On Thu, Aug 22, 2013 at 04:16:51PM +0000, Michael Smith (DF) wrote:
> Or another option, are there any good DNS-based RBLs for botnet IPs,
> and is there any way to tie that in to the dovecot auth system?
> I've been looking for botnet rbls, but what I've found so far
> doesn't seem to work very well. Most of the IPs that I've had to
> firewall don't exist in them.
I guess I would first have tried Spamhaus XBL, but I guess you checked that already. The problem with using XBL, anyway, is that you might have legitimate logins from listed hosts. Example: a traveler using hotel wifi.

We (TINW) really would need a new DNSBL type (or a special result) for this sort of abuse. It's a nice idea, worth building upon, if someone can fund it (or find the time to develop it, which really amounts to the same thing.)

Imagine also a Dovecot network of reporters, where brute force attempts worldwide are reported from Dovecots to the DNSBL, not merely a one-way tie-in.

I'd also suggest listing SSH brute force attacks in the same DNSBL, possibly with a different result (127.0.0.$port, so IMAP attackers list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to incorporate the third quad for ports > 255, but the general idea is for result codes to be both machine and human readable as much as possible.)

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
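The port-encoded result scheme proposed in the reply above (127.0.0.$port, with the third octet carrying the high byte for ports > 255), worked through as an added example that is not code from the thread or from Dovecot. The zone name and the DNSBL answers fed to it are constructed assumptions; a real deployment would get the answers from a DNS lookup of the query name.

```python
import ipaddress

# Hypothetical zone name for the brute-force DNSBL (assumption, not a real zone).
DNSBL_ZONE = "bruteforce.example.invalid"

def port_to_result(port):
    """Encode a TCP port as a 127.0.x.y A record: x = high byte, y = low byte.
    Ports <= 255 give the human-readable 127.0.0.<port> form from the thread."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "127.0.%d.%d" % (port >> 8, port & 0xFF)

def result_to_port(answer):
    """Recover the port from a 127.0.x.y answer; reject anything outside the scheme."""
    octets = ipaddress.IPv4Address(answer).packed
    if octets[0] != 127 or octets[1] != 0:
        raise ValueError("not a port-encoded listing: %s" % answer)
    return (octets[2] << 8) | octets[3]

def query_name(client_ip, zone=DNSBL_ZONE):
    """Build the reversed-octet query name a resolver would look up for client_ip."""
    reversed_octets = reversed(ipaddress.IPv4Address(client_ip).exploded.split("."))
    return ".".join(reversed_octets) + "." + zone

def classify(client_ip, answers):
    """Interpret the A records returned for client_ip (empty list = not listed)
    into the set of service ports the address has been reported attacking."""
    ports = sorted({result_to_port(a) for a in answers})
    return {"ip": client_ip, "listed": bool(ports), "ports": ports}

def should_block(client_ip, answers, service_port):
    """Policy hook for an auth frontend: block only when the listing names the
    service being authenticated against, so an address reported for SSH abuse
    is not automatically refused IMAP logins (and vice versa)."""
    return service_port in classify(client_ip, answers)["ports"]

if __name__ == "__main__":
    # Constructed sample: one host reported for both IMAP and SSH attempts.
    sample_ip, sample_answers = "192.0.2.10", ["127.0.0.143", "127.0.0.22"]
    print(query_name(sample_ip))
    print(classify(sample_ip, sample_answers))
    print("block IMAP:", should_block(sample_ip, sample_answers, 143))
    print("block SMTPS:", should_block(sample_ip, sample_answers, 465))
```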