Mail account brute force / harassment

Joseph Tam jtam.home at gmail.com
Sat Apr 13 00:05:40 EEST 2019


On Fri, 12 Apr 2019, mj wrote:

> What we do is: use https://github.com/trick77/ipset-blacklist to block IPs 
> (from various existing blacklists) at the iptables level using an ipset.

"www.blocklist.de" is a nifty source.  Could you suggest other publicly
available blacklists?

> That way, the known bad IPs never even talk to dovecot, but are dropped 
> immediately. We have the feeling it helps a lot.

Really helps with uber-stupid BFD attacks that pound our plaintext ports
even though Dovecot repeatedly responds with

 	-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
 	* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
 	xx NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

The irony is that even if it blunders onto a usable password, they wouldn't
know it.

Joseph Tam <jtam.home at gmail.com>
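A defender-side companion to the approach discussed in this thread, as an added example that is not code from the post or from the ipset-blacklist project: it tallies failed and disallowed-plaintext auth attempts per remote IP from constructed Dovecot login-log lines and emits `ipset restore` input that a DROP rule on the set (`-m set --match-set dovecot-bfd src -j DROP`) can consume. The set name, threshold and timeout are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Dovecot login-process log format (not from the post).
SAMPLE_LOG = """\
Apr 12 23:59:01 mx dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<alice>, rip=198.51.100.23, lip=192.0.2.10, session=<a1>
Apr 12 23:59:02 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, session=<b2>
Apr 12 23:59:03 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<c3>
Apr 12 23:59:04 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<d4>
Apr 12 23:59:05 mx dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<root>, rip=198.51.100.23, lip=192.0.2.10, session=<e5>
"""

# Match a login-process disconnect, capture the reason and the remote IP (rip=).
LINE_RE = re.compile(
    r"(?P<proto>imap|pop3|submission)-login: Disconnected \((?P<reason>[^)]*)\)"
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)
FAILED_RE = re.compile(r"auth failed, (?P<n>\d+) attempts")


def failed_attempts(log_text):
    """Return {rip: count}. A disallowed-plaintext attempt counts as one failure;
    'auth failed, N attempts' contributes N, since Dovecot logs once per connection."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        reason, rip = m.group("reason"), m.group("rip")
        if "disallowed plaintext auth" in reason:
            counts[rip] += 1
        else:
            f = FAILED_RE.search(reason)
            if f:
                counts[rip] += int(f.group("n"))
    return counts


def ipset_restore_lines(counts, threshold=3, setname="dovecot-bfd", timeout=86400):
    """Build `ipset restore` input: create the set (idempotent via -exist) and add
    every IP at or above the threshold with an expiring entry. Assumed set name/timeout."""
    lines = [f"create {setname} hash:ip timeout {timeout} -exist"]
    for rip, n in sorted(counts.items()):
        if n >= threshold:
            lines.append(f"add {setname} {rip} timeout {timeout} -exist")
    return lines


if __name__ == "__main__":
    # Pipe this output into `ipset restore` from a cron job or a log-tailing daemon.
    print("\n".join(ipset_restore_lines(failed_attempts(SAMPLE_LOG))))
```

The legitimate TLS client at 203.0.113.7 with a single typo stays under the threshold, while the plaintext pounder at 198.51.100.23 is added with a 24-hour expiry.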
