Am Freitag, den 05.06.2009, 12:04 +1000 schrieb James Brown:
Looks like we are under a dictionary login attack on our POP server:
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Since the attacker is playing nice you could also limit the maximum connection attempts to the pop3 port in a given timeframe. And if that limit is reached block the ip for a certain amount of time. If you firewall with netfilter, hashlimit is your friend.
Interesting for me is that you are on v1.2RC4. Timo wrote yersterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.
Henry