Last Updated: 2016-09-10 07:07:37 UTC
by Xavier Mertens (Version: 1)
I'm operating a mail server which handles email flows from multiple domains (<20 domains). The server is under a massive IMAPS (port 993) scan for a few days. More details about the ongoing attack:
- Some logins are valid
- Some logins seem to be part of a dictionary
- Some logins are old or unused (like scraped from web pages)
- Some logins have a format 'firstname.lastname@example.org', other just the 'user'
[Update: some IP addresses are also testing SMTP AUTH]
There is a strong password policy in place and no credentials were compromized. This is not a brute-force attack, connection attempts are coming by waves. The only impact until now was a pollution of my logs!
There is an OSSEC active-response with the 'repeated_offender' feature enabled (at 30, 60, 120, 240, 480 minutes) but new IP addresses are always detected (like being part of a bot):
I searched for more information about the offending IP addresses, they do not seem to belong to a known botnet. They are not Tor exit-nodes. Here is the top-10 of active IP addresses:
Someone else has already detected the same kind of scan?
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant