[Dovecot] Logging passwords on auth failure/dealing with botnets

Stan Hoeppner stan at hardwarefreak.com
Mon Sep 2 11:12:49 EEST 2013


On 9/1/2013 2:59 PM, Noel wrote:
> On 9/1/2013 10:00 AM, Charles Marcus wrote:
...
>> Wonder if there's a way to leverage Stan Hoeppner's most excellent
>> botnet killer to reject AUTHs from the same types of clients
>> before they even try?
>
> The objective of Stan's list is to reject dynamic hosts, because the
> overwhelming majority of dynamic hosts trying to send via SMTP are
> zombies.

Yep.

> For dovecot, the situation is quite different. Blocking all dynamic
> IPs would be an obvious mistake.

Yep.

Unfortunately the hosts we want to block at the public SMTP port are the
same hosts that are your typical legitimate IMAP clients.

To do something similar to Postscreen with Dovecot would require Timo
writing code similar to Postscreen that would look for IMAP protocol
violations or similar signs that the client is a bot and not a legit MUA.

But given that Dovecot is designed for inherently greater client
parallelism (thousands) than Postfix smtpd (100), I don't think anyone
is rejecting clients due to running out of auth process slots taken by bots.

As others have suggested, this seems a log clutter issue, nothing more.

-- 
Stan


