My MercuryI logs show a number of instances of 'password failure' due to malicious IMAP login attempts. In some cases the user doesn't exist, in some cases the user is valid but the password is wrong (the logs show a previous dictionary attack to find valid names). So far as I know there have been no attempts that have correctly guessed the password but I would like to defend against them further.
I can/will make my passwords more complex, and possibly change the user names. I can't lock down the permitted hosts using Connection Control, as the IP allocated to mobile devices will change (and if I'm abroad, even the IP range will change). Is there any way to invoke an IP blacklist such as Spamhaus in Connection Control, as is done with MercuryS?
Thanks
[quote user="Chris Bolton"]
My MercuryI logs show a number of instances of 'password failure' due to malicious IMAP login attempts. In some cases the user doesn't exist, in some cases the user is valid but the password is wrong (the logs show a previous dictionary attack to find valid names). So far as I know there have been no attempts that have correctly guessed the password but I would like to defend against them further.
I can/will make my passwords more complex, and possibly change the user names. I can't lock down the permitted hosts using Connection Control, as the IP allocated to mobile devices will change (and if I'm abroad, even the IP range will change). Is there any way to invoke an IP blacklist such as Spamhaus in Connection Control, as is done with MercuryS?
Thanks
[/quote]
Mercury's IMAP server is doing exactly what it should - blocking invalid IMAP connection requests. So long as IMAP access to your mail accounts requires a password, and the people that use those accounts don't share those passwords, you have nothing to worry about. Not the solution you are after, but at least you know your accounts are secure.
In such cases something like fail2ban would be cool in Windows...
Do you really need direct access to the imap-server? If not then i suggest to use a VPN. This prevents also further problems, if the dictionary attack has success...
Thank you both for your replies and comments.
Greenman, that's as I thought, but it's only by following up possible vulnerabilities that I educate myself. I'm not seriously worried at this stage, but if I can make things more secure, why not do so?
Sellerie, it had occurred to me that an application to do what fail2ban does would be useful, but I wasn't aware of it. Find the right search string for something you don't know the name of is always hard, but starting from fail2ban I've found several similar for Windows, and will test them. I'm sorry, but I don't follow what you mean by direct access. Regarding a VPN, are you suggesting I host a VPN on the server so that IMAP clients must log in to the VPN?
