Brute-force protection for your IMAP server. Stop password-guessing attacks on IMAP.
RdpGuard
Intrusion prevention system for your Windows Server
 

IMAP Brute-Force Protection.

Internet Message Access Protocol (IMAP) is one of the most popular protocols for email retrieval nowadays. Almost every mail server supports IMAP.

Being so popular, it's no surprise that this protocol is a frequent target of brute-force attacks: the Internet is full of tools for IMAP brute-forcing. Anyone can download ready-to-go tools and start abusing your server's resources.

If you are running IMAP on your server, you may notice thousands of repeating entries in your logs like the ones below:

#Software: MailEnable IMAP Server
#Version: 1.2
#Date: 03/31/18 00:00:08
#Fields: date time c-ip agent account cs-username s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes time-taken
31-03-13 06:26:01 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5216 AUTHENTICATE cXdlcnR5 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4282
31-03-13 06:42:00 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 7156 AUTHENTICATE cXdlcnR5 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4290
31-03-13 06:49:43 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4876 AUTHENTICATE cGFzc3cw 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 07:08:15 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4876 AUTHENTICATE cGFzc3cw 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 07:15:41 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5548 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:26:32 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6580 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4288
31-03-13 07:29:59 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 3636 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4298
31-03-13 07:31:53 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6828 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4313
31-03-13 07:32:29 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5148 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4328
31-03-13 07:34:32 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6916 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:40:37 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4160 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4300
31-03-13 07:41:41 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 3568 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:42:47 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6320 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4268
31-03-13 07:43:13 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 3568 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4282
31-03-13 07:47:10 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4172 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4312
31-03-13 07:49:54 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 2288 AUTHENTICATE c29jY2Vy 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4268
31-03-13 07:52:03 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5036 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4281
31-03-13 07:55:31 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6728 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4282
31-03-13 07:58:03 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 5096 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4328
31-03-13 07:58:32 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 6256 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4285
31-03-13 08:00:48 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 7484 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4301
31-03-13 08:06:12 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4332 AUTHENTICATE Tgd7dgw3 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4280
31-03-13 08:07:37 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 8948 AUTHENTICATE YW50aG9u 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4313
31-03-13 08:08:02 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 8552 AUTHENTICATE aW5mb0Bo 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 08:08:22 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 8948 AUTHENTICATE aW5mb0Bp 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297
31-03-13 08:09:52 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 9008 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4289
31-03-13 08:13:53 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4944 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4301
31-03-13 08:16:36 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 4988 AUTHENTICATE Y2F0Y2F0 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4312
31-03-13 08:17:39 185.222.209.113 IMAP-IN contoso.com - 66.249.66.134 7344 AUTHENTICATE amVzc2ll 2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password. WIN-MN0B8V95FLF 64 0 4297

Those repeating failed login attempts are actually brute-force attacks on your IMAP service. These attacks consume your server's resources such as bandwidth, RAM, CPU, and free disk space.

If some of your IMAP users have weak passwords, attackers may succeed in brute-forcing their way into the user's mailbox and gain unauthorized access to their emails and other personal information.

RdpGuard provides effective protection for your IMAP server against brute-force attacks by detecting invalid login attempts and automatically blocking the attacker's IP address.

RdpGuard is compatible with all IMAP server software, making it a versatile solution for protecting your email service.

RdpGuard monitors the IMAP port(s) or logs on your server and detects failed login attempts. When the number of failed login attempts from a single IP address reaches a pre-set limit (by default, three), RdpGuard automatically blocks the attacker's IP address.
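
The counting rule described above, applied to a W3C-style IMAP log, as an added example (not RdpGuard's code). The log rows are constructed in the layout of the excerpt earlier on this page; the dd-mm-yy date layout, the shape of the successful reply and the one-hour `window` are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HEADER = ("#Fields: date time c-ip agent account cs-username s-ip s-port cs-method "
          "cs-uristem cs-uriquery s-computername sc-bytes cs-bytes time-taken")
FAIL = "2+NO+AUTHENTICATE+LOGIN+failed+-+Invalid+username+or+password."
OK = "2+OK+AUTHENTICATE+completed"  # assumed shape of a successful reply
EVENTS = [  # constructed: time, client IP (documentation ranges), server reply
    ("06:00:00", "198.51.100.99", FAIL),  # slow guesser, well over an hour apart
    ("06:26:01", "203.0.113.7", FAIL),
    ("06:30:10", "198.51.100.20", FAIL),  # real user mistypes once...
    ("06:30:40", "198.51.100.20", OK),    # ...then logs in
    ("06:42:00", "203.0.113.7", FAIL),
    ("06:49:43", "203.0.113.7", FAIL),
    ("07:30:00", "198.51.100.99", FAIL),
    ("09:10:00", "198.51.100.99", FAIL),
]
SAMPLE_LOG = "\n".join([HEADER] + [
    f"31-03-13 {t} {ip} IMAP-IN example.test - 192.0.2.10 5216 AUTHENTICATE "
    f"dGVzdA== {reply} MAIL01 64 0 4282" for t, ip, reply in EVENTS])

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        values = line.split()
        if line.startswith("#Fields:"):
            fields = values[1:]
        elif fields and not line.startswith("#") and len(values) == len(fields):
            yield dict(zip(fields, values))  # malformed rows are skipped

def is_failed_login(row):
    reply = row["cs-uriquery"].split("+")  # tagged IMAP reply: tag, status, text
    return row["cs-method"] in ("AUTHENTICATE", "LOGIN") and reply[1:2] == ["NO"]

def find_offenders(text, limit=3, window=timedelta(hours=1)):
    """Return {client IP: time at which it reached `limit` failures in `window`}."""
    recent, blocked = defaultdict(deque), {}
    for row in parse_w3c(text):
        ip = row["c-ip"]
        if ip in blocked or not is_failed_login(row):
            continue
        # Date layout assumed to be dd-mm-yy, as the sample rows suggest.
        when = datetime.strptime(f"{row['date']} {row['time']}", "%d-%m-%y %H:%M:%S")
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:  # forget failures older than the window
            times.popleft()
        if len(times) >= limit:
            blocked[ip] = when
    return blocked
```

With the one-hour window only 203.0.113.7 is flagged; the slow guesser at 198.51.100.99 is caught only when `window` is widened, which also means a user's occasional typos are counted over a longer period.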

For Windows Vista/7/8/8.1/10/11 and Windows Server 2008/2012/2016/2019/2022

Our customers say

"This software is really great. It's a relief. Because my server is constantly under attack. Thanks RdpGuard" - Joaquim De Sousa Marques

"Nice product. I used to implement something similar in a low-tech and cumbersome manner via a script called TSBlock (not mine). This makes it much easier and is well worth the pricetag for SMB's." - J. Johnson

"Absolutely amazed at your product. We are a church in the North Dallas area, and I discovered this morning multiple failed logon attempts via our Remote Access Server. A friend suggested your product, so I immediately downloaded the trial. It had a list of about five blocked IP addresses in minutes, and that was enough to lead me to push the BUY button. Over the past 10-15 minutes the list is now about thirty with at least a third being international attempts to break into our system. Thanks for a great product. You may have just saved us much grief." - John Hallford

"Love the software. RDP on our Windows servers is just ridiculous. We would block it in the router but we have lots of old-time customers that would have issues." - Scott Hirsch

"Love the software! Makes it easier than tailoring VB Scripts!!" - Nick Brennan

"It's a great product - really stopping those RDP attackers :-)" - Dave, UK

"First of all: Your application is very (!!!) useful and I like it very much securing my 2012 R2 server. RdpGuard is the best solution, I found on the market and after 10 minutes of testing it I ordered the fully-featured version. :-)" - Carsten Baltes

Copyright © 2012-2024 NetSDK Software. All rights reserved.