[Dovecot] POP3 dictionary attacks

Mark Sapiro mark at msapiro.net
Sat Aug 16 07:08:50 EEST 2008


Kenneth Porter wrote:

>--On Friday, August 15, 2008 5:51 PM -0400 Bruce Bodger
><bruce.bodger at demval.com> wrote:
>
>> fail2ban will not work for this as the incoming ip addresses are
>> spoofed.  fail2ban would end up blocking legitimate servers.
>
>How do you spoof a source address on a TCP connection? I was unaware that
>was possible. How would replies know how to get back to the spoofing host?
>At best, you can spoof another host on your own routed segment. Unless you
>have control of the routing tables on the connecting routers, of course.

Exactly. These days, IP spoofing is most useful to hide the identity of
the perpetrator of a DoS attack. It certainly is not applicable to a
dictionary attack on POP3 or other logins since with a spoofed IP, the
perpetrator will never see the response to determine if the login
attempt was successful.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
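
Added example, not part of the original post: because a TCP login attempt has to come from an address that can receive the server's replies, failed logins can be counted per source address, which is the approach fail2ban takes. The log layout, the function name `find_offenders` and the thresholds are assumptions made for this example; the sample lines are constructed and are not Dovecot's exact log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation addresses). The field layout is an
# assumption for this example, not a guaranteed Dovecot log format.
SAMPLE_LOG = """\
2008-08-15 21:40:01 pop3-login: auth failed: user=<admin>, rip=192.0.2.10
2008-08-15 21:40:03 pop3-login: auth failed: user=<alice>, rip=192.0.2.10
2008-08-15 21:40:04 pop3-login: auth failed: user=<bob>, rip=198.51.100.7
2008-08-15 21:40:05 pop3-login: auth failed: user=<info>, rip=192.0.2.10
2008-08-15 21:40:07 pop3-login: auth failed: user=<test>, rip=192.0.2.10
2008-08-15 21:40:09 pop3-login: login ok: user=<bob>, rip=198.51.100.7
2008-08-15 21:40:10 pop3-login: auth failed: user=<sales>, rip=192.0.2.10
2008-08-15 21:40:12 pop3-login: auth failed: user=<web>, rip=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) pop3-login: "
    r"(?P<result>auth failed|login ok): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[0-9.]+)$"
)

def find_offenders(log_text, max_retry=5, find_time=600):
    """Return {source_ip: time of the failure that crossed the threshold}.

    An address is flagged once it accumulates max_retry failed logins
    within a sliding window of find_time seconds.
    """
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "auth failed":
            continue  # unparsable lines and successful logins are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["rip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than window
            q.popleft()
        if len(q) >= max_retry and m["rip"] not in offenders:
            offenders[m["rip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when}")
```

The single mistyped password from 198.51.100.7 stays below the threshold, so an address with one genuine user behind it is not flagged.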


