James Brown
2017-Nov-13 03:47 UTC
IMAP connections with ".eml" in the username - bot attack.
We are seeing lots of IMAP login attempts like this:

dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,

or

dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,

etc.

We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.

We are running Sophos UTM firewall but that has no IMAP Proxy and never will.

Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?

Any ideas on how to mitigate it?

Thanks,

James.
Sami Ketola
2017-Nov-13 06:21 UTC
IMAP connections with ".eml" in the username - bot attack.
> On 13 Nov 2017, at 5.47, James Brown <jlbrown at bordo.com.au> wrote:
>
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?

If the attempts really all come from different source ip addresses and the username attempted is always *.eml (and you don't have any real users with username ending in .eml), maybe you could just create a deny-passdb with username_filter *.eml?

passdb {
  driver = static
  deny = yes
  username_filter = *.eml
  args
}

as your first passdb

Sami
Sami Ketola
2017-Nov-13 06:22 UTC
IMAP connections with ".eml" in the username - bot attack.
> On 13 Nov 2017, at 8.21, Sami Ketola <sami.ketola at dovecot.fi> wrote:
>
>>
>> On 13 Nov 2017, at 5.47, James Brown <jlbrown at bordo.com.au> wrote:
>>
>> We are seeing lots of IMAP login attempts like this:
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>>
>> or
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>>
>> etc.
>>
>> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>>
>> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>>
>> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>>
>> Any ideas on how to mitigate it?
>
> If the attempts really all come from different source ip addresses and the username attempted
> is always *.eml (and you don't have any real users with username ending in .eml), maybe you
> could just create a deny-passdb with username_filter *.eml?
>
> passdb {
>   driver = static
>   deny = yes
>   username_filter = *.eml
>   args
> }
>
> as your first passdb

Forgot to mention that the username_filter feature requires dovecot 2.2.30+

Sami
Sean Greenslade
2017-Nov-13 06:23 UTC
IMAP connections with ".eml" in the username - bot attack.
On Mon, Nov 13, 2017 at 02:47:00PM +1100, James Brown wrote:
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?
>
> Thanks,
>
> James.

Wild guess: A spammer misconfigured their spambot? Unless you have any usernames in your system that are formatted like that, it'll never get in, so I wouldn't worry about it. Assuming you have sensible rate limits on IMAP logins in place (e.g. https://wiki.dovecot.org/Authentication/Penalty ), there's nothing more to do. Just laugh it off as another oddity of being a mail admin.

Here's a fun laugh I found in one of my webserver logs:

> 1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

Not my website, nothing even close to that url is hosted on that server. I'm surprised a bot would pretend to be Internet Explorer 4 on Windows 95. Go figure...

--Sean