Mail account brute force / harassment
Anton Dollmaier
antondollmaier at aditsystems.de
Thu Apr 11 16:33:42 EEST 2019
On 11.04.2019 13:25, James via dovecot wrote:
> On 11/04/2019 11:43, Marc Roos via dovecot wrote:
>
>> A. With the fail2ban solution
>> - you 'solve' that the current ip is not able to access you
>
> It is only a solution if there are subsequent attempts from the same
> address. I currently have several thousand addresses blocked due to
> dovecot login failures. My firewall is set to log these so I can see
> that few repeat, those that do repeat have intervals of >1 week.
> Blocking these has minimal effect (other than to clog fail12ban and the
> firewall).
>
>> - it will continue bothering other servers and admins
>
> Which is why a dnsbl for dovecot is a good idea. I do not believe the
> agents behind these login attempts are only targeting me, hence the
> addresses should be shared via a dnsbl.
Probably there's an existing solution for both problems (subsequent
attempts and dnsbl):
> https://github.com/PowerDNS/weakforced
It was also discussed recently on this list:
> https://www.dovecot.org/list/dovecot/2019-March/114921.html
Has already been on my personal todo list for some time, so I have no
experience how (good) it actually works.
Best,
Anton
More information about the dovecot
mailing list