IMAP Spike
Question asked by Ryan Wittenauer - 12/6/2018 at 9:47 AM
Hi All,

Has anyone noticed a spike in IMAP connections starting around November 18th?
We noticed our hourly connections spiking from ~8000 to ~12000
We tried looking into whether it might have been an iOS or Android update, but can't see a correlation.

Tim Uzzanti Replied
Most likely you're being attacked.

If you're using 16.x or the most recent Build, you can look at Connections in the Manage section. See if you have many requests coming from a specific IP or if they're distributed. For the health of your Mail Server you should attempt to block as much as you can on a Firewall or Networking device. If you can't do that, use SmarterMail's blocking. For future attacks you can configure IDS rules to catch and do these on the fly as well.

Clearly I'm stabbing in the dark based on the information, but I wanted to give you some ideas. If you have Maintenance and Support, our support team can help you as well.
Tim Uzzanti
SmarterTools Inc.
(877) 357-6278
Scarab Replied
Actually Tim isn't wrong. We've been seeing far more Brute-Force attacks over IMAP than SMTP lately. I guess Brute-Force bots run under the assumption that IMAP is less protected or watched than SMTP.

Also, this could happen if you have a large number of Apple users. We've seen weird things going on with the way Apple Mail for MacOS and iOS handles IMAP since an Apple update released in the first week of November (among other problems, like removing the @domain.tld from the username in existing Mail settings...that was a customer support nightmare). In particular, Apple Mail has been opening a new IMAP session and re-authenticating for every folder & sub-folder, and opening a new IMAP session every 5-30 seconds (instead of 5, 10, 15, 30 minute intervals) and never closing existing sessions. The average Apple user on our SmarterMail installation has @ 70 open IMAP sessions at any given point in time (up from an average of @ 26 IMAP connections before the early November update). They add up quick if you have a significant number of Apple users.
Ryan Wittenauer Replied
Appreciate the response. We have a ticket open and it is being looked at; we recently changed our IMAP IDS and POP IDS rules to be a little stricter.


We wondered if it was related to some kind of iOS change. The odd thing is that we see a random IP open 60-80 connections, and that is it. They open a connection and let it sit, then close it out and reopen. The logs for these IPs (some of them cell IPs, some of them major ISPs) just show connections opening and closing, no IMAP commands.
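The three replies above describe three different connection patterns that all look the same on an hourly connection graph: a brute-force bot cycling through usernames (Scarab's post), a client such as Apple Mail re-authenticating the same account for every folder (Scarab's post), and IPs that open dozens of sessions and never issue a command (Ryan's post), plus Tim's question of whether the load comes from one IP or is distributed. The script below is an added example, not code from the original thread or from SmarterTools, that tells these patterns apart from a connection log. It assumes a simplified, hypothetical log layout (`<timestamp> [<ip>] CONNECT|DISCONNECT|LOGIN <user> OK|FAIL|CMD <name>`) that is not SmarterMail's real IMAP log format; the sample lines and thresholds are constructed for the demonstration and would need adjusting to a real server.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log layout for this example, NOT SmarterMail's actual IMAP log format.
# Adapt LINE_RE to whatever your server writes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<event>CONNECT|DISCONNECT|LOGIN|CMD)(?: (?P<args>.*))?$"
)


@dataclass
class IpStats:
    connects: int = 0
    commands: int = 0        # LOGIN and any other command; 0 means "opened and sat idle"
    login_ok: int = 0
    login_fail: int = 0
    users: set = field(default_factory=set)


def parse_events(lines):
    """Yield (ip, event, args) for every line that matches the assumed layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("event"), m.group("args") or ""


def aggregate(lines):
    """Roll the per-line events up into per-IP counters."""
    stats = defaultdict(IpStats)
    for ip, event, args in parse_events(lines):
        s = stats[ip]
        if event == "CONNECT":
            s.connects += 1
        elif event == "LOGIN":
            s.commands += 1
            user, _, result = args.partition(" ")
            s.users.add(user)
            if result == "OK":
                s.login_ok += 1
            else:
                s.login_fail += 1
        elif event == "CMD":
            s.commands += 1
    return stats


def classify(s, min_connects=20, max_fail=5, max_users=3):
    """Label one IP's behaviour. Thresholds are illustrative, not tuned values."""
    # Many failed logins or many distinct usernames from one IP: credential guessing.
    if s.login_fail >= max_fail or len(s.users) >= max_users:
        return "brute-force"
    # Lots of sessions that never send a command: the idle open/close pattern.
    if s.connects >= min_connects and s.commands == 0:
        return "idle-flood"
    # Lots of sessions, every one authenticating the same account successfully:
    # a legitimate but session-hungry client rather than an attacker.
    if s.connects >= min_connects and s.login_fail == 0 and len(s.users) == 1:
        return "chatty-client"
    return "normal"


def top_share(stats):
    """Fraction of all connections owed to the single busiest IP (1.0 = one source)."""
    total = sum(s.connects for s in stats.values())
    if total == 0:
        return 0.0
    return max(s.connects for s in stats.values()) / total


def build_sample():
    """Constructed sample log: one IP of each pattern, using documentation IP ranges."""
    lines = []
    for i in range(6):   # brute-force: six different users, every login fails
        lines += [f"2018-12-06 09:00:{i:02d} [198.51.100.7] CONNECT",
                  f"2018-12-06 09:00:{i:02d} [198.51.100.7] LOGIN user{i}@example.com FAIL",
                  f"2018-12-06 09:00:{i:02d} [198.51.100.7] DISCONNECT"]
    for _ in range(60):  # idle flood: 60 sessions opened, held, closed, no commands
        lines += ["2018-12-06 09:01:00 [203.0.113.9] CONNECT",
                  "2018-12-06 09:01:30 [203.0.113.9] DISCONNECT"]
    for _ in range(25):  # chatty client: one account, a new session per folder
        lines += ["2018-12-06 09:02:00 [192.0.2.44] CONNECT",
                  "2018-12-06 09:02:00 [192.0.2.44] LOGIN alice@example.com OK",
                  "2018-12-06 09:02:01 [192.0.2.44] CMD SELECT INBOX"]
    lines += ["2018-12-06 09:03:00 [192.0.2.10] CONNECT",   # ordinary single session
              "2018-12-06 09:03:00 [192.0.2.10] LOGIN bob@example.com OK",
              "2018-12-06 09:03:01 [192.0.2.10] CMD SELECT INBOX",
              "2018-12-06 09:03:09 [192.0.2.10] DISCONNECT"]
    return lines


def report(lines):
    """Map each IP to its label; the thing you would feed a firewall or IDS rule."""
    return {ip: classify(s) for ip, s in aggregate(lines).items()}


if __name__ == "__main__":
    sample = build_sample()
    for ip, label in report(sample).items():
        print(f"{ip:15} {label}")
    print(f"busiest IP accounts for {top_share(aggregate(sample)):.0%} of connections")
```

Only the "brute-force" and "idle-flood" labels are candidates for a firewall or IDS block; a "chatty-client" IP is a paying user's mail client and blocking it is the customer-support nightmare described above. A `top_share` near 1.0 points at a single-source attack that a one-line firewall rule handles, while a low share with many "idle-flood" IPs means the pressure is distributed and per-IP blocking will lag behind it.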

