10 Jan
2026
4:04 a.m.
On Fri, 9 Jan 2026, John Fawcett wrote:
> I find it useful (both on Postfix and Dovecot) to apply XBL to block connection to authenticated services.
I grep'd through last week's logs for probable brute forcers, and checked the IPs against 3 RBLs. (Many IPs tried only once.)
Aggregate statistics:

    count  col#1  col#2  col#3
       87    -      -      -     (No hits)
       46    +      -      -
       32    +      +      -
        9    +      -      +
        6    +      +      +
        5    -      +      -
        4    -      -      +
102/189 (54%) were listed by at least one of the RBLs, with the following stats:

    RBL                          hits   rate   rate (>0 hits)
    (col#1) bl.blocklist.de        93    49%    91%
    (col#2) auth.spamrats.com      52    28%    51%
    (col#3) xbl.spamhaus.org       19    10%    19%
You should try one of the other 2 RBLs: they specifically list brute forcers. I use them as pre-emptive block-on-sight for SMTP auth, and I don't recall ever getting a false positive.
Joseph Tam <jtam.home@gmail.com>
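
The tabulation described in the message above, as an added example (not the poster's script): it checks each unique client IP against the three RBL zones named in the message and counts the +/- hit patterns. It assumes IPv4 addresses already extracted from the logs; the sample addresses and DNS answers are constructed, and `fake_resolve` stands in for real DNS so the example runs offline.

```python
import socket
from collections import Counter

ZONES = ["bl.blocklist.de", "auth.spamrats.com", "xbl.spamhaus.org"]

def dns_lookup(name):
    """Real resolver: A record as a string, or None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(ip, zone, resolve=dns_lookup):
    """DNSBL query: reversed octets + zone; an answer in 127.0.0.0/8 means listed."""
    answer = resolve(".".join(reversed(ip.split("."))) + "." + zone)
    if answer is None or not answer.startswith("127."):
        return False
    # Spamhaus answers 127.255.255.x for refused or malformed queries (for
    # example when asked through a public resolver); that is not a listing.
    return not answer.startswith("127.255.255.")

def tabulate(ips, zones=ZONES, resolve=dns_lookup):
    """Return (Counter of '+ - -' style patterns, Counter of hits per zone)."""
    patterns, hits = Counter(), Counter()
    for ip in sorted(set(ips)):            # each source IP counted once
        flags = [is_listed(ip, zone, resolve) for zone in zones]
        patterns[" ".join("+" if f else "-" for f in flags)] += 1
        for zone, flag in zip(zones, flags):
            hits[zone] += flag
    return patterns, hits

# Constructed sample data: documentation-range IPs and made-up DNSBL answers.
SAMPLE_DNS = {
    "10.2.0.192.bl.blocklist.de": "127.0.0.9",
    "10.2.0.192.auth.spamrats.com": "127.0.0.43",
    "7.100.51.198.bl.blocklist.de": "127.0.0.9",
    "5.113.0.203.xbl.spamhaus.org": "127.255.255.254",   # error code, not a hit
}
SAMPLE_IPS = ["192.0.2.10", "192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.99"]

def fake_resolve(name):
    return SAMPLE_DNS.get(name)

if __name__ == "__main__":
    patterns, hits = tabulate(SAMPLE_IPS, resolve=fake_resolve)
    total = sum(patterns.values())
    for pattern, count in patterns.most_common():
        print(f"{count:4d}  {pattern}")
    print(f"{total - patterns['- - -']}/{total} listed by at least one RBL")
    for zone in ZONES:
        print(f"{zone:20s} {hits[zone]:4d}  {100 * hits[zone] // total}%")
```

Dropping the `resolve=fake_resolve` argument makes the same functions query live DNS through the system resolver.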