[Dovecot] login processes from attacks staying for hours

Matt lm7812 at gmail.com
Thu Jul 24 01:11:13 EEST 2008


> and I notice that dovecot doesn't handle the brute-force attacks too nice.
> I reduced the limit a bit to some reasonable looking value:
> login_max_processes_count = 32
> to stop them earlier and the number of processes stops at that figure when
> an attack happens.

Somewhat off original topic.  I cannot help but wonder what the goal
of the brute force attack is.  I am guessing they want a working
username and password to relay junk email?

I have heard of users having their email address and password stolen
by a virus or spyware then used to authenticate and relay thousands of
pieces of junk email.  We enabled rate-limit on Exim which only allows
a given IP to send to X number of message recipients in X amount of
time.  We also added a plugin to Squirrel Mail to only allow so many
recipients per message and only so many messages per day.

Matt
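
An Exim ACL fragment for the per-IP recipient rate limit described in the message above. This is an added example, not configuration from the original post: the limit (100 recipients) and the period (1 hour) are placeholder values, and acl_check_rcpt is the RCPT ACL name from Exim's default configuration.

```exim
# Added example: the limit and period below are placeholders, not the poster's values.
# Put this near the top of the ACL referenced by acl_smtp_rcpt
# (named acl_check_rcpt in Exim's default configuration).
acl_check_rcpt:

  # Count every RCPT command per connecting IP address. Once a host has
  # passed 100 recipients within an hour, answer further RCPTs with a
  # temporary (4xx) error, so a legitimate sender's queue simply retries later.
  defer
    ratelimit   = 100 / 1h / per_rcpt / $sender_host_address
    message     = Recipient rate limit exceeded, try again later
    log_message = ratelimit: $sender_host_address at $sender_rate \
                  recipients per $sender_rate_period (limit $sender_rate_limit)
```

The log_message line records the measured rate in the main log, which gives a single string to search for when a compromised account starts relaying.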

