> On 13 Nov 2017, at 8.21, Sami Ketola <sami.ket...@dovecot.fi> wrote:
>
>> On 13 Nov 2017, at 5.47, James Brown <jlbr...@bordo.com.au> wrote:
>>
>> We are seeing lots of IMAP login attempts like this:
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
>> user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>,
>> method=PLAIN, rip=197.255.60.118,
>>
>> or
>>
>> dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
>> user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584....@bordo.com.au>,
>> method=PLAIN, rip=37.235.28.229,
>>
>> etc.
>>
>> We are running fail2ban, but as each login attempt is from a different IP it
>> is not able to stop them.
>>
>> We are running Sophos UTM firewall but that has no IMAP Proxy and never will.
>>
>> Is anyone else experiencing this? How is such an attack supposed to ever
>> succeed? What are they trying to accomplish?
>>
>> Any ideas on how to mitigate it?
>
> If the attempts really all come from different source IP addresses and the
> username attempted is always *.eml (and you don't have any real users with a
> username ending in .eml), maybe you could just create a deny passdb with
> username_filter *.eml?
>
> passdb {
>   driver = static
>   deny = yes
>   username_filter = *.eml
>   args =
> }
>
> as your first passdb.
Forgot to mention that the username_filter feature requires Dovecot 2.2.30+.

Sami
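As an added example (not from the thread or from Dovecot itself), a short Python script that parses imap-login lines in the format quoted above and shows why a per-IP fail2ban threshold never trips on distributed one-attempt-per-IP guesses, while the proposed `*.eml` username glob catches most of them and misses the domain-suffixed form seen in the second quoted line. The log lines, IPs and usernames are constructed, and Dovecot's username_filter glob is approximated with fnmatch.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample log, modelled on the imap-login lines quoted in the thread.
# IPs are documentation ranges; usernames are made up in the same style.
SAMPLE_LOG = """\
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xinvoicex5fx10001.eml>, method=PLAIN, rip=203.0.113.10,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<xinvoicex5fx10002.eml>, method=PLAIN, rip=203.0.113.11,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<xinvoicex5fx10003.eml>, method=PLAIN, rip=198.51.100.7,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xvisitx5fx20004@bordo.com.au>, method=PLAIN, rip=203.0.113.12,
dovecot[363]: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=<alice>, method=PLAIN, rip=198.51.100.200,
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=198.51.100.200,
"""

LINE_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)

def parse_failures(log_text):
    """Return (user, rip, attempts) for every failed-auth disconnect line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m["user"], m["rip"], int(m["attempts"])))
    return out

def summarize(log_text, deny_glob="*.eml", maxretry=3):
    """Contrast a per-IP ban threshold (fail2ban style) with a username glob deny."""
    failures = parse_failures(log_text)
    per_ip = Counter()
    for _, rip, attempts in failures:
        per_ip[rip] += attempts
    # Dovecot's username_filter is a glob; fnmatchcase is a close stand-in here.
    denied = [u for u, _, _ in failures if fnmatchcase(u, deny_glob)]
    return {
        "total_attempts": sum(a for _, _, a in failures),
        "distinct_ips": len(per_ip),
        # Only IPs reaching maxretry would ever be banned; distributed guesses never do.
        "ips_over_maxretry": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
        "denied_by_filter": len(denied),
        # Usernames the glob misses (e.g. a domain-suffixed form) need a wider filter.
        "not_denied": sorted({u for u, _, _ in failures if not fnmatchcase(u, deny_glob)}),
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```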