Mail account brute force / harassment
James
list at xdrv.co.uk
Fri Apr 12 10:21:58 EEST 2019
On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote:
>> Which is why a dnsbl for dovecot is a good idea. I do not believe the
>> agents behind these login attempts are only targeting me, hence the
>> addresses should be shared via a dnsbl.
>
> Probably there's an existing solution for both problems (subsequent
> attempts and dnsbl):
>
>> https://github.com/PowerDNS/weakforced
"The goal of 'wforce' is to detect brute forcing of passwords across
many servers"
The problem is not detecting but blocking. Dovecot has no mechanism for
using the data; Dovecot needs DNSBL capability.
I tested a small sample of my IMAP hackers using the lists I use for
SMTP blocking [1] and enough are in these lists to make them worth using.
Extra detection is not needed as many of these addresses are already
known - maybe even by using weakforced.
James.
1. exim dnsblist:
https://www.exim.org/howto/rbl.html
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
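An added example, not part of the original message or of Dovecot: one way to run the kind of test the message describes, checking the source addresses of failed IMAP logins against a DNSBL. The zone name `dnsbl.example` is a placeholder, the log lines are constructed in the style of Dovecot login-failure entries, and the resolver is injectable so the check can be exercised without network access.

```python
import ipaddress
import re
import socket

# Constructed sample lines in the style of Dovecot imap-login entries.
SAMPLE_LOG = """\
Apr 12 09:01:10 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 14 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Apr 12 09:01:44 mx dovecot: imap-login: Login: user=<james>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
Apr 12 09:02:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=LOGIN, rip=2001:db8::5, lip=192.0.2.10
Apr 12 09:03:19 mx dovecot: imap-login: Aborted login (auth failed, 2 attempts in 9 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""

RIP = re.compile(r"auth failed.*?\brip=([0-9A-Fa-f:.]+)")

def failed_login_ips(log_text):
    """Unique remote IPs from auth-failure lines, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = RIP.search(line)
        if m:
            seen.setdefault(str(ipaddress.ip_address(m.group(1))), None)
    return list(seen)

def dnsbl_name(ip, zone):
    """Reversed octets (IPv4) or reversed nibbles (IPv6) prepended to the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # ends in in-addr.arpa / ip6.arpa
    return rev.rsplit(".", 2)[0] + "." + zone

def system_lookup(name):
    """A-record lookup; None when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_ips(ips, zone, lookup=system_lookup):
    """Map each IP to its DNSBL return code, or None if it is not listed."""
    result = {}
    for ip in ips:
        answer = lookup(dnsbl_name(ip, zone))
        # Listings conventionally answer inside 127.0.0.0/8; ignore anything else.
        listed = answer is not None and answer.startswith("127.")
        result[ip] = answer if listed else None
    return result

if __name__ == "__main__":
    fake = {"7.113.0.203.dnsbl.example": "127.0.0.2"}.get  # constructed answer
    print(check_ips(failed_login_ips(SAMPLE_LOG), "dnsbl.example", fake))
```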