My thinking is somewhat related to a thread on this list back in Oct
2017 (Subject: Slow botnet IMAP scans).
I've begun to observe IMAP searches initiated by our clients. We
experienced a DoS-type event some months ago against IMAP, and it was
clear that resource exhaustion related to IMAP search was the culprit.
Have other email sysadmin types here observed what looks like badguy
activity within mailboxes suspected to be compromised? The suspicion is
raised by looking at accounts used to relay spam via SMTP AUTH, as well as
the source IPs for the SMTP and IMAP activities.
Based on my observations there are a few trends in the searches which have
emerged:
1) the search string is rarely, if ever, nested, nor does it have multiple conditions
2) the search string does not include "NOT DELETED" or "UNDELETED" and
therefore includes \Deleted messages
3) the search is within BODY or FROM
4) The searches are for domains or @domains where the domain is usually
a service provider type of account (Steam, Blizzard, porn sites) or
financially related (Paypal, payment processing services, cryptocurrencies)
5) timing of consecutive searches for different strings is "impossibly
quick" for a human
6) (This one is less consistent) Often the IMAP client ID (RFC 2971) is
"Mail.dll", a .NET library for all things email.
It seems fairly obvious why the badguys are doing this; a pwned mailbox
has all kinds of value in the realm of theft, identity or otherwise.
I'm curious if anyone else is observing this and if there are other bits
of telemetry you are looking for.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
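The six trends listed in the post above amount to a detection rule set. The following is an added example, not code from the original poster or from any IMAP server project, that scores per-account IMAP sessions against those heuristics. It assumes a simplified, constructed log format ("<ISO timestamp> user=<account> rip=<client ip> cmd=<tag> <IMAP command>"), which is not any real server's native format; the sample lines, account names, IP addresses (RFC 5737 documentation ranges) and the two-second "impossibly quick" threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic (not real logs). The line format is an assumption:
#   <ISO timestamp> user=<account> rip=<client ip> cmd=<tag> <IMAP command>
# "alice" matches every trend from the post; "bob" is a normal desktop client.
SAMPLE_LOG = """\
2024-03-01T10:00:00 user=alice rip=203.0.113.7 cmd=a01 ID ("name" "Mail.dll" "version" "1.0")
2024-03-01T10:00:01 user=alice rip=203.0.113.7 cmd=a02 SEARCH FROM "paypal.com"
2024-03-01T10:00:01 user=alice rip=203.0.113.7 cmd=a03 SEARCH BODY "@steampowered.com"
2024-03-01T10:00:02 user=alice rip=203.0.113.7 cmd=a04 SEARCH BODY "coinbase.com"
2024-03-01T10:05:00 user=bob rip=198.51.100.23 cmd=b01 ID ("name" "Thunderbird" "version" "115.0")
2024-03-01T10:05:40 user=bob rip=198.51.100.23 cmd=b02 SEARCH UNDELETED FROM "carol@example.org"
2024-03-01T10:07:12 user=bob rip=198.51.100.23 cmd=b03 SEARCH NOT DELETED OR SUBJECT "invoice" SUBJECT "receipt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) rip=(?P<ip>\S+) cmd=(?P<tag>\S+) (?P<cmd>.*)$'
)
# OR / NOT keys or a parenthesised group mean the search is compound or nested.
COMPOUND_RE = re.compile(r'\b(OR|NOT)\b|\(')
# A bare domain or "@domain" (with optional quotes), as opposed to a full address.
DOMAIN_RE = re.compile(r'^"?@?[a-z0-9.-]+\.[a-z]{2,}"?$', re.I)


def analyse_search(args):
    """Return the set of heuristic tags matched by one SEARCH argument string.

    Tokenisation is a plain split, so it assumes no spaces inside quoted
    search strings (true for the domain-style strings the post describes).
    """
    hits = set()
    upper = args.upper()
    tokens = args.split()
    # Trend 1: a single key with a single value, no nesting or OR/NOT.
    if len(tokens) == 2 and not COMPOUND_RE.search(upper):
        hits.add("single_condition")
    # Trend 2: nothing excludes \Deleted messages.
    if "UNDELETED" not in upper and "NOT DELETED" not in upper:
        hits.add("includes_deleted")
    # Trends 3 and 4: BODY/FROM search whose value is a bare domain.
    if tokens and tokens[0].upper() in ("BODY", "FROM"):
        hits.add("body_or_from")
        if len(tokens) >= 2 and DOMAIN_RE.match(tokens[1]):
            hits.add("domain_string")
    return hits


def analyse_sessions(log_text, fast_seconds=2.0):
    """Aggregate heuristic hits per (user, client IP) session."""
    sessions = defaultdict(
        lambda: {"hits": set(), "searches": 0, "last_ts": None, "last_args": None}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[(m["user"], m["ip"])]
        verb, _, args = m["cmd"].partition(" ")
        verb = verb.upper()
        if verb == "ID":
            # Trend 6: RFC 2971 ID announcing the Mail.dll library.
            if "MAIL.DLL" in args.upper():
                s["hits"].add("client_mail_dll")
        elif verb == "SEARCH":
            ts = datetime.fromisoformat(m["ts"])
            s["searches"] += 1
            s["hits"] |= analyse_search(args)
            # Trend 5: a different search string issued faster than a human types.
            if (s["last_ts"] is not None and args != s["last_args"]
                    and (ts - s["last_ts"]).total_seconds() < fast_seconds):
                s["hits"].add("inhuman_cadence")
            s["last_ts"], s["last_args"] = ts, args
    return dict(sessions)


def flagged_sessions(log_text, threshold=4):
    """Sessions matching at least `threshold` distinct heuristics."""
    return {key: sorted(s["hits"])
            for key, s in analyse_sessions(log_text).items()
            if len(s["hits"]) >= threshold}


if __name__ == "__main__":
    for (user, ip), hits in flagged_sessions(SAMPLE_LOG).items():
        print(f"{user}@{ip}: {', '.join(hits)}")
```

The threshold is deliberately a count of distinct heuristics rather than a single rule, since any one of them (a FROM search for a domain, a fast second search) also occurs in legitimate use; the cadence check only fires when consecutive searches differ, so a client retrying the same search is not penalised.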