Community Discussions and Support
Malicious IMAP login attempts

Apparently there's wail2ban...

 

https://alternativeto.net/software/fail2ban/?platform=windows 

My MercuryI logs show a number of instances of 'password failure' due to malicious IMAP login attempts. In some cases the user doesn't exist, in some cases the user is valid but the password is wrong (the logs show a previous dictionary attack to find valid names). So far as I know there have been no attempts that have correctly guessed the password but I would like to defend against them further.

I can/will make my passwords more complex, and possibly change the user names. I can't lock down the permitted hosts using Connection Control, as the IP allocated to mobile devices will change (and if I'm abroad, even the IP range will change). Is there any way to invoke an IP blacklist such as Spamhaus in Connection Control, as is done with MercuryS?

Thanks

[quote user="Chris Bolton"]

My MercuryI logs show a number of instances of 'password failure' due to malicious IMAP login attempts. In some cases the user doesn't exist, in some cases the user is valid but the password is wrong (the logs show a previous dictionary attack to find valid names). So far as I know there have been no attempts that have correctly guessed the password but I would like to defend against them further.

I can/will make my passwords more complex, and possibly change the user names. I can't lock down the permitted hosts using Connection Control, as the IP allocated to mobile devices will change (and if I'm abroad, even the IP range will change). Is there any way to invoke an IP blacklist such as Spamhaus in Connection Control, as is done with MercuryS?

Thanks

[/quote]

Mercury's IMAP server is doing exactly what it should - blocking invalid IMAP connection requests. So long as IMAP access to your mail accounts requires a password, and the people that use those accounts don't share those passwords, you have nothing to worry about. Not the solution you are after, but at least you know your accounts are secure.

In such cases something like fail2ban would be cool in Windows...


Do you really need direct access to the IMAP server? If not, then I suggest using a VPN. This also prevents further problems if the dictionary attack succeeds...

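As an added example (not Mercury's own code, and not one of the Windows fail2ban ports linked in this thread), here is what a minimal fail2ban-style watcher looks like on Windows: it reads the MercuryI log, counts "password failure" lines per source address, and adds repeat offenders to a single Windows Firewall block rule on the IMAP ports. The log path, the line shape matched by the regex, the ports and the thresholds are all assumptions; the sample line in the comment is constructed, and the real MercuryI format may differ. One caveat on the Spamhaus idea: DNSBLs such as the Spamhaus PBL list dynamic end-user ranges, which are exactly the mobile ranges the original poster needs to keep open, so a DNSBL in front of IMAP tends to lock out legitimate clients; per-IP rate limiting of failed logins, as below, fits the problem better.

```powershell
<#
 Added example, not Mercury's own code: a minimal fail2ban-style watcher for
 Windows. It reads the MercuryI log, counts "password failure" lines per
 source IP and blocks repeat offenders in Windows Firewall. Run elevated.
 Log path, line format, ports and thresholds below are all assumptions.
#>
param(
    [string]   $LogPath   = 'C:\MERCURY\LOGS\MERCURYI.LOG',  # assumed location
    [int]      $Threshold = 5,                                # failures before a ban
    [string]   $RuleName  = 'Block IMAP brute-force',
    [string]   $StatePath = "$env:ProgramData\imap-bans.txt", # IPs banned so far
    [string[]] $NeverBan  = @('127.0.0.1', '192.168.0.0/16')  # never block these
)

# Assumed line shape (constructed; the real MercuryI format may differ, adjust the regex):
#   12:34:56 [203.0.113.7] password failure for 'bob'
$pattern = '(?<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b).*password failure'

function ConvertTo-UInt32 {
    param([string]$Address)
    [byte[]]$b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($b)   # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { return $Ip -eq $net }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Count failures per source address over the whole log (no time window).
$failures = @{}
foreach ($line in Get-Content $LogPath) {
    if ($line -match $pattern) {
        $ip = $Matches['ip']
        $failures[$ip] = 1 + [int]$failures[$ip]
    }
}

$already = @()
if (Test-Path $StatePath) { $already = @(Get-Content $StatePath) }

$toBan = @(foreach ($ip in $failures.Keys) {
    if ($failures[$ip] -lt $Threshold -or $already -contains $ip) { continue }
    $trusted = $false
    foreach ($cidr in $NeverBan) { if (Test-InCidr $ip $cidr) { $trusted = $true } }
    if (-not $trusted) { $ip }
})

if ($toBan.Count -eq 0) { Write-Host 'No new addresses to block.'; return }

# One inbound block rule on the IMAP/IMAPS ports; new offenders are appended
# to its remote-address list instead of creating a rule per address.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 143, 993 -RemoteAddress $toBan | Out-Null
} else {
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress (@($current) + $toBan)
}

$toBan | Add-Content $StatePath
Write-Host "Blocked: $($toBan -join ', ')"
```

Run it from Task Scheduler every few minutes as an administrator. Two deliberate simplifications to be aware of: bans never expire (remove the address from the rule and from the state file to lift one, where fail2ban would do this on a timer), and failures are counted over the entire log rather than a sliding window, so rotate the log or add timestamp parsing before relying on the threshold. Keep your own networks in $NeverBan; otherwise a client with a mistyped password can lock you out of your own server.
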
Thank you both for your replies and comments.

Greenman, that's as I thought, but it's only by following up possible vulnerabilities that I educate myself. I'm not seriously worried at this stage, but if I can make things more secure, why not do so?

Sellerie, it had occurred to me that an application to do what fail2ban does would be useful, but I wasn't aware of it. Finding the right search string for something you don't know the name of is always hard, but starting from fail2ban I've found several similar tools for Windows, and will test them. I'm sorry, but I don't follow what you mean by direct access. Regarding a VPN, are you suggesting I host a VPN on the server so that IMAP clients must log in to the VPN?
