and I see 4~5 attempts a day, some from "unlikely"
locations like Apulia, Sardinia and Calabria.

OTOH, it cannot be a bot. Bots are noisier.

There must be something leaking email addresses, enticing random people
to attempt to hack their mailboxes. However, only the least targeted of
these three subscribes to mailing lists; the other media hide email
addresses. And then, is it a uniquely Italian trend to attempt a cyber
attack once in a lifetime?

> How regular are those attempts?
> How does it behave during the night? And during working hours?

Most attempts are during the day. A few around 5AM made me raise a
brow. An automated connection with a wrong password can make much more
noise.

> Does it ever overlap with an IP which does a valid LOGIN (e.g. a phone
> when on wifi)?

Nope, I maintain a good-IP list.

> If you are tiny enough, you could replace your usernames with something
> unique. E.g. you may require a username of
> d0252760-2ba5-4bfb-9e60-fca427bfea97 in order to log in by imap* to
> [email protected] mailbox.
> A username of 'vesely' or '[email protected]' could be easily guessed.
> That one wouldn't. Thus, if it ever appears on your logs, you know for
> sure that it comes from a once-valid device (...or configuration stolen
> from one!)

Yeah, I did that for a few users (including myself). Not for the three
targeted users; they have the same username and address.

They have decent passwords, so I'm not too worried about a successful
attack. But I cannot explain this...

Best
Ale
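
The log triage the thread describes (a good-IP list, a unique login name per mailbox, and a single guessed name versus several), as an added example that is not part of the original message. The log line format, the IP addresses (documentation ranges), the mailbox label and the function name are assumptions made for illustration; only the UUID comes from the thread.

```python
import re
from collections import defaultdict

# Constructed log format (assumption); adapt the regex to your IMAP server's lines.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>auth-ok|auth-fail) user=<(?P<user>[^>]*)> rip=(?P<ip>\S+)$"
)

# Unique login names issued per mailbox. The UUID is the one quoted in the
# thread; the mailbox label is a placeholder.
SECRET_LOGINS = {"d0252760-2ba5-4bfb-9e60-fca427bfea97": "mailbox-1"}
GOOD_IPS = {"192.0.2.10"}  # good-IP list (documentation address)

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
2026-05-26T09:14:02Z auth-ok user=<d0252760-2ba5-4bfb-9e60-fca427bfea97> rip=192.0.2.10
2026-05-26T10:31:47Z auth-fail user=<vesely> rip=198.51.100.7
2026-05-26T11:02:13Z auth-fail user=<info> rip=203.0.113.50
2026-05-26T11:02:15Z auth-fail user=<admin> rip=203.0.113.50
2026-05-26T11:02:19Z auth-fail user=<vesely> rip=203.0.113.50
2026-05-27T05:03:40Z auth-fail user=<d0252760-2ba5-4bfb-9e60-fca427bfea97> rip=198.51.100.99
not a log line
"""

def classify(log_text, secret_logins=SECRET_LOGINS, good_ips=GOOD_IPS):
    """Return {ip: label} for every source IP that is not on the good-IP list."""
    users_tried = defaultdict(set)   # ip -> usernames seen in failed logins
    secret_seen = {}                 # ip -> mailbox whose secret name was used
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["ip"] in good_ips:
            continue                 # unparsable line or known-good client
        if m["user"] in secret_logins:
            # Success or failure: the name itself cannot have been guessed.
            secret_seen[m["ip"]] = secret_logins[m["user"]]
        elif m["result"] == "auth-fail":
            users_tried[m["ip"]].add(m["user"])
    report = {}
    for ip, users in users_tried.items():
        report[ip] = "several-usernames" if len(users) > 1 else "single-username"
    for ip, mailbox in secret_seen.items():
        report[ip] = f"secret-name-used:{mailbox}"   # overrides the guess labels
    return report

if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(ip, label)
```

A `secret-name-used` label on an address outside the good-IP list points to a once-valid device or a copied client configuration rather than a guess.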