> Attackers mainly interested in port 20, 21, 25, 110, and 143, corresponding to FTP-data, FTP, SMTP, POP3, and IMAP traffic.

That strongly suggests password harvesting. Those ports/protocols often (not always) are used for unencrypted user/pass combinations. :(