Mail account brute force / harassment

James list at xdrv.co.uk
Fri Apr 12 10:21:58 EEST 2019


On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote:

>> Which is why a dnsbl for dovecot is a good idea.  I do not believe the
>> agents behind these login attempts are only targeting me, hence the
>> addresses should be shared via a dnsbl.
>
> Probably there's an existing solution for both problems (subsequent
> attempts and dnsbl):
>
>> https://github.com/PowerDNS/weakforced

"The goal of 'wforce' is to detect brute forcing of passwords across 
many servers"

The problem is not detecting but blocking.  Dovecot has no mechanism for 
using the data; Dovecot needs DNSBL capability.

I tested a small sample of my IMAP hackers using the lists I use for 
SMTP blocking [1] and enough are in these lists to make them worth using. 
Extra detection is not needed as many of these addresses are already 
known - maybe even by using weakforced.



James.


1. exim dnsblist:
https://www.exim.org/howto/rbl.html
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
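
The check described in the message above (looking up the source addresses of failed IMAP logins in a DNSBL) can be sketched as follows. This is an added example, not code from the post, Dovecot, Exim or weakforced. The zone `dnsbl.example`, the function names, the log lines (written in the shape of Dovecot login-failure entries) and the fake DNS table are constructed assumptions so that it runs offline.

```python
import ipaddress
import re
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)
RIP = re.compile(r"auth failed.*?\brip=([0-9A-Fa-f:.]+)")

def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:  # ::ffff:a.b.c.d is an IPv4 client
        addr = addr.ipv4_mapped
    parts = addr.exploded.split(".") if addr.version == 4 else addr.exploded.replace(":", "")
    return ".".join(reversed(parts)) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_ip(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]}; answers outside 127.0.0.0/8 are not listings."""
    hits = {}
    for zone in zones:
        codes = [a for a in resolve(dnsbl_query_name(ip, zone)) if ipaddress.ip_address(a) in LISTED_NET]
        if codes:
            hits[zone] = codes
    return hits

def failed_login_ips(log_lines):
    """Unique remote IPs (rip=) from failed-login lines, in first-seen order."""
    return list(dict.fromkeys(m.group(1) for line in log_lines if (m := RIP.search(line))))

# Constructed sample data: hypothetical log lines and a fake zone table standing in for DNS.
SAMPLE_LOG = [
    "imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<a>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1",
    "imap-login: Login: user=<b>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.1",
    "imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<c>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.1",
]
FAKE_DNS = {"10.2.0.192.dnsbl.example": ["127.0.0.2"], "7.113.0.203.dnsbl.example": ["198.51.100.53"]}

def sample_report():
    fake = lambda name: FAKE_DNS.get(name, [])  # offline stand-in for system_resolver
    return {ip: check_ip(ip, ["dnsbl.example"], fake) for ip in failed_login_ips(SAMPLE_LOG)}

if __name__ == "__main__":
    print(sample_report())
```

Against a real list, call `check_ip` without the `resolve` argument and pass the zones already used for SMTP blocking.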


