Mail account brute force / harassment

[Marc Roos]

If I am not mistaken dovecot has already limited concurrent 
accounts/ips. Furthermore I thought it would be obvious of course to 
utilize for this only unused resources and don't jeopardize a production 
environment. 

Furthermore it is logical to assume that one abuse host is not dedicated 
to me. So it probably has 50? other connections for every one of mine. 
So if it would be common practice to dump abuse to /dev/zero, the abuse 
host would be the first to 'die'. 


-----Original Message-----
From: Gerald Galster via dovecot [mailto:dovecot at dovecot.org] 
Sent: donderdag 11 april 2019 12:57
To: dovecot at dovecot.org
Subject: Re: Mail account brute force / harassment



	Am 11.04.2019 um 12:43 schrieb Marc Roos via dovecot 
<dovecot at dovecot.org>:

	Please do not assume anything other than what is written, it is a 
	hypothetical situation
	
	
	A. With the fail2ban solution
	  - you 'solve' that the current ip is not able to access you
	  - it will continue bothering other servers and admins
	  - you get the next abuse host to give a try.
	
	B. With 500GB dump
	- the owner of the attacking server (probably hacked) will notice 
it 
	will be forced to take action.
	
	
	If abuse clouds are smart (most are) they would notice that 
attacking my 
	servers, will result in the loss of abuse nodes, hence they will 
not 
	bother me anymore. 
	
	If every one would apply strategy B, the abuse problem would get 
less. 
	Don't you agree??
	


I disagree. If 100 servers "hack" your imap account and fetch 500GB then 
most likely your server is unreachable. If this is done over many 
servers then your rack switches become the bottleneck and uninvolved 
servers are affected too.

Your solution may work if traffic is expensive and limited but we're 
heading in the other direction: you can rent a server for 50 bucks with 
1gbit bandwidth and unmetered traffic e.g. at hetzner.de

Maybe you want to look into a solution like weakforced:

https://github.com/PowerDNS/weakforced
Wforce is a project by Dovecot, PowerDNS and Open-Xchange

Best regards
Gerald










	-----Original Message-----
	From: Odhiambo Washington  
	Sent: donderdag 11 april 2019 12:28
	To: Marc Roos
	Cc: dovecot
	Subject: Re: Mail account brute force / harassment
	
	
	
	On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
	<dovecot at dovecot.org> wrote:
	
	
	
	
	Say for instance you have some one trying to constantly access an 
	account
	
	
	Has any of you made something creative like this:
	
	* configure that account to allow to login with any password
	* link that account to something like /dev/zero that generates 
	infinite 
	amount of messages
	 (maybe send an archive of virusses?)
	* transferring TB's of data to this harassing client.
	
	I think it would be interesting to be able to do such a thing.
	
	
	
	
	Instead of being evil, just use fail2ban to address this problem 
:-)  
	
	-- 
	
	Best regards,
	Odhiambo WASHINGTON,
	Nairobi,KE
	+254 7 3200 0004/+254 7 2274 3223
	"Oh, the cruft.", grep ^[^#] :-)