On Sat, 10 Jan 2026, John Fawcett wrote:
> Out of curiosity are those data from smtp auth or from Dovecot brute force auth attempts?
Dovecot.
> I assume Dovecot but wanted to make sure I understood correctly. Do you do any kind of blocking on Dovecot that could influence the numbers?
Not really. I thought perhaps some of my larger Asian firewall blocks could affect this, but the firewall logs do not show this. The volume of BFD attempts is way higher on SMTP than IMAP/POP3.
> It's a while since I checked blocking performance, but what I seem to remember is that I got a lot more attempts before I started blocking, so what I see now with blocking applied is not necessarily representative of what I would see if I didn't block. My assumption is that behind multiple IPs there can be the same actor switching IPs to fly under the radar of fail2ban. When applying outright blocking at connection time, it seems that the actors can move on elsewhere and consequently you end up avoiding more than you actually see as rejects. That's kind of anecdotal, I don't think I have hard evidence of it.
I guess some attackers could give up after some rejections, but mostly I see time/user correlated attempts from many different IPs, indicating the same actor is using a botnet.
Joseph Tam <jtam.home@gmail.com>
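
The time/user correlation discussed in this thread can be checked with a per-user sliding window that counts distinct source IPs, which catches spread-out attempts that per-IP counters such as fail2ban miss. This is an added example, not code from either poster; the log line layout, the 10-minute window and the 3-IP threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Dovecot login-failure entries.
SAMPLE_LOG = """\
Jan 10 01:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Jan 10 02:05:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, TLS
Jan 10 03:14:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
Jan 10 03:15:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, TLS
Jan 10 03:16:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, TLS
Jan 10 03:17:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1, TLS
Jan 10 03:19:55 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Jan 10 09:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.99, lip=192.0.2.1, TLS
Jan 10 09:00:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.99, lip=192.0.2.1, TLS
"""

# Assumed layout: syslog timestamp, "auth failed", user=<name>, rip=<address>.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*auth failed"
                     r".*user=<(?P<user>[^>]*)>.*\brip=(?P<rip>[0-9a-fA-F.:]+)")

def parse_failures(log, year=2026):
    """Yield (timestamp, user, remote_ip) for each failed-auth line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:  # successful logins and unrelated lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["rip"]

def distributed_targets(events, window=timedelta(minutes=10), min_ips=3):
    """Return {user: sorted IPs} where min_ips distinct IPs failed within window."""
    by_user = defaultdict(list)
    for ts, user, rip in events:
        by_user[user].append((ts, rip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop failures that fell out of the window
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    print(distributed_targets(parse_failures(SAMPLE_LOG)))
```

In the sample, every source IP fails only once against alice, so a per-IP retry threshold would not trigger, while the per-user view flags the account.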