SANS Internet Storm Center (ISC) InfoSec Forums
Ongoing IMAP Scan, Anyone Else?

I'm operating a mail server which handles email flows from multiple domains (<20 domains). The server is under a massive IMAPS (port 993) scan for a few days. More details about the ongoing attack:

  • Some logins are valid
  • Some logins seem to be part of a dictionary
  • Some logins are old or unused (like scraped from web pages)
  • Some logins have a format 'user@domain.tld', other just the 'user'

[Update: some IP addresses are also testing SMTP AUTH]

There is a strong password policy in place and no credentials were compromised. This is not a brute-force attack; connection attempts come in waves. The only impact until now has been the pollution of my logs!

There is an OSSEC active-response[1] with the 'repeated_offender' feature enabled (at 30, 60, 120, 240, 480 minutes), but new IP addresses are always detected (as if they were part of a botnet):

I searched for more information about the offending IP addresses; they do not seem to belong to a known botnet, and they are not Tor exit nodes. Here are the top 10 active IP addresses:

Has anyone else already detected the same kind of scan?


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


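To show what the triage described in the diary looks like in practice, here is an added example (not code from the diary or from OSSEC) that parses IMAPS and SMTP AUTH failures per source IP, counts how many login names are fully qualified ('user@domain.tld') versus bare ('user'), detects the wave pattern by inter-arrival gaps, and escalates block lengths through the same 30/60/120/240/480-minute steps mentioned above. The log lines are constructed in Dovecot imap-login and Postfix smtpd style (the diary shows no log excerpt), the year 2016 is supplied because syslog timestamps carry none, and the block-escalation semantics (base timeout first, one step up per offence after the previous block expires, hits inside an active block ignored) are an assumption modelled on OSSEC's repeated_offenders, not a reimplementation of it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the diary): Dovecot imap-login auth
# failures and one Postfix SASL failure from the same source, 203.0.113.5.
SAMPLE_LOG = """\
Sep 10 10:12:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a1>
Sep 10 10:12:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a2>
Sep 10 10:12:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<oldintern@example.org>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a3>
Sep 10 10:13:44 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 10:40:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS, session=<b1>
Sep 10 11:05:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a4>
Sep 10 12:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a5>
"""

IMAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)"
)
SMTP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)


def parse_events(log_text, year=2016):
    """Return sorted (timestamp, ip, service, user) tuples for every auth failure.
    Syslog lines carry no year, so one is supplied (assumption)."""
    def stamp(m):
        return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")

    events = []
    for line in log_text.splitlines():
        m = IMAP_RE.match(line)
        if m:
            events.append((stamp(m), m.group("ip"), "imaps", m.group("user")))
            continue
        m = SMTP_RE.match(line)
        if m:  # SMTP AUTH failures do not log the attempted user name
            events.append((stamp(m), m.group("ip"), "smtp-auth", None))
    return sorted(events)


class RepeatedOffender:
    """Escalating block lengths (assumed OSSEC-like semantics): the first block
    uses the base timeout, each later offence after the block has expired moves
    one step up the list, and hits inside an active block are ignored."""

    def __init__(self, base_minutes=10, steps=(30, 60, 120, 240, 480)):
        self.durations = [base_minutes, *steps]
        self.blocked_until = {}          # ip -> datetime the block expires
        self.offences = defaultdict(int)  # ip -> number of blocks applied

    def hit(self, ip, ts):
        """Return the block length (minutes) applied now, or None if blocked."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return None
        n = self.offences[ip]
        minutes = self.durations[min(n, len(self.durations) - 1)]
        self.offences[ip] = n + 1
        self.blocked_until[ip] = ts + timedelta(minutes=minutes)
        return minutes


def count_waves(timestamps, gap=timedelta(minutes=5)):
    """Count bursts: a new wave starts when the pause since the previous
    event from the same source exceeds `gap`."""
    waves, last = 0, None
    for ts in sorted(timestamps):
        if last is None or ts - last > gap:
            waves += 1
        last = ts
    return waves


def analyze(log_text):
    """Per-IP summary: services probed, qualified vs bare login names,
    number of waves, and the blocks the escalation policy would apply."""
    tracker = RepeatedOffender()
    per_ip = defaultdict(lambda: {"services": set(), "users": [], "times": [], "blocks": []})
    for ts, ip, service, user in parse_events(log_text):
        rec = per_ip[ip]
        rec["services"].add(service)
        rec["times"].append(ts)
        if user is not None:
            rec["users"].append(user)
        minutes = tracker.hit(ip, ts)
        if minutes is not None:
            rec["blocks"].append((ts.strftime("%H:%M:%S"), minutes))
    return {
        ip: {
            "services": sorted(rec["services"]),
            "qualified_users": sum("@" in u for u in rec["users"]),
            "bare_users": sum("@" not in u for u in rec["users"]),
            "waves": count_waves(rec["times"]),
            "blocks": rec["blocks"],
        }
        for ip, rec in per_ip.items()
    }


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed input the source 203.0.113.5 shows up on both IMAPS and SMTP AUTH, three waves, a mix of qualified and bare user names, and three blocks of 10, 30 and 60 minutes; the 5-minute gap and the base timeout are tunables, and a source that only ever appears once (as the diary's ever-changing addresses do) never climbs the escalation ladder, which is exactly why the repeated-offender approach gives little relief against a distributed scan.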

Comment (ISC Handler, Sep 10th 2016):
Yep, I see those too. Seems like the old LinkedIn accounts and others released are being checked.

Comment:
We saw those IPs for a week or so at the end of June against SMTP. Your turn to get all the attention, I guess.
