Brute force on [email protected]?

Markif · May 20, 2018

Hello,
I see in /var/log/maillog repeating IMAP attempts to the "mailer-daemon" user of a domain.
Is this something to worry about,
or is this just a robot making errors...
example

Code:

-----
May 19 03:40:09 is30 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 14 secs): user=<[email protected]***>, method=PLAIN, rip=***, lip=***, TLS, session=<8GJEJYVssQQFvAmR>
May 19 03:40:24 is30 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 14 secs): user=<[email protected]***>, method=PLAIN, rip=***, lip=***, TLS, session=<kZ4rJoVsgEtcP8E3>
-----

Thanks,
Marco

cPanelMichael · May 21, 2018

Hello Marco,

It looks like a failed login attempt that you can safely ignore. Can you verify if the IP addresses you removed from the log output are remote or local IP addresses?

Thank you.

Markif · May 22, 2018

Hello,

rip is a always changing remote IP, lip is the server IP

Thank you,
Marco

cPanelMichael · May 22, 2018

Hello Marco,

In that case, it's just showing you a failed authentication attempt with that username from that IP address. You could block the IP address in your firewall if you'd like to prevent it from making additional authentication attempts.

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
M	A Single EMAIL ID is repeatedly exposed to Brute Force	Email	1	Jul 16, 2021
A	Stop brute force email logins?	Email	6	Apr 20, 2019
A	How to prevent host from bruteforce?	Email	3	Jul 13, 2018
	Question about SMTP brute force	Email	29	Nov 30, 2015
H	SMTP Auth Failure - Brute Force Attack - Blocking	Email	18	Feb 24, 2015

Search

Search

Brute force on [email protected]?

Markif

Well-Known Member

cPanelMichael

Administrator

Markif

Well-Known Member

cPanelMichael

Administrator