On 10/01/2026 03:04, Joseph Tam via dovecot wrote:
> On Fri, 9 Jan 2026, John Fawcett wrote:
>
>> I find it useful (both on Postfix and Dovecot) to apply XBL to block
>> connection to authenticated services.
>
> I grep'd through last week's logs for probable brute forcers, and
> checked the IPs against 3 RBLs. (Many IPs tried only once.)
>
> Aggregate statistics:
>
>      87  - - -   (No hits)
>      46  + - -
>      32  + + -
>       9  + - +
>       6  + + +
>       5  - + -
>       4  - - +
>
> 102/189 (54%) were listed by at least one of the RBLs, with the
> following stats
>
>              RBL                 hits   rate   rate (>0 hits)
>     (col#1)  bl.blocklist.de       93    49%    91%
>     (col#2)  auth.spamrats.com     52    28%    51%
>     (col#3)  xbl.spamhaus.org      19    10%    19%
>
> You should try one of the other 2 RBLs: they specifically list brute
> forcers. I use them as pre-emptive block-on-sight for SMTP auth, and
> I don't recall ever getting a false positive.
>
> Joseph Tam <[email protected]>

Hi Joseph

thanks for the tip. I do use auth.spamrats.com on smtp auth, not so far
on imap/managesieve. I do know of blocklist.de but I can't remember now
if I evaluated using it in this context. I will look into those.

Out of curiosity are those data from smtp auth or from Dovecot brute
force auth attempts? I assume Dovecot but wanted to make sure I
understood correctly. Do you do any kind of blocking on Dovecot that
could influence the numbers?

It's a while since I checked blocking performance, but what I seem to
remember is that I got a lot more attempts before I started blocking, so
what I see now with blocking applied is not necessarily representative
of what I would see if I didn't block. My assumption is that behind
multiple IPs there can be the same actor switching IPs to fly under the
radar of fail2ban. When applying outright blocking at connection time
it seems that the actors can move on elsewhere and consequently you end up
avoiding more than you actually see as rejects. That's kind of
anecdotal, I don't think I have hard evidence of it.

John
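
The per-IP RBL tally quoted above, as an added example that is not part of the original thread: it builds the same +/- hit-pattern counts and per-list rates from a list of source addresses. The function names are hypothetical, the lookup uses the standard reversed-octet DNSBL query (IPv4 only), and extracting the addresses from your own logs is assumed to have been done already.

```python
import ipaddress
import socket
from collections import Counter

# The three zones named in the thread, in the same column order.
ZONES = ["bl.blocklist.de", "auth.spamrats.com", "xbl.spamhaus.org"]

def dns_listed(ip, zone):
    """True if <reversed octets>.<zone> resolves to a 127.x listing code."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    try:
        answer = socket.gethostbyname(name)
    except OSError:  # NXDOMAIN or lookup failure: count as not listed
        return False
    # Spamhaus answers 127.255.255.x for query errors, which are not listings.
    return answer.startswith("127.") and not answer.startswith("127.255.255.")

def tally(ips, zones=ZONES, listed=dns_listed):
    """Return (pattern counts, per-zone hits, unique IPs, IPs with >= 1 hit)."""
    patterns, hits = Counter(), Counter()
    unique = {str(ipaddress.IPv4Address(ip)) for ip in ips}  # validate, dedupe
    for ip in sorted(unique):
        row = [listed(ip, z) for z in zones]
        patterns[" ".join("+" if r else "-" for r in row)] += 1
        hits.update(z for z, r in zip(zones, row) if r)
    any_hit = len(unique) - patterns[" ".join("-" * len(zones))]
    return patterns, hits, len(unique), any_hit

def report(ips, **kw):
    """Format the tally as a pattern table plus hits / rate / rate (>0 hits)."""
    patterns, hits, total, any_hit = tally(ips, **kw)
    if not total:
        return "no addresses"
    lines = [f"{n:4d} {p}" for p, n in patterns.most_common()]
    lines.append(f"{any_hit}/{total} listed by at least one RBL")
    for z in kw.get("zones", ZONES):
        share = f"{hits[z] / any_hit:.0%}" if any_hit else "n/a"
        lines.append(f"{z:20s} {hits[z]:4d} {hits[z] / total:4.0%} {share}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample (documentation address ranges) with a constructed fake
    # lookup table so this runs offline; omit `listed=` to query real DNS.
    FAKE = {("192.0.2.10", ZONES[0]), ("192.0.2.10", ZONES[1]), ("198.51.100.7", ZONES[0])}
    sample = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.10"]
    print(report(sample, listed=lambda ip, z: (ip, z) in FAKE))
```

For real lookups, query through your own recursive resolver: Spamhaus returns error codes rather than listings to queries arriving via public resolvers, which would otherwise read as "not listed" and understate that column.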
_______________________________________________
dovecot mailing list -- [email protected]