Authenticated SMTP and IMAP authentication attacks and attempts we see here

September 17, 2022

A while back I wrote about how large scale SSH brute force attacks seem to have stopped here. SSH isn't the only form of authentication that we have exposed to the Internet; we also have both an IMAP server and an authenticated SMTP server, and unsurprisingly they also see activity. To my surprise, the activity patterns are quite different (which took some time to discover, since they both actually authenticate through Dovecot).

Our authenticated SMTP server sees widespread and determined probes from a wide range of IP addresses that appear to be attempting to brute force email addresses here; basically the kind of activity that I expected to see for SSH. However, many of these brute force attacks have no chance of success because they're being directed against either logins that no longer exist or email addresses that were never logins in the first place, and were only aliases or mailing lists. The obvious guess is that attackers targeting authenticated SMTP simply scrape every From: address from your domain that they can find and then set their hordes loose on brute force attacks.

(Over the past 7 days, the most targeted name is a mailing list, for over 18,000 attempts, and the next most targeted is an alias, for almost 4,000 attempts.)

The source IPs of these probes change over time. Although some sources continue to probe us over a long time scale, it's more common to see a source active for a day or two (usually against more than one login name) and then go away. My guess is that either the attacker loses access to that IP or they lose interest in us and change targets for a while.

By contrast, our IMAP server sees only a very low level of what appear to be brute force attempts. Instead it sees an entirely different pattern, where it appears that people who once had logins here still have some devices that are attempting to log in to their IMAP accounts. The typical pattern is that a single IP or a few closely related IPs will make ongoing attempts to log in to a single previously-valid login name. These attempts can continue from the same IP for weeks. I'd like to say I'm surprised that there are any IMAP clients that would be this determined, but I'm not that optimistic about IMAP client quality. I find it entirely believable that there are clients who won't stop even after months of failure (and people who don't notice that an IMAP account doesn't work or even still exists).

(This elaborates on a tweet of mine about the IMAP situation.)

There's probably nothing we can sensibly do about these IMAP clients, and they're not doing us any harm (apart from cluttering up the logs). If we seemed to have attackers going after IMAP instead of authenticated SMTP I might be more worried about the log clutter, but as it is the extra IMAP stuff seems harmless. The clear attacker action is in authenticated SMTP, which leads to the guess that this would be spammers looking for a way to send their spam.

Comments on this page:

By Miksa at 2022-09-19 05:26:49:

Have you checked if any of the IPs with a large amount of failed SMTP logins have succeeded with logins?

By cks at 2022-09-20 22:37:30:

I haven't tried to do that check, although it's a good idea. My assumption is that any attacker who succeeded in access would immediately use that access to spam (or at least somehow), but that's just an assumption. It's probably possible to put together some reasonably efficient log analysis that answers the question.
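As an added example (not code from the post or its comments), here is the sort of log analysis the reply above has in mind: it parses Dovecot-style login lines, counts failures per service and login name (which shows the hammered aliases and the persistent stale IMAP client), and lists any source IP that accumulated failures on a service and then logged in successfully from the same address. The log format, service names and sample lines are constructed assumptions; a real Dovecot or MTA log may differ.

```python
import re
from collections import Counter, defaultdict

# Constructed Dovecot-style login log lines (assumed format, not from the post).
SAMPLE_LOG = """\
Sep 17 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<olduser>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.1, TLS
Sep 17 10:05:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<olduser>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.1, TLS
Sep 17 10:07:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.5, lip=203.0.113.1, mpid=4242, TLS
Sep 17 10:10:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<olduser>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.1, TLS
Sep 17 11:00:00 mail dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<listname>, method=PLAIN, rip=203.0.113.7, lip=203.0.113.1, TLS
Sep 17 11:00:02 mail dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<aliasname>, method=PLAIN, rip=203.0.113.7, lip=203.0.113.1, TLS
Sep 17 11:00:04 mail dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<listname>, method=PLAIN, rip=203.0.113.7, lip=203.0.113.1, TLS
Sep 17 11:00:06 mail dovecot: submission-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.7, lip=203.0.113.1, mpid=4243, TLS
Sep 17 11:30:00 mail dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<listname>, method=PLAIN, rip=203.0.113.9, lip=203.0.113.1, TLS
"""

# Matches both a successful "Login:" line and an "auth failed" disconnect line.
LINE_RE = re.compile(
    r"dovecot: (?P<svc>\w+)-login: (?P<res>Login|Disconnected \(auth failed[^)]*\)):"
    r" user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse_events(text):
    """Return a list of (service, remote_ip, user, succeeded) for each login-related line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["svc"], m["rip"], m["user"], m["res"] == "Login"))
    return events

def failures_per_target(events):
    """Count failed attempts per (service, login name): shows which names are being hammered."""
    return Counter((svc, user) for svc, _ip, user, ok in events if not ok)

def ips_that_failed_then_succeeded(events, min_failures=2):
    """The question from the comments: which IPs racked up at least min_failures
    failures on a service and also logged in successfully (to any user) from that address?"""
    fails, wins = Counter(), defaultdict(set)
    for svc, ip, user, ok in events:
        if ok:
            wins[(svc, ip)].add(user)
        else:
            fails[(svc, ip)] += 1
    return {key: sorted(users) for key, users in wins.items() if fails[key] >= min_failures}

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(failures_per_target(ev).most_common())
    print(ips_that_failed_then_succeeded(ev))
```

An IP that appears in the second report deserves a look at what it did after logging in, since a hit on a valid login from a brute-forcing source is the spam-relay case the post worries about.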

Written on 17 September 2022.

Last modified: Sat Sep 17 22:00:12 2022