IMAP Brute-Force Protection.
Internet Message Access Protocol (IMAP) is one of the most popular protocols for email retrieval nowadays.
Almost every mail server supports IMAP.
Being so popular, it is no surprise that this protocol is a frequent target of brute-force attacks:
the Internet is full of tools for IMAP brute-forcing. Anyone is able to download ready-to-go tools
and start abusing your server's resources.
If you are running IMAP on your server, you may notice thousands of repeating entries in your logs like the one below:
#Software: MailEnable IMAP Server
#Version: 1.2
#Date: 03/31/18 00:00:08
#Fields: date time c-ip agent account cs-username s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes time-taken
31-03-13 06:26:01 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5216 AUTHENTICATE cXdlcnR5 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4282
31-03-13 06:42:00 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 7156 AUTHENTICATE cXdlcnR5 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4290
31-03-13 06:49:43 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4876 AUTHENTICATE cGFzc3cw 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 07:08:15 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4876 AUTHENTICATE cGFzc3cw 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 07:15:41 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5548 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:26:32 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6580 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4288
31-03-13 07:29:59 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 3636 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4298
31-03-13 07:31:53 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6828 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4313
31-03-13 07:32:29 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5148 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4328
31-03-13 07:34:32 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6916 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:40:37 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4160 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4300
31-03-13 07:41:41 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 3568 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:42:47 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6320 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4268
31-03-13 07:43:13 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 3568 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4282
31-03-13 07:47:10 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4172 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4312
31-03-13 07:49:54 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 2288 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4268
31-03-13 07:52:03 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5036 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:55:31 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6728 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4282
31-03-13 07:58:03 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5096 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4328
31-03-13 07:58:32 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6256 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4285
31-03-13 08:00:48 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 7484 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4301
31-03-13 08:06:12 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4332 AUTHENTICATE Tgd7dgw3 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4280
31-03-13 08:07:37 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 8948 AUTHENTICATE YW50aG9u 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4313
31-03-13 08:08:02 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 8552 AUTHENTICATE aW5mb0Bo 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 08:08:22 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 8948 AUTHENTICATE aW5mb0Bp 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 08:09:52 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 9008 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4289
31-03-13 08:13:53 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4944 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4301
31-03-13 08:16:36 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4988 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4312
31-03-13 08:17:39 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 7344 AUTHENTICATE amVzc2ll 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
Those repeating failed login attempts are actually brute-force attacks on your IMAP service. These attacks consume your server's resources
such as bandwidth, RAM, CPU, and free disk space.
If some of your IMAP users have weak passwords, attackers may succeed in brute-forcing their way into a user's
mailbox and gain unauthorized access to their emails and other personal information.
RdpGuard provides effective protection for your IMAP server against brute-force attacks by detecting invalid login
attempts and automatically blocking the attacker's IP address.
RdpGuard is compatible with all IMAP server software,
making it a versatile solution for protecting your email service.
RdpGuard monitors the IMAP port(s) or logs on your server and detects failed login attempts.
When the number of failed login attempts from a single IP address reaches a pre-set limit (by default, three),
RdpGuard automatically blocks the attacker's IP address.
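The counting rule described above, sketched as an added example (it is not RdpGuard's code and not part of the original page): it reads entries by the names in the #Fields header, counts failed AUTHENTICATE/LOGIN replies per client IP, and reports each address when it reaches the limit. The sample lines, addresses and the successful-login line are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the same layout as the log above (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: MailEnable IMAP Server
#Fields: date time c-ip agent account cs-username s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes time-taken
31-03-13 06:26:01 203.0.113.7 IMAP-IN example.test - 192.0.2.10 5216 AUTHENTICATE dGVzdA== 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. MAILHOST 64 0 4282
31-03-13 06:30:10 198.51.100.20 IMAP-IN example.test - 192.0.2.10 7156 AUTHENTICATE dGVzdA== 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. MAILHOST 64 0 4290
31-03-13 06:42:00 203.0.113.7 IMAP-IN example.test - 192.0.2.10 4876 AUTHENTICATE dGVzdA== 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. MAILHOST 64 0 4297
31-03-13 06:45:12 198.51.100.99 IMAP-IN example.test alice 192.0.2.10 5548 AUTHENTICATE dGVzdA== 2+OK+AUTHENTICATE+completed MAILHOST 40 0 120
31-03-13 06:49:43 203.0.113.7 IMAP-IN example.test - 192.0.2.10 6580 AUTHENTICATE dGVzdA== 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. MAILHOST 64 0 4281
31-03-13 07:02:30 198.51.100.20 IMAP-IN example.test - 192.0.2.10 3636 AUTHENTICATE dGVzdA== 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. MAILHOST 64 0 4288
31-03-13 07:08:15 203.0.113.7 IMAP-IN example.test - 192.0.2.10 6828 AUTHENTICATE dGVzdA== 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. MAILHOST 64 0 4298
"""

def parse_entries(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def is_failed_login(entry):
    """A failed login is a tagged NO reply to AUTHENTICATE or LOGIN."""
    reply = entry["cs-uriquery"].split("+")  # spaces are logged as '+'
    return (entry["cs-method"] in ("AUTHENTICATE", "LOGIN")
            and len(reply) > 1 and reply[1] == "NO")

def ips_to_block(text, limit=3):
    """Return {client_ip: 'date time' of the attempt that reached the limit}."""
    failures = defaultdict(int)
    blocked = {}
    for entry in parse_entries(text):
        if is_failed_login(entry):
            ip = entry["c-ip"]
            failures[ip] += 1
            if failures[ip] == limit:  # record only the crossing attempt
                blocked[ip] = f'{entry["date"]} {entry["time"]}'
    return blocked

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```

The counter here never resets; a time window or reset on successful login would be a policy choice the page does not specify.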
Download RdpGuard to stop Brute-Force Attacks on your IMAP Server!
For Windows Vista/7/8/8.1/10/11 and Windows Server 2008/2012/2016/2019/2022