IMAP connections with ".eml" in the username - bot attack.

James Brown
We are seeing lots of IMAP login attempts like this:

dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,

or

dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[hidden email]>, method=PLAIN, rip=37.235.28.229,

etc.

We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.

We are running Sophos UTM firewall but that has no IMAP Proxy and never will.

Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?

Any ideas on how to mitigate it?

Thanks,

James.
Re: IMAP connections with ".eml" in the username - bot attack.

Sami Ketola

> On 13 Nov 2017, at 5.47, James Brown <[hidden email]> wrote:
>
> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[hidden email]>, method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?

If the attempts really all come from different source ip addresses and the username attempted
is always *.eml (and you don't have any real users with username ending in .eml), maybe you
could just create deny-passdb with username_filter *.eml?

# Deny-only passdb: matches nothing but the bot's username shape and
# rejects it before any real passdb is consulted.
passdb {
  driver = static
  deny = yes
  # wildcard match on the login name; only applies to usernames ending in .eml
  username_filter = *.eml
  args =
}

as your first passdb

Sami
Re: IMAP connections with ".eml" in the username - bot attack.

Sami Ketola

> On 13 Nov 2017, at 8.21, Sami Ketola <[hidden email]> wrote:
>
>>
>> On 13 Nov 2017, at 5.47, James Brown <[hidden email]> wrote:
>>
>> We are seeing lots of IMAP login attempts like this:
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>>
>> or
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[hidden email]>, method=PLAIN, rip=37.235.28.229,
>>
>> etc.
>>
>> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>>
>> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>>
>> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>>
>> Any ideas on how to mitigate it?
>
> If the attempts really all come from different source ip addresses and the username attempted
> is always *.eml (and you don't have any real users with username ending in .eml), maybe you
> could just create deny-passdb with username_filter *.eml?
>
> passdb {
>  driver = static
>  deny = yes
>  username_filter = *.eml
>  args =
> }
>
> as your first passdb

forgot to mention that username_filter feature requires dovecot 2.2.30+

Sami
Re: IMAP connections with ".eml" in the username - bot attack.

Sean Greenslade
In reply to this post by James Brown
On Mon, Nov 13, 2017 at 02:47:00PM +1100, James Brown wrote:

> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
>
> or
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[hidden email]>, method=PLAIN, rip=37.235.28.229,
>
> etc.
>
> We are running fail2ban, but as each login attempt is from a different IP it is not able to stop them.
>
> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>
> Is anyone else experiencing this? How is such an attack supposed to ever succeed? What are they trying to accomplish?
>
> Any ideas on how to mitigate it?
>
> Thanks,
>
> James.

Wild guess: A spammer misconfigured their spambot? Unless you have any
usernames in your system that are formatted like that, it'll never get
in, so I wouldn't worry about it. Assuming you have sensible rate limits
on IMAP logins in place (e.g.
https://wiki.dovecot.org/Authentication/Penalty ), there's nothing more
to do. Just laugh it off as another oddity of being a mail admin.

Here's a fun laugh I found in one of my webserver logs:

> 1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

Not my website, nothing even close to that url is hosted on that server.
I'm surprised a bot would pretend to be Internet Explorer 4 on Windows
95. Go figure...

--Sean
Re: IMAP connections with ".eml" in the username - bot attack.

Joseph Tam-2
In reply to this post by James Brown
James Brown writes:

> We are seeing lots of IMAP login attempts like this:
>
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[hidden email]>, method=PLAIN, rip=37.235.28.229,
>
> etc.
> Is anyone else experiencing this? How is such an attack supposed to
> ever succeed? What are they trying to accomplish?

Haven't seen it.  I agree with another poster -- probably a spammer screwed
up their spamware configuration.

> Any ideas on how to mitigate it?

Mitigate what?  Even by your account, this won't get them anywhere, unless it's
so fast and heavy, it's DoS'ing your system.  Other than that, they're just bloating
your logs, nothing more.

If you want to pre-empt this via firewall, you'll need to get extremely lucky to
characterise these IPs (a sample of 2 is not enough) in such a way as to be able to
formulate a firewall rule.  Most likely, this is a rented botnet.  If you somehow
figure out an oracular rule to discern bot from some user road-warrior *before*
they connect, give me a call.

Sean Greenslade <[hidden email]> writes:

> Here's a fun laugh I found in one of my webserver logs:
>
>> 1446098745 218.249.219.2 "GET http://www.sciencedirect.com/science/book/9780123525512" 400 425 "" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
>
> Not my website, nothing even close to that url is hosted on that server.

Common proxy target.  They're testing whether your web server will support
anonymous web proxying.  Almost exclusively from China.

Joseph Tam <[hidden email]>
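Added example (not part of the thread, and not Dovecot's own tooling): a small Python triage script that runs over imap-login failure lines like the ones James posted and answers the three questions raised above in one pass. It checks whether Sami's proposed username_filter glob actually covers the bot's usernames and whether it would collide with any real account (the caveat in his reply), and it tallies attempts per source IP and per /24 to show why a fail2ban-style per-IP jail never fires and why, as Joseph notes, a handful of IPs is not enough to characterise the source. Assumptions: the log lines beyond the thread's two examples are constructed, the real-user list is constructed, fnmatch is used as an approximation of Dovecot's `*`/`?` wildcard matching in username_filter (Dovecot's own matcher is not imported), and `ban_threshold` stands in for a fail2ban `maxretry` value.

```python
"""Triage Dovecot imap-login auth failures from a log excerpt.

Answers: does a username_filter deny rule cover the bot, does it lock out any
real user, and would per-IP banning (fail2ban) ever have triggered?
"""
import fnmatch
import ipaddress
import re
from collections import Counter

# Constructed sample log: the first line is the thread's own example, the
# rest are made up in the same format to give more than two data points.
# The last line is a legitimate user fat-fingering a password three times.
SAMPLE_LOG = """\
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<invoicex5fx99812.eml>, method=PLAIN, rip=37.235.28.229,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<orderx2dx7731.eml>, method=PLAIN, rip=37.235.28.230,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<receiptx5fx4410.eml>, method=PLAIN, rip=103.21.58.7,
dovecot[363]: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<james>, method=PLAIN, rip=203.0.113.5,
"""

# Constructed list of real accounts on the server (hypothetical).
REAL_USERS = {"james", "joseph", "sean"}

LINE_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text):
    """Return a list of (user, attempts, rip) for every auth-failure line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m["user"], int(m["attempts"]), m["rip"]))
    return out


def filter_report(failures, pattern, real_users):
    """Count failures a username_filter glob would deny, and list real
    accounts the same glob would lock out.

    fnmatch is an approximation of Dovecot's wildcard matching (assumption);
    it is case-sensitive, so normalise usernames the way your
    auth_username_format does before trusting a result.
    """
    matched = sum(1 for u, _, _ in failures if fnmatch.fnmatchcase(u, pattern))
    collisions = sorted(u for u in real_users if fnmatch.fnmatchcase(u, pattern))
    return {
        "matched": matched,
        "unmatched": len(failures) - matched,
        "collisions": collisions,
    }


def ip_report(failures, ban_threshold, prefix_len=24):
    """Sum attempts per source IP and per /prefix_len network.

    An IP is 'bannable' only if it alone reaches ban_threshold, which is
    what a per-IP jail keyed on rip needs to see.  One attempt per address
    from a botnet never gets there.
    """
    per_ip = Counter()
    per_net = Counter()
    for _, attempts, rip in failures:
        per_ip[rip] += attempts
        net = ipaddress.ip_network(f"{rip}/{prefix_len}", strict=False)
        per_net[str(net)] += attempts
    bannable = sorted(ip for ip, n in per_ip.items() if n >= ban_threshold)
    return {"distinct_ips": len(per_ip), "bannable": bannable, "per_net": dict(per_net)}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(filter_report(fails, "*.eml", REAL_USERS))
    # Whole log: only the real user's IP ever crosses a maxretry of 3.
    print(ip_report(fails, ban_threshold=3))
    # Bot lines only: one attempt per IP, nothing to ban.
    bots = [f for f in fails if f[0].endswith(".eml")]
    print(ip_report(bots, ban_threshold=3))
```

If `collisions` comes back empty for your real account list, the glob is safe to drop into the deny passdb Sami showed; if it is not, tighten the pattern (Dovecot's username_filter also accepts a comma-separated list and `!` negations) rather than deny a real mailbox. The per-IP result is the point about fail2ban: on the bot lines every address contributes exactly one attempt, so no `maxretry` value short of 1 would ever ban anything, and a `maxretry` of 1 would ban every user who mistypes a password once.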