heads up ... another imapd attack source

Roeland M.J. Meyer rmeyer at mhsc.com
Tue Dec 15 19:09:06 UTC 1998

At 04:54 AM 12/15/98 , Dave Crocker wrote:
>At 05:17 PM 12/14/98 -0800, Roeland M.J. Meyer wrote:
>>FYI: Not that I sell shell accounts anyway, but I additionally block all
>>non-http access, from *.EDU, with tcp_wrappers and my POP3 is wrapped up in
>>SSH. IMAPD was shot and buried(deleted) a long time ago.
>this means that any user who is traveling, and happens to try to get their
>mail while accessing from a .edu site won't be able to pick it up.

Only if they are accessing mail on MHSC systems, from an *.EDU dial-up.
There are other dial-up options and MHSC has direct dial-up ports
available. Also, we do allow VPN tunnels from *.EDU, but only to directed
hosts with no routing and on advanced arrangement. The user that does so,
does it under our TOS and AUP.

>since imap popularity is growing, lack of imap service is also problematic.

It's balance of problems. We consider the rootkit risk more severe than the
loss of business from *.EDU sites. We have secure POP3 and Web-based (SSL)
mail, we are investigating POP3 over SSL. Those services are allowed to
*.EDU, from MHSC. 

As has been shown by others, IMAPD attacks are on the rise. It would not do
for a security advocate to get rootkit'd, just think of the publicity
<grin>. It's one of the things that keep me up at night. Many of the
vulnerable systems are in *.EDU, as has already been shown to my
satisfaction. Granted, MHSC has always viewed *.EDU is a huge potential
security risk. That is an unapologized bias on our part. It is the nature
of the beast. When the reference code, for IMAPD, becomes better written,
or we (MHSC) re-write it ourselves, we will reinstantiate the IMAPD
service. Until then, it remains dead.

A current example is a spammer that I've been tracing for weeks. They
always come from a different host, but it's obviously the same guys, they
are very good. Many of the relays they use have been root'd. The latest one
I've found is at sun.soci.niu.edu. So a SAINT run against it yourself and
see how vulnerable they are. If they aren't root'd now, they soon will be,

I am quickly gaining the unsupported suspicion that spammers may be behind
many of the IMAPD attacks. They are looking for hosts to send their spew
from. Note that this *is* an unsupported view/suspicion, I claim no solid

Morgan Hill Software Company, Inc. 
Roeland M.J. Meyer, ISOC 
President and CEO. 
e-mail:        <mailto:rmeyer at mhsc.com>mailto:rmeyer at mhsc.com 
Web-pages:    <http://www.mhsc.com/~rmeyer>http://www.mhsc.com/~rmeyer 
Web-site:        <http://www.mhsc.com>http://www.mhsc.com 
Colorado Springs, CO - Livermore, CA - Morgan Hill, CA 
-----------------------------------------(legal notice)-------- 
Note: Statements made in this message do not 
         necessarily reflect the  position of MHSC. All 
         forcasts and projections are to be considered 
         as forward-looking and presume conditions which 
         may not be referenced herein. 
-----------------------------------------(/legal notice)------- 

More information about the NANOG mailing list