On 10/01/2026 03:04, Joseph Tam via dovecot wrote:
On Fri, 9 Jan 2026, John Fawcett wrote:
I find it useful (both on Postfix and Dovecot) to apply XBL to block connection to authenticated services.
I grep'd through last week's logs for probable brute forcers, and check the IPs against 3 RBLs. (Many IPs tried only once.)
Aggregate statistics:
  87  -  -  -   (No hits)
  46  +  -  -
  32  +  +  -
   9  +  -  +
   6  +  +  +
   5  -  +  -
   4  -  -  +
102/189 (54%) were listed by at least one of the RBLs, with the following stats
  RBL                        hits   rate   rate (>0 hits)
  (col#1) bl.blocklist.de      93    49%   91%
  (col#2) auth.spamrats.com    52    28%   51%
  (col#3) xbl.spamhaus.org     19    10%   19%
You should try one of the other 2 RBLs: they specifically list brute forcers. I use them as pre-emptive block-on-sight for SMTP auth, and I don't recall ever getting a false positive.
Joseph Tam <jtam.home@gmail.com>
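The procedure Joseph describes above (pull the probable brute forcers out of the Dovecot login log, query each IP against the three DNSBLs, then tally hit patterns and per-list rates) as an added, self-contained example; this is not Joseph's script or anything from the Dovecot project. The log lines and the set of "listed" answers are constructed so it runs offline; the `resolve` parameter swaps in a real DNS lookup when you want live results, and the `min_attempts` threshold is an assumption (Joseph does not say how he picked "probable" brute forcers).

```python
import re
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# The three lists named in the thread, in the column order of the summary table.
ZONES = ("bl.blocklist.de", "auth.spamrats.com", "xbl.spamhaus.org")

# Dovecot's login processes log failed sessions with the attempt count and rip=<remote ip>.
AUTH_FAIL_RE = re.compile(r"auth failed, (\d+) attempts.*?rip=([0-9.]+)")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL query: IPv4 octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"IPv4 address expected, got {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_with_dns(name: str) -> bool:
    """Live resolver: a DNSBL lists the IP iff the query name has an A record."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def probable_brute_forcers(log_lines: Iterable[str], min_attempts: int = 3) -> List[str]:
    """Distinct rip= addresses from lines reporting at least min_attempts failed logins."""
    seen: List[str] = []
    for line in log_lines:
        m = AUTH_FAIL_RE.search(line)
        if m and int(m.group(1)) >= min_attempts and m.group(2) not in seen:
            seen.append(m.group(2))
    return seen


def check_ips(ips: Iterable[str], zones: Tuple[str, ...] = ZONES,
              resolve: Callable[[str], bool] = resolve_with_dns) -> Dict[str, Tuple[bool, ...]]:
    """Map each IP to a tuple of listed/not-listed flags, one per zone."""
    return {ip: tuple(resolve(dnsbl_query_name(ip, z)) for z in zones) for ip in ips}


def summarize(results: Dict[str, Tuple[bool, ...]], zones: Tuple[str, ...] = ZONES) -> dict:
    """Tally '+ - -' style hit patterns and per-zone hit counts, as in the thread's tables."""
    patterns = Counter(" ".join("+" if h else "-" for h in hits) for hits in results.values())
    per_zone = {z: sum(1 for hits in results.values() if hits[i]) for i, z in enumerate(zones)}
    listed = sum(1 for hits in results.values() if any(hits))
    return {"total": len(results), "listed": listed, "patterns": patterns, "per_zone": per_zone}


def format_report(summary: dict) -> str:
    """Render the two tables from the thread: pattern counts, then per-RBL rates."""
    lines = [f"{n:4d}  {pat}" for pat, n in summary["patterns"].most_common()]
    total, listed = summary["total"], summary["listed"]
    lines.append(f"{listed}/{total} listed by at least one RBL")
    for zone, hits in summary["per_zone"].items():
        rate = 100 * hits / total if total else 0
        rate_listed = 100 * hits / listed if listed else 0
        lines.append(f"{zone:22s} {hits:4d} {rate:4.0f}% {rate_listed:4.0f}%")
    return "\n".join(lines)


# Constructed sample log (RFC 5737 test addresses), not real Dovecot output.
LOG = """\
Jan  9 03:14:07 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 12 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a1>
Jan  9 03:15:22 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 5 attempts in 40 secs): user=<admin>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, TLS, session=<b2>
Jan  9 03:16:01 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS, session=<c3>
Jan  9 03:17:45 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 4 attempts in 30 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<d4>
Jan  9 03:18:30 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, TLS, session=<e5>
Jan  9 03:19:12 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 9 secs): user=<test>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.5, TLS, session=<f6>
"""

# Constructed stand-in for DNS answers: these query names "resolve", everything else does not.
LISTED = {
    dnsbl_query_name("192.0.2.10", "bl.blocklist.de"),
    dnsbl_query_name("192.0.2.10", "auth.spamrats.com"),
    dnsbl_query_name("192.0.2.11", "bl.blocklist.de"),
}


def stub_resolve(name: str) -> bool:
    return name in LISTED


if __name__ == "__main__":
    ips = probable_brute_forcers(LOG.splitlines())
    print(format_report(summarize(check_ips(ips, resolve=stub_resolve))))
```

To run it against real logs, replace `LOG` with the contents of your mail log and drop the `resolve=stub_resolve` argument. Two practical points: xbl.spamhaus.org refuses queries that arrive via public resolvers, so use your own recursive resolver, and several DNSBLs encode the listing reason in the returned 127.0.0.x address, which this example deliberately collapses to listed/not listed.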
Hi Joseph
thanks for the tip. I do use auth.spamrats.com on smtp auth, not so far on imap/managesieve. I do know of blocklist.de but I can't remember now if I evaluated to use it in this context. I will look into those.
Out of curiosity are those data from smtp auth or from Dovecot brute force auth attempts? I assume Dovecot but wanted to make sure I understood correctly. Do you do any kind of blocking on Dovecot that could influence the numbers?
It's a while since I checked blocking performance, but what I seem to remember is that I got a lot more attempts before I started blocking, so what I see now with blocking applied is not necessarily representative of what I would see if I didn't block. My assumption is that behind multiple IPs there can be the same actor switching IPs to fly under the radar of fail2ban. When applying outright blocking at connection time, it seems that the actors move on elsewhere, and consequently you end up avoiding more than you actually see as rejects. That's kind of anecdotal; I don't think I have hard evidence of it.
John