On Mon, 3 Aug 2009 21:31:05 +0000 (UTC)
Stuart Henderson <s...@spacehopper.org> wrote:

> On 2009-08-03, Eric <rabbitearcr...@gmail.com> wrote:
> > I'm suddenly seeing numbers of various computers trying
> > to log on imap on my mail server.
> >
> > I've never noticed this before.  Is there a new
> > vulnerability out there someone is trying to exploit?
> 
> IME it's normal background noise for the internet..
> 

Usually I see about 1-3 attempts to log onto IMAP accounts
a month.  And those are always or nearly always for role
account names.  If there are exceptions, it is for common
account names.

What is most unusual is that these accounts are all either
current accounts or former accounts that were removed:

* Two accounts were removed years ago
* One account was one that I thought I had removed, but
missed.  The user moved a couple of years ago.
* Another account was that of a woman who passed away fairly
recently. The account is still there in case her husband
wants to use it even though he's never shown any interest
in the Internet.

The other accounts tried are all current.

Also, most of the users involved either mentioned or
complained about the amount of spam they were getting at
one time or another.

The attempts came from a number of different IP addresses.
Some were from colocation companies and some appeared to be
from dynamically assigned addresses at ISPs.  From the
reverse lookup, one IP address used was a web server.

> The things you can do in PF to mitigate SSH brute forcing
> (max-src-conn-rate etc) can be used here too, but must be
> done carefully as legitimate clients make multiple
> connections.

I thought about doing that.  

Since we have a limited number of users on the machine and
only one or two ever use IMAP remotely, I blocked non-local
IMAP access for a while this morning.  After I unblocked
it about 11 am, there have been no more attempts.

Because of the difference in patterns, i.e. multiple tries
from different IP addresses in the same evening and
morning and because it used actual account names that are
either in use or were in use and have had spam problems, I
think that this is quite different than the usual
background noise.

Perhaps a spammer is looking for legitimate mail servers to
use for their spam runs.

Eric
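The PF mitigation Stuart alludes to, applied to IMAP, as an added example that is not part of the original thread or of either poster's configuration. It is a pf.conf fragment in OpenBSD 4.x-era syntax; the interface names, the LAN prefix, the whitelisted remote address and the thresholds are all assumptions to be tuned for your own clients.

```pf
# Added example, not from the original thread.  em0, fxp0, the LAN
# prefix, 203.0.113.10 and the numeric thresholds are assumptions.
ext_if = "em0"
int_if = "fxp0"

# Sources that tripped the rate limit.  "persist" keeps the table
# across rule reloads so that entries can be aged out with pfctl.
table <imap_bruteforce> persist

# The one or two remote users who legitimately need IMAP from
# outside (assumed address); they are never rate limited.
table <imap_remote_ok> persist { 203.0.113.10 }

# Anything already in the overload table is dropped outright.
block in quick on $ext_if proto tcp from <imap_bruteforce> \
    to ($ext_if) port { imap imaps }

# Local users on the inside interface are not rate limited at all,
# which is the equivalent of the "block non-local IMAP" stopgap
# described above when the last rule is removed.
pass in quick on $int_if proto tcp to port { imap imaps } \
    flags S/SA keep state

# Known remote clients bypass the limits.  A desktop MUA commonly
# holds several connections per account, and several users behind
# one NAT address all look like a single source to pf, so per-source
# limits must be generous for anyone you do not whitelist.
pass in quick on $ext_if proto tcp from <imap_remote_ok> \
    to ($ext_if) port { imap imaps } flags S/SA keep state

# Everyone else: at most 15 concurrent connections, and at most
# 20 new connections in any 60 second window, before the source is
# added to the block table and all of its existing states are
# flushed ("flush global" kills states from every rule, not just
# this one).
pass in on $ext_if proto tcp to ($ext_if) port { imap imaps } \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 20/60, \
     overload <imap_bruteforce> flush global)
```

Two caveats a practitioner would add. First, these counters are kept per source address, so the pattern described in this thread (a handful of attempts each from many different addresses, colocation boxes and dynamic ISP ranges alike) will mostly stay under any threshold that still lets a real client work; the overload table catches the noisy single-source brute forcer, and the authentication log remains the place to spot the distributed one. Second, blocked sources should not stay blocked forever, since dynamic addresses get reassigned; a daily `pfctl -t imap_bruteforce -T expire 86400` from cron removes entries older than a day.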
