Mail account brute force / harassment
Joseph Tam
jtam.home at gmail.com
Sat Apr 13 00:05:40 EEST 2019

On Fri, 12 Apr 2019, mj wrote:

> What we do is: use https://github.com/trick77/ipset-blacklist to block IPs
> (from various existing blacklists) at the iptables level using an ipset.

"www.blocklist.de" is a nifty source. Could you suggest other publicly
available blacklists?

> That way, the known bad IPs never even talk to dovecot, but are dropped
> immediately. We have the feeling it helps a lot.

Really helps with uber-stupid BFD attacks that pound our plaintext ports
even though Dovecot repeatedly responds with

-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
xx NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

The irony is that even if it blunders onto a usable password, they wouldn't
know it.

Joseph Tam <jtam.home at gmail.com>
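
Added example, not part of the original post and not code from ipset-blacklist: one way to turn a downloaded blocklist into `ipset restore` input for the set-based dropping quoted above, rejecting malformed, internal and over-broad entries before they reach the firewall. The set name `blacklist`, the NEVER_BLOCK ranges and the sample feed are assumptions made for illustration.

```python
import ipaddress

# Constructed sample feed: documentation-range addresses plus entries to reject.
SAMPLE_FEED = """\
203.0.113.7
203.0.113.8   # inline comments are stripped
198.51.100.0/25
198.51.100.128/25
10.0.0.5
0.0.0.0/0
not-an-ip
"""

# Ranges that must never end up in a DROP set (assumption: adjust per site).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24",  # last one: hypothetical admin range
)]

def parse_feed(text):
    """Return (collapsed IPv4 networks, rejected entries) for one feed."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        # An over-broad or internal entry would lock out legitimate users.
        if net.version != 4 or any(net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append(entry)
            continue
        nets.add(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore_script(nets, name="blacklist"):
    """Build input for `ipset restore`: fill a temp set, then swap it in."""
    tmp = f"{name}-tmp"
    opts = "hash:net family inet maxelem 65536"
    lines = [f"create {name} -exist {opts}", f"create {tmp} -exist {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {net}" for net in nets]
    lines += [f"swap {name} {tmp}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(ipset_restore_script(parse_feed(SAMPLE_FEED)[0]), end="")
```

The output is piped to `ipset restore`, and the set is matched with a rule such as `iptables -I INPUT -m set --match-set blacklist src -j DROP`. Swapping from a temporary set keeps the live set populated while the new list loads.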