Mail account brute force / harassment

Anton Dollmaier antondollmaier at aditsystems.de
Thu Apr 11 16:33:42 EEST 2019


On 11.04.2019 13:25, James via dovecot wrote:
> On 11/04/2019 11:43, Marc Roos via dovecot wrote:
> 
>> A. With the fail2ban solution
>>    - you 'solve' that the current ip is not able to access you
> 
> It is only a solution if there are subsequent attempts from the same 
> address.  I currently have several thousand addresses blocked due to 
> dovecot login failures.  My firewall is set to log these so I can see 
> that few repeat, those that do repeat have intervals of >1 week. 
> Blocking these has minimal effect (other than to clog fail2ban and the 
> firewall).
> 
>>    - it will continue bothering other servers and admins
> 
> Which is why a dnsbl for dovecot is a good idea.  I do not believe the 
> agents behind these login attempts are only targeting me, hence the 
> addresses should be shared via a dnsbl.

Probably there's an existing solution for both problems (subsequent 
attempts and dnsbl):

> https://github.com/PowerDNS/weakforced

It was also discussed recently on this list:

> https://www.dovecot.org/list/dovecot/2019-March/114921.html


It has already been on my personal todo list for some time, so I have no 
experience of how (well) it actually works.


Best,
Anton

