On 04.02.2014 18:40, Marc Perkel wrote:
Hope to get some attention about this idea to reduce hacking passwords.
Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH
http://ipadmin.junkemailfilter.com/auth-hack.txt
This is a list of IP addresses that attempted to authenticate against my fake AUTH advertising on servers with no authentication. We do front end spam filtering for thousands of domains and I decided to advertise authentication where there is none and I accept and blackhole all authenticated email to those servers. I have harvested the IP addresses in this list that is available through an RBL.
It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
http://wiki2.dovecot.org/Authentication/RestrictAccess
but you could add them in a firewall too
Thoughts?
I think you know the problems of RBLs very well; in the case of IMAP/POP a false positive may increase support extremely. Also think of NAT users.
I prefer more dynamic and flexible solutions, like fail2ban etc.
So your honeypot IPs are fine, but shouldn't be widely used/match for everybody's needs.
Perhaps it might be better to use them in a more "score" or monitoring/alarming system combined with other data.
Best Regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
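
The reply's suggestion of treating the honeypot list as one input to a score, combined with other data, sketched as an added example that is not part of the original thread. The log lines are constructed and only modelled on Dovecot login messages (their format is an assumption), the IPs are documentation-range addresses rather than entries from the published list, and the weights and thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: documentation-range IPs, not taken from the list in the thread.
HONEYPOT_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed log lines modelled on Dovecot login messages (format is an assumption).
SAMPLE_LOG = """\
imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<alice>, method=PLAIN, rip=203.0.113.7
imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob>, method=PLAIN, rip=203.0.113.7
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.7
imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.23
imap-login: Login: user=<erin>, method=PLAIN, rip=198.51.100.23
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=198.51.100.23
pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank>, method=PLAIN, rip=192.0.2.50
"""

LINE_RE = re.compile(r"(?P<kind>Login:|Disconnected \(auth failed, (?P<n>\d+) attempts)"
                     r".*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)")

def score_ips(log_text, listed=HONEYPOT_IPS):
    """Return {ip: (score, action)}; a listing adds weight but never blocks alone."""
    failed = defaultdict(int)        # failed attempts per IP
    failed_users = defaultdict(set)  # distinct usernames that failed per IP
    ok_users = defaultdict(set)      # distinct usernames that logged in per IP
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["kind"] == "Login:":
            ok_users[ip].add(user)
        else:
            failed[ip] += int(m["n"])
            failed_users[ip].add(user)
    result = {}
    for ip in set(failed) | set(ok_users):
        score = 3 if ip in listed else 0                 # honeypot hit: a signal, not a verdict
        score += min(failed[ip], 5)                      # capped failure count
        score += 2 if len(failed_users[ip]) >= 3 else 0  # many usernames tried
        score -= 2 * len(ok_users[ip])                   # working logins: likely NAT or real users
        action = "block" if score >= 8 else "alert" if score >= 3 else "allow"
        result[ip] = (score, action)
    return result

if __name__ == "__main__":
    for ip, (score, action) in sorted(score_ips(SAMPLE_LOG).items()):
        print(f"{ip:15} score={score:2d} {action}")
```

In the sample, both listed addresses start with the same honeypot weight, but only the one that also fails against several usernames reaches the block threshold; the listed address with working logins from two users stays allowed, which is the NAT false-positive case raised in the reply.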