We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).
It's time to retire those services!
Data shared in:
Vulnerable POP3 report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-pop3-report/
Vulnerable IMAP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-imap-report/
Geo breakdown of instances:
POP3 (no encryption): https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-12-30&source=pop3_vulnerable&source=pop3_vulnerable6&geo=all&data_set=count&scale=log
IMAP (no encryption): https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-12-30&source=imap_vulnerable&source=imap_vulnerable6&geo=all&data_set=count&scale=log
Note that regardless of whether TLS is enabled or not, service exposure may enable password guessing attacks against the server.
You can find POP3 and IMAP servers that use TLS in our Accessible POP3 https://shadowserver.org/what-we-do/network-reporting/accessible-pop3-report/ & Accessible IMAP https://shadowserver.org/what-we-do/network-reporting/accessible-imap-report/ reports.
UPDATE: After feedback from various National CSIRTs & mail server operators (thank you!), we have identified a number of potential false positives in data being shared. We have suspended the vulnerable POP3/IMAP reports & are working on improvements before restarting reporting.