Joseph Tam
2017-Nov-14 07:17 UTC
IMAP connections with ".eml" in the username - bot attack.
James Brown writes:

> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, method=PLAIN, rip=37.235.28.229,
>
> etc.
> Is anyone else experiencing this? How is such an attack supposed to
> ever succeed? What are they trying to accomplish?

Haven't seen it. I agree with another poster -- probably a spammer screwed up their spamware configuration.

> Any ideas on how to mitigate it?

Mitigate what? Even by your account, this won't get them anywhere, unless it's so fast and heavy that it's DoS'ing your system. Other than that, they're just bloating your logs, nothing more.

If you want to pre-empt this via firewall, you'll need to get extremely lucky to characterise these IPs (a sample of 2 is not enough) in such a way as to be able to formulate a firewall rule. Most likely, this is a rented botnet. If you somehow figure out an oracular rule to discern bot from some user road-warrior *before* they connect, give me a call.

Sean Greenslade <sean at seangreenslade.com> writes:

> Here's a fun laugh I found in one of my webserver logs:
>
>> 1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
>
> Not my website, nothing even close to that url is hosted on that server.

Common proxy target. They're testing whether your web server will support anonymous web proxying. Almost exclusively from China.

Joseph Tam <jtam.home at gmail.com>
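The practical question raised in the thread is whether this traffic is just log noise or heavy enough to matter, and whether the source IPs cluster at all. The script below is an added example (not code from any participant in this thread or from the Dovecot project): it parses `imap-login: Disconnected (auth failed, ...)` lines of the shape quoted above, flags the `.eml`-style usernames, and tallies failed attempts per source IP so you can see volume and spread before deciding anything about firewall rules. The two log lines from the thread are reused as-is; the remaining sample lines, the documentation-range IPs (192.0.2.x) and the `min_attempts` threshold are constructed for the example.

```python
import re
from collections import Counter

# Matches the imap-login failure lines quoted in the thread. The archive
# rewrote "@" in usernames as " at ", so the user capture allows anything
# up to the closing ">".
LINE_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? "
    r"in (?P<secs>\d+) secs\): user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)

# Constructed sample log: the first two lines are the ones quoted in the
# thread; the rest are made up for the example (192.0.2.0/24 is a
# documentation range, not a real source).
SAMPLE_LOG = [
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): "
    "user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, "
    "method=PLAIN, rip=197.255.60.118,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): "
    "user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at bordo.com.au>, "
    "method=PLAIN, rip=37.235.28.229,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): "
    "user=<xinvoicex5fx77120.eml>, method=PLAIN, rip=192.0.2.10,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): "
    "user=<xorderx2dx99.eml@example.com>, method=PLAIN, rip=192.0.2.10,",
    "dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): "
    "user=<alice>, method=PLAIN, rip=192.0.2.20,",
    "dovecot[363]: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=192.0.2.30,",
]


def parse_line(line):
    """Return a dict of attempts/secs/user/method/rip, or None if the line
    is not an auth-failed disconnect."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["attempts"] = int(rec["attempts"])
    rec["secs"] = int(rec["secs"])
    return rec


def is_eml_probe(user):
    """True if the local part of the username looks like an .eml file name.
    Handles both a real '@domain' suffix and the archive's ' at domain'."""
    local = user.split(" at ")[0].split("@")[0]
    return local.lower().endswith(".eml")


def summarize(lines, min_attempts=3):
    """Tally failed attempts per source IP, separating the .eml probes from
    ordinary auth failures. 'block_candidates' lists IPs whose .eml probe
    count reaches min_attempts; with the two-sample case from the thread
    that list stays empty, which is the point: one hit per IP gives you
    nothing to build a rule on."""
    eml_by_ip = Counter()
    all_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        all_by_ip[rec["rip"]] += rec["attempts"]
        if is_eml_probe(rec["user"]):
            eml_by_ip[rec["rip"]] += rec["attempts"]
    return {
        "eml_failures_by_ip": dict(eml_by_ip),
        "all_failures_by_ip": dict(all_by_ip),
        "eml_attempts_total": sum(eml_by_ip.values()),
        "eml_source_count": len(eml_by_ip),
        "block_candidates": sorted(ip for ip, n in eml_by_ip.items() if n >= min_attempts),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['eml_attempts_total']} .eml probe attempts "
          f"from {summary['eml_source_count']} source IPs")
    for ip, n in sorted(summary["eml_failures_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:16} {n}")
    print("candidates at threshold:", summary["block_candidates"])
```

Run it against the real mail log instead of `SAMPLE_LOG` (for example `summarize(open("/var/log/mail.log"))`) to get the per-IP spread; if nearly every IP appears once, the thread's diagnosis of a rented botnet holds and a firewall rule based on source address will not help, whereas a handful of IPs carrying most of the volume is something a rate limiter or a temporary block can act on.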