Our GWIAs are (were) under constant brute force attacks from the internet. We've got over 3000 mailbox lockouts over the IMAP protocol every day. So I went ahead and tried to write a small script to find the IP addresses of those attackers and block them for a day or so. This turned out to be impossible, because at the moment it is very cumbersome to get the information about a failed login attempt from the GWIA logs. The fact that somebody used a wrong password, the username and the source IP address are separated into three different log lines or even different log files. Without further detailed information about the logging mechanism of the GWIA it is impossible for me to write such a script.

So I changed my approach and blocked every IP address except those from my own country. This stopped the brute force attacks and the number of mailbox lockouts dropped to zero per day, but this is just a temporary solution. Sooner or later the bad guys will find out that they have to use an IP address from my own country to continue with their suspicious activity.

There are many good ideas on the portal to revolutionize the GWIA or its logging. I assume those are hard to implement, and this is why they are not even marked as planned. My idea is just a small change in the logging of the GWIA. I hope it is easy to implement and will be picked up by the product managers. So please put this information on one line in the GWIA log for IMAP requests: timestamp, username, connection IP address and login result. For example:
10:11:12 UserA ::ffff: Successful authentication
10:11:12 UserA ::ffff: Invalid password
10:11:12 UserA ::ffff: Intruder lockout

With this information it would be much easier to create your own firewall script to block attackers, or even to attach GW to a 3rd-party log analyser like Sentinel.
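To show what the proposed one-line format would make possible, here is an added example (not part of the original post and not GroupWise code) of the kind of blocking script the post describes. It assumes the hypothetical line layout `HH:MM:SS <username> <client address> <login result>` from the post, which is not the real GWIA log layout; the sample log lines are constructed here with addresses from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32). Failed attempts are counted per source address inside a sliding time window, an allow-list keeps your own networks from ever being blocked, and the resulting iptables rules are rendered as strings for a wrapper script to apply.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical one-line format proposed in the post (NOT the real GWIA layout):
#   HH:MM:SS <username> <client address> <login result>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<result>.+?)\s*$"
)

# Results that count as a failed login attempt for blocking purposes.
FAILURE_RESULTS = {"Invalid password", "Intruder lockout"}

# Constructed sample log, assumed to be one day's file (times have no date).
SAMPLE_LOG = """\
10:11:12 UserA ::ffff:192.0.2.10 Successful authentication
10:11:13 UserB ::ffff:198.51.100.7 Invalid password
10:11:14 UserC ::ffff:198.51.100.7 Invalid password
10:11:15 UserD ::ffff:198.51.100.7 Invalid password
10:11:16 UserE ::ffff:198.51.100.7 Invalid password
10:11:17 UserF ::ffff:198.51.100.7 Intruder lockout
10:30:00 UserA ::ffff:192.0.2.10 Invalid password
10:30:05 UserA ::ffff:192.0.2.10 Successful authentication
11:00:00 UserA 2001:db8::1 Invalid password
this line is garbage and must be ignored
"""


def normalize_ip(raw):
    """Parse the client address; unmap IPv4-mapped IPv6 (::ffff:a.b.c.d) to
    plain IPv4 so rules hit the right firewall table. None if unparseable."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_line(line):
    """Split one log line into its fields, or return None for lines that do
    not match the expected layout (so junk never produces a block rule)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = normalize_ip(m.group("ip"))
    if ip is None:
        return None
    return {
        "time": datetime.strptime(m.group("time"), "%H:%M:%S"),
        "user": m.group("user"),
        "ip": ip,
        "result": m.group("result"),
    }


def failures_by_ip(lines):
    """Map each source address to the list of timestamps of its failed logins."""
    fails = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] in FAILURE_RESULTS:
            fails[rec["ip"]].append(rec["time"])
    return fails


def ips_to_block(lines, threshold=5, window=timedelta(minutes=10), allow=()):
    """Return (as sorted strings) every address with at least `threshold`
    failures inside any `window`-long span, skipping allow-listed networks."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    offenders = set()
    for ip, times in failures_by_ip(lines).items():
        if any(ip in net for net in allow_nets):
            continue  # never lock yourself out of your own GWIA
        times.sort()
        # Sliding window: the threshold-th failure after times[i] must fall
        # within `window` of times[i] for the address to count as an attacker.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders.add(ip)
                break
    return sorted(str(ip) for ip in offenders)


def block_commands(ips, port=143):
    """Render iptables/ip6tables DROP rules for the offenders as strings.
    Nothing is executed here; a wrapper script would run and later expire them."""
    cmds = []
    for ip in ips:
        tool = "ip6tables" if ":" in ip else "iptables"
        cmds.append(f"{tool} -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return cmds


if __name__ == "__main__":
    offenders = ips_to_block(SAMPLE_LOG.splitlines(), threshold=5,
                             window=timedelta(minutes=1), allow=["192.0.2.0/24"])
    for cmd in block_commands(offenders):
        print(cmd)
```

The window and threshold are deliberately separate from the mailbox intruder-lockout settings: a password sprayer that tries one password against many mailboxes never trips a per-user lockout, but it does accumulate failures per source address, which is what this counts. Expiring the rules after a day, as the post suggests, would be the wrapper's job (a cron job that flushes a dedicated chain is the usual approach).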


  • I would strongly suggest not exposing any GWIA to the raw internet, but fronting it with an appropriate security device, and never exposing IMAP to the outside. Use WebAccess for users via the web or GW Mobility for phones.