Mail account brute force / harassment
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Apr 12 10:24:36 EEST 2019
On 12.4.2019 10.21, James via dovecot wrote:
> On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote:
>
>>> Which is why a dnsbl for dovecot is a good idea. I do not believe the
>>> agents behind these login attempts are only targeting me, hence the
>>> addresses should be shared via a dnsbl.
>>
>> Probably there's an existing solution for both problems (subsequent
>> attempts and dnsbl):
>>
>>> https://github.com/PowerDNS/weakforced
>
> "The goal of 'wforce' is to detect brute forcing of passwords across
> many servers"
>
> The problem is not detecting but blocking. Dovecot has no mechanism
> for using the data; Dovecot needs DNSBL capability.
>
> I tested a small sample of my IMAP hackers using the lists I use for
> SMTP blocking [1] and enough are in these lists to make them worth
> using. Extra detection is not needed as many of these addresses are
> already known - maybe even by using weakforced.
>
>
>
> James.
>
>
> 1. exim dnsblist:
> https://www.exim.org/howto/rbl.html
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
>
>
Weakforced uses Lua so you can easily integrate DNSBL support into it.
We will not add DNSBL support to dovecot at this time.
Aki