I'm operating a mail server which handles email flows from multiple domains (20 domains). The server has been under a massive IMAPS (port 993) scan for a few days. More details about the ongoing attack:

  • Some logins are valid
  • Some logins seem to be part of a dictionary
  • Some logins are old or unused (like scraped from web pages)
  • Some logins have the format [email protected], others just the user

There is an OSSEC active-response[1] with the repeated_offender 151.253.48.108
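As an added example (not part of this diary), a small Python triage script over constructed Dovecot imap-login lines: it sorts failed IMAPS logins the way the list above does (address in a hosted domain, address in a foreign domain, bare username), counts distinct usernames per source, and gives the cross-source username view that a per-IP repeated-offender block on its own does not. The hosted-domain set and the log lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed Dovecot imap-login lines (not from the diary); rip= is the client address.
SAMPLE_LOG = """\
Apr 12 10:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice@example.org>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a1>
Apr 12 10:01:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a2>
Apr 12 10:01:09 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<webmaster@old-site.example>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<a3>
Apr 12 10:02:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<test>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS, session=<b1>
Apr 12 10:02:30 mx dovecot: imap-login: Login: user=<carol@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS, session=<c1>
"""
# Domains hosted on this server (assumed; the diary's server has 20).
LOCAL_DOMAINS = {"example.org", "example.net"}

FAIL_RE = re.compile(r"imap-login: .*\(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-f.:]+)", re.I)

def parse_failures(log_text):
    """Return (rip, user) for each failed IMAP login; successful 'Login:' lines are skipped."""
    return [(m.group("rip"), m.group("user"))
            for m in (FAIL_RE.search(l) for l in log_text.splitlines()) if m]

def classify_login(user, local_domains=LOCAL_DOMAINS):
    """'bare' = no @; 'local' = address in a hosted domain (valid or old account);
    'foreign' = address in a domain we do not host, e.g. scraped from a web page."""
    if "@" not in user:
        return "bare"
    return "local" if user.rsplit("@", 1)[1].lower() in local_domains else "foreign"

def summarize(failures, local_domains=LOCAL_DOMAINS):
    """Per-source counters: failures, distinct usernames tried, and login-format breakdown."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "bare": 0, "local": 0, "foreign": 0})
    for rip, user in failures:
        s = per_ip[rip]
        s["attempts"] += 1
        s["users"].add(user)
        s[classify_login(user, local_domains)] += 1
    return per_ip

def flag_sources(per_ip, min_distinct_users=2):
    """Sources cycling through usernames (dictionary or scraped-list behaviour) rather than
    one user retrying a password. A source with a single attempt never trips this, which is
    also why a per-IP repeated-offender block alone misses a scan spread over many addresses."""
    return sorted(ip for ip, s in per_ip.items() if len(s["users"]) >= min_distinct_users)

def probed_usernames(per_ip):
    """Every username tried across all sources: the cross-source view that catches a
    distributed scan where each address makes only one or two attempts."""
    return sorted(set().union(*(s["users"] for s in per_ip.values())))
```

Feeding the real mail log in place of SAMPLE_LOG gives a per-source breakdown and the full probed-username list; usernames that exist nowhere on the server point at the dictionary or scraped-list part of the scan.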

Has someone else already detected the same kind of scan?

[1] http://ossec-docs.readthedocs.io/en/latest/manual/ar/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.