On Fri, 7 Jan 2022, Ken Wright wrote:
> On Fri, 2022-01-07 at 23:27 -0500, Dave McGuire wrote:
>> On 1/7/22 11:24 PM, Ken Wright wrote:
>>> So, if anyone can tell me what's going on with all these logins, I'd be much obliged!
>> I see them all the time on the mail servers I run. Typical kids trying to mess with other people's stuff. I run fail2ban to catch those log entries and block the source IP address for a month on the first failed login. At any one time I have between 12,000 and 15,000 addresses in my blocked list for IMAP.
> Dave, that's exactly the kind of answer I was looking for. Fail2ban, huh? I'll have to check that out. Thanks again!
Yup, these SMTP AUTH BFD attempts come in thick and heavy.
Another resource to preempt these attacks is Spamhaus's XBL blacklist. At my site, there was a 99.2% hit rate and very low false positives. Even those FPs led to some useful discoveries that the client had malware they didn't know about.
http://www.blocklist.de/en/index.html also runs a DNS RBL list and I've had zero FPs after years of use. I think you can even get Fail2ban to report your attackers to this site to add to the crowdsourcing.
Joseph Tam jtam.home@gmail.com
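As an added illustration of the fail2ban-style policy Dave describes (block a source on its first failed IMAP or SMTP AUTH login, for a month), here is a small Python script that does the same thing over log text. It is not code from this thread, from fail2ban, or from Dovecot/Postfix. The log lines are constructed samples with documentation IP addresses, and the two regular expressions are assumed forms modelled on fail2ban failregex patterns, not fail2ban's shipped filters; the function names are likewise my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in Dovecot imap-login and Postfix smtpd
# style. 203.0.113.x and 192.0.2.x are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan  7 23:10:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jan  7 23:10:05 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  7 23:10:09 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Jan  7 23:10:12 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
"""

# Assumed failregex-style patterns: one for Dovecot IMAP auth failures, one
# for Postfix SASL (SMTP AUTH) failures. Each captures the remote IP as <ip>.
FAIL_PATTERNS = [
    re.compile(r"dovecot: imap-login: Disconnected \(auth failed.*rip=(?P<ip>[\d.]+)"),
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
]


def failed_auth_ips(log_text):
    """Return {source_ip: number_of_failed_auth_lines} for the given log text.

    Successful logins and unrelated lines are ignored; a line counts once
    even if more than one pattern could match it.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        for pattern in FAIL_PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group("ip")] += 1
                break
    return dict(counts)


def ban_list(log_text, maxretry=1, bantime=timedelta(days=30), now=None):
    """Return {source_ip: ban_expiry} for sources with >= maxretry failures.

    The defaults (maxretry=1, bantime of 30 days) mirror the "block on the
    first failed login for a month" policy from the thread; fail2ban exposes
    the same knobs as maxretry and bantime in its jail configuration.
    `now` is injectable so the result is deterministic for testing.
    """
    now = now or datetime(2022, 1, 7, 23, 30)  # fixed constructed timestamp
    return {
        ip: now + bantime
        for ip, failures in failed_auth_ips(log_text).items()
        if failures >= maxretry
    }


if __name__ == "__main__":
    for ip, expiry in sorted(ban_list(SAMPLE_LOG).items()):
        print(f"ban {ip} until {expiry.isoformat()}")
```

In practice the ban action would be an nftables or iptables rule rather than a printed line, and the log source would be the live journal; the point here is that the detection side is just a per-IP count of failed-auth matches against a retry threshold, which is why a well-chosen failregex is the part worth checking against your own log format before relying on it.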