I'm operating a mail server which handles email flows from multiple domains (20 domains). The server has been under a massive IMAPS (port 993) scan for a few days. More details about the ongoing attack:

  • Some logins are valid
  • Some logins seem to be part of a dictionary
  • Some logins are old or unused (like scraped from web pages)
  • Some logins have a format [email protected], others just the user
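
The breakdown above can be reproduced from the authentication log. The following is an added example, not code from the diary: it assumes Dovecot-style `imap-login` failure lines (the diary does not name the IMAP server), and the account inventory, addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumption: Dovecot-style imap-login failure lines; the diary does not name the IMAP server.
FAIL_RE = re.compile(
    r"imap-login: .*auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,\s]+)")

# Constructed account inventory (hypothetical addresses).
ACTIVE = {"alice@example.org", "bob@example.net"}
RETIRED = {"webmaster@example.org"}

# Constructed log sample, using documentation IP ranges.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Mar  3 10:15:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<webmaster@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Mar  3 10:15:17 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Mar  3 10:15:25 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Mar  3 10:16:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<bob@example.net>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Mar  3 10:16:30 mx dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
"""

def classify(login):
    """Map an attempted login to one of the categories listed in the diary."""
    login = login.lower()
    if "@" not in login:
        return "bare-user"
    if login in ACTIVE:
        return "valid"
    if login in RETIRED:
        return "old-or-unused"
    return "unknown"  # not in the inventory: dictionary guess or scraped address

def summarize(log_text):
    """Per source IP: failure count by category and number of distinct logins tried."""
    counts, logins = defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m["rip"]][classify(m["user"])] += 1
            logins[m["rip"]].add(m["user"].lower())
    return {ip: {"counts": dict(counts[ip]), "distinct": len(logins[ip])} for ip in counts}

def spray_sources(summary, min_distinct=3):
    """Sources that tried many different logins, unlike a user mistyping one password."""
    return sorted(ip for ip, s in summary.items() if s["distinct"] >= min_distinct)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, stats in report.items():
        print(ip, stats)
    print("spray sources:", spray_sources(report))
```

Counting distinct logins per source separates a scanner from a legitimate user with a stale password, who fails repeatedly against a single account.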

    There is an OSSEC active-response[1] with the repeated_offender

    Has anyone else already detected the same kind of scan?


    Xavier Mertens (@xme)
    ISC Handler - Freelance Security Consultant

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.