Mail account brute force / harassment

Robert Kudyba rkudyba at fordham.edu
Fri Apr 12 18:11:26 EEST 2019


> Probably there's an existing solution for both problems (subsequent
> attempts and dnsbl):
>
> https://github.com/PowerDNS/weakforced
>
> It was also discussed recently on this list:
>
> https://www.dovecot.org/list/dovecot/2019-March/114921.html
>
> Has already been on my personal todo list for some time, so I have no
> experience how (good) it actually works.

That was a thread I started. I got wforce to work. However, the "reporting
IP" in the logs always shows as 127.0.0.1, so I risk banning myself. Here's
the log entry:

Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}

I've tried setting auth_policy_server_url to examples such as:

   - auth_policy_server_url = http://localhost:8084/
   - auth_policy_server_url = http://0.0.0.0:8084/
   - auth_policy_server_url = https://ourdomain.edu:8084/

in the custom config file for wforce and the rip (reporting IP, e.g., Apr
12 10:06:10 auth: Debug: client in: AUTH    1       PLAIN   service=imap
secured session=OWoLzlWGDrh/AAAB        lip=127.0.0.1   rip=127.0.0.1
 lport=143       rport=47118     resp=<hidden>) is either 127.0.0.1 or
ourdomain.edu.
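
Added example (not part of the original post, and not Dovecot or wforce code): a check to run over auth debug log lines like the one quoted above before letting a policy server block anything, counting failed-login reports whose "remote" field is a loopback or unspecified address. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample lines in the format quoted in the post (not real logs).
SAMPLE_LOG = """\
Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Apr 12 10:07:01 auth: Debug: policy(alice,203.0.113.7,<c2Vzc2lvbjE>): Policy server request JSON: {"device_id":"","login":"alice","protocol":"imap","pwhash":"9f","remote":"203.0.113.7","success":false,"policy_reject":false,"tls":true}
Apr 12 10:07:05 auth: Debug: client in: AUTH 1 PLAIN service=imap
"""

REQUEST_RE = re.compile(r"Policy server request JSON:\s*(\{.*\})\s*$")


def policy_requests(log_text):
    """Yield the decoded JSON body of each policy request line."""
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        try:
            yield json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or wrapped line; skip rather than guess


def self_ban_risk(log_text):
    """Count failed-login reports whose 'remote' is a local address.

    Returns (risky, total): risky maps each loopback/unspecified remote
    to the number of failed attempts reported under it.
    """
    risky, total = Counter(), 0
    for req in policy_requests(log_text):
        total += 1
        try:
            addr = ipaddress.ip_address(req.get("remote", ""))
        except ValueError:
            continue  # missing or malformed address
        if (addr.is_loopback or addr.is_unspecified) and not req.get("success"):
            risky[str(addr)] += 1
    return risky, total


if __name__ == "__main__":
    risky, total = self_ban_risk(SAMPLE_LOG)
    for addr, count in risky.items():
        print(f"{count}/{total} failed logins reported with remote={addr}")
```

Any non-zero count means a block keyed on "remote" would hit the mail server's own address rather than the client that actually failed the login.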