Brute force on mailer-daemon@domain?
Hello,
I see in /var/log/maillog repeating IMAP attempts to the "mailer-daemon" user of a domain.
Is this something to worry about,
or is this just a robot making errors...
Example:
Thanks, Marco
-----
May 19 03:40:09 is30 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 14 secs): user=, method=PLAIN, rip=***, lip=***, TLS, session=<8GJEJYVssQQFvAmR>
May 19 03:40:24 is30 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 14 secs): user=, method=PLAIN, rip=***, lip=***, TLS, session=
-----
Hello Marco,
It looks like a failed login attempt that you can safely ignore. Can you verify if the IP addresses you removed from the log output are remote or local IP addresses?
Thank you.
Hello,
rip is an always-changing remote IP, lip is the server IP.
Thank you, Marco
Hello Marco,
In that case, it's just showing you a failed authentication attempt with that username from that IP address. You could block the IP address in your firewall if you'd like to prevent it from making additional authentication attempts.
Thank you.
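An added example, not part of the original thread: a Python tally of dovecot "auth failed" lines per targeted user and remote IP, which separates a rotating-IP guessing run like the one described above from a single address that a firewall block would actually stop. The sample lines are constructed with documentation addresses; the `user=<name>` log form and both thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Dovecot login failures; the name is normally logged as user=<name>.
# Lines with a redacted rip (e.g. rip=***) do not match and are skipped.
FAILED = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*?\(auth failed, (?P<n>\d+) attempts"
    r".*?user=<?(?P<user>[^>,]*)>?, .*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def summarize(lines):
    """Map each targeted user to a Counter of {remote_ip: failed attempts}."""
    stats = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m:
            stats[m.group("user").lower()][m.group("rip")] += int(m.group("n"))
    return dict(stats)

def distributed_targets(stats, min_sources=3):
    """Users probed from many distinct IPs; blocking one address will not help."""
    return sorted(u for u, ips in stats.items() if len(ips) >= min_sources)

def repeat_offenders(stats, min_attempts=3):
    """Remote IPs with enough failures of their own that a block is worthwhile."""
    totals = Counter()
    for ips in stats.values():
        totals.update(ips)
    return sorted(ip for ip, n in totals.items() if n >= min_attempts)

# Constructed sample input (addresses from the RFC 5737 documentation ranges).
TEMPLATE = ("May 19 03:40:{sec:02d} is30 dovecot: imap-login: Disconnected "
            "(auth failed, {n} attempts in 14 secs): user=<{user}>, method=PLAIN, "
            "rip={rip}, lip=198.51.100.5, TLS, session=<constructed>")
SAMPLE = [
    TEMPLATE.format(sec=9, n=1, user="mailer-daemon@example.com", rip="192.0.2.10"),
    TEMPLATE.format(sec=24, n=1, user="mailer-daemon@example.com", rip="192.0.2.11"),
    TEMPLATE.format(sec=39, n=1, user="mailer-daemon@example.com", rip="192.0.2.12"),
    TEMPLATE.format(sec=41, n=4, user="info@example.com", rip="203.0.113.7"),
    "May 19 03:41:00 is30 dovecot: imap-login: Login: user=<marco@example.com>, "
    "method=PLAIN, rip=203.0.113.50, lip=198.51.100.5, TLS, session=<constructed>",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print("probed from many IPs:", distributed_targets(stats))
    print("worth blocking:", repeat_offenders(stats))
```

To run it against the real log, pass `open("/var/log/maillog")` to `summarize` instead of `SAMPLE`.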