LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-03-2024, 04:01 PM   #1
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Why try to crack IMAP?


I believe I have things under control, but was wondering why anyone would try to hack/crack into an IMAP server? I have a server that gets many ‘unknown user’ attempts per hour. All one could do if successful is read/delete email messages. Why do they bother?

I’ve set up fail2ban to jail IPs after one failed attempt…for 24 hours. There are currently 224 jailed IPs…so 224 attempts in the last 24 hours.

Thoughts?

Last edited by scasey; 03-03-2024 at 04:18 PM.
 
Old 03-03-2024, 04:47 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Quote:
Originally Posted by scasey View Post
I believe I have things under control, but was wondering why anyone would try to hack/crack into an IMAP server? I have a server that gets many ‘unknown user’ attempts per hour. All one could do if successful is read/delete email messages. Why do they bother?

I’ve set up fail2ban to jail IPs after one failed attempt…for 24 hours. There are currently 224 jailed IPs…so 224 attempts in the last 24 hours. Thoughts?
Depends on where you work as far as what they want to read...anything with user information that could be used for identity theft would be a good target, along with any banking info. Past that, they could be looking to use your IMAP server to shovel out spam messages, so that when YOU get banned/blocked/blacklisted, they just move to another server, leaving you to deal with the mess.
 
Old 03-03-2024, 07:26 PM   #3
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

A scam recently reported involving faked email.
 
Old 03-03-2024, 08:05 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,326
Blog Entries: 28

Or it is possible that you are experiencing random port scans, in which wannabe hackers keep trying doors hoping to find ones that are unlocked. They are extremely common.
 
Old 03-09-2024, 11:15 AM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Original Poster
The count dropped off to around 150, then crept back up to over 200. Just for fun, I’ve set the jail time to 10 days. Wonder how many IPs will be jailed in that time?

The hackers make two attempts in a minute with the same bogus user but from two different IP addresses. They do that every few minutes, averaging 10-12 attempts per hour. Since each IP is immediately jailed, they aren’t used (don’t get through) more than once. Has crept up to 300+ while composing this…
 
Old 03-09-2024, 12:13 PM   #6
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 774

Why not rope off the server with libwrap so they can't even swing at it or do you have clients all over? All those attempts and blocks are still using resources. Plus, attackers rent out VPSs off large cloud providers nowadays. They dirty up an IP, and then move on quickly so your block-by-IP isn't doing much good. The days of one-IP-one-bad-guy ended 12 (or more) years ago. I'd be willing to bet most of them don't even have a domain name set and are from Linode or Digital Ocean.

Email username/password pairs are often sold in bulk on the darknet.
 
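A defender-side check for the pattern scasey describes in post #5 (the same bogus user tried from two different IPs within a minute), which a per-IP ban never sees, as jayjwa points out above. This is an added example, not code from the thread; it runs over constructed dovecot-style log lines, and the hostnames, addresses and usernames in it are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in dovecot's imap-login failure format (not from the thread).
SAMPLE_LOG = """\
Mar  9 11:02:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<sales@example.org>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Mar  9 11:02:41 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.org>, method=PLAIN, rip=192.0.2.88, lip=203.0.113.5, TLS
Mar  9 11:06:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<info@example.org>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
Mar  9 11:30:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice@example.org>, method=PLAIN, rip=203.0.113.200, lip=203.0.113.5, TLS
Mar  9 11:40:55 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.org>, method=PLAIN, rip=192.0.2.91, lip=203.0.113.5, TLS
"""

# Syslog timestamp, then the attempted user and the remote IP ("rip=") of the failure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, user, remote_ip) for each failed IMAP login in the text."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            stamp = " ".join(m["ts"].split())          # collapse "Mar  9" padding
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["rip"]))
    return out

def distributed_attempts(failures, window=timedelta(minutes=1), min_ips=2):
    """Group failures by username and flag any user probed from at least
    min_ips distinct source addresses inside one sliding window.
    Returns {user: sorted list of source IPs} for the flagged users."""
    by_user = defaultdict(list)
    for ts, user, rip in failures:
        by_user[user].append((ts, rip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ips = {rip for ts, rip in events[i:] if ts - t0 <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for user, ips in distributed_attempts(parse_failures(SAMPLE_LOG)).items():
        print(f"{user}: tried from {len(ips)} addresses within a minute: {ips}")
```

Widening `window` (for example to an hour) shows the slower per-user campaigns that scasey observed averaging 10-12 attempts per hour.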
Old 03-09-2024, 04:35 PM   #7
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Original Poster
Quote:
Originally Posted by jayjwa View Post
Why not rope off the server with libwrap so they can't even swing at it or do you have clients all over? All those attempts and blocks are still using resources. Plus, attackers rent out VPSs off large cloud providers nowadays. They dirty up an IP, and then move on quickly so your block-by-IP isn't doing much good. The days of one-IP-one-bad-guy ended 12 (or more) years ago. I'd be willing to bet most of them don't even have a domain name set and are from Linode or Digital Ocean.

Email username/password pairs are often sold in bulk on the darknet.
I don’t actually have any paying clients anymore, having just retired from the business of hosting domains and building applications. There are only three active mail users on the server: me, my wife and one of our daughters, so yes, I could use tcp wrappers…although we all currently connect with dynamic IPs. Still, I know what those are, and have even configured fail2ban to never block them.

I do still host some family and “public service” websites, and am a domain registration reseller. I’m currently mulling over if and how best to continue these “hobbies.” Meantime I can tinker with things like jailing hundreds of IPs.
 
Old 03-14-2024, 07:20 PM   #8
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Original Poster
Six days in…1059 IPs blocked. Number of attempts has dropped considerably…only eight in the last 24 hours.
 
Old 03-15-2024, 04:15 AM   #9
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,852

I'm not sure if they know it's an imap server and want to hack it. They may have different goals.
 
Old 03-19-2024, 06:39 AM   #10
MilesWeb
LQ Newbie
 
Registered: Jan 2024
Posts: 8

224 attempts in 24 hours is definitely a lot in numbers.

With Fail2ban, you are already making it hard for attackers to succeed. This will prevent attacks where someone keeps trying different passwords.

1. Check if someone has a list of email addresses and passwords.
2. Someone might be targeting your server for access.
3. The attacker might be looking for inactive email accounts.
 
Old 03-19-2024, 07:25 AM   #11
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Quote:
Originally Posted by scasey View Post
All one could do if successful is read/delete email messages. Why do they bother?
Because this is a massive issue, if they can read someone's e-mail messages they can read password reset e-mails / links / 2FA codes. Can also read any notifications they've had, so get a good guess at what services the person is signed up for.

Being able to read someone's e-mail messages is by far the biggest security risk in terms of identity theft.
 
Old 03-19-2024, 08:22 AM   #12
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,852

Quote:
Originally Posted by TenTenths View Post
Because this is a massive issue, if they can read someone's e-mail messages they can read password reset e-mails / links / 2FA codes. Can also read any notifications they've had, so get a good guess at what services the person is signed up for.

Being able to read someone's e-mail messages is by far the biggest security risk in terms of identity theft.
Not to mention the case when they know you're on vacation and no one is home.
They can collect a huge amount of information from your mails, including accounts, cards, whatever is available. And they can also use your mail (communicate) instead of you.
 
Old 03-19-2024, 11:53 PM   #13
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Original Poster
The count jailed peaked yesterday (the 10th day) at 1100. Has dropped to 750-ish now.
 
Old 03-20-2024, 12:08 AM   #14
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Original Poster
Quote:
Originally Posted by pan64 View Post
I'm not sure if they know it's an imap server and want to hack it. They may have different goals.
They are attacking the imap port, and they are trying email addresses. The user ID is logged, and often repeated.
 
Old 03-20-2024, 10:09 PM   #15
mw.decavia
Member
 
Registered: Feb 2024
Distribution: Slackware64-15 & Afterstep , oh my
Posts: 78

While the chances of anyone breaking into one of your imap accounts, and then getting to actually use it for anything, is rather slim ...

It is possible that "they" are someone working for one of the spam-control lists, who is not so good or saintly. With their intent being that if they can break in at all, ever, they can exaggerate that your imap server has weak security, making it some haven for spammers. And then quite legally harass and extort you under the threat of spam filtering your whole email domain off the net.

It has happened before, so why not again?
 