I'm operating a mail server which handles email flows from multiple domains (20 domains). The server is under a massive IMAPS (port 993) scan for a few days. More details about the ongoing attack:
- Some logins are valid
- Some logins seem to be part of a dictionary
- Some logins are old or unused (like scraped from web pages)
- Some logins have a format user@domain.tld, other just the user
There is an OSSEC active-response[1] with the repeated_offender setting (example source IP: 151.253.48.108)
Has anyone else already detected the same kind of scan?
[1]http://ossec-docs.readthedocs.io/en/latest/manual/ar/
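As an added example (not part of the original diary or of OSSEC), the script below profiles this kind of IMAPS scan from Dovecot-style imap-login auth-failure lines: it counts failures per source IP, separates user@domain.tld logins from bare usernames, and reports how many source IPs would stay below a per-IP repeated-offender threshold, which is why a distributed scan can slip past a per-IP active response. The log lines are constructed sample data; the Dovecot log format and the threshold value are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Dovecot-style imap-login failure lines (sample data, not from the diary).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS, session=<s1>
Jan 10 10:00:04 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.20, lip=10.0.0.5, TLS, session=<s2>
Jan 10 10:00:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=203.0.113.20, lip=10.0.0.5, TLS, session=<s3>
Jan 10 10:00:15 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<alice@example.net>, method=PLAIN, rip=192.0.2.33, lip=10.0.0.5, TLS, session=<s4>
Jan 10 10:00:21 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<webmaster@example.org>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.5, TLS, session=<s5>
Jan 10 10:00:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS, session=<s6>
"""

# Assumed Dovecot imap-login failure layout: attempt count, user=<...>, rip=<source IP>.
LINE_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<n>\d+) attempts.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)"
)

def parse_failures(text):
    """Yield (user, ip, attempts) for each imap-login auth-failure line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), int(m.group("n"))

def summarize(text, per_ip_threshold=5):
    """Profile the scan: number of source IPs, login formats used, and how
    many IPs stay below a per-IP repeated-offender threshold (assumed value)."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    login_formats = Counter()
    for user, ip, n in parse_failures(text):
        failures_by_ip[ip] += n
        users_by_ip[ip].add(user)
        login_formats["user@domain" if "@" in user else "bare user"] += 1
    # IPs that never reach the threshold are invisible to a per-IP block rule.
    under = [ip for ip, c in failures_by_ip.items() if c < per_ip_threshold]
    return {
        "total_failures": sum(failures_by_ip.values()),
        "distinct_ips": len(failures_by_ip),
        "ips_under_threshold": len(under),
        "login_formats": dict(login_formats),
        "max_users_from_one_ip": max((len(s) for s in users_by_ip.values()), default=0),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

When most failures come from IPs that each stay under the threshold, counting failures per target account or per domain across all sources is a better trigger than a per-IP rule.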
Xavier Mertens (@xme)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC Handler - Freelance Security Consultant