You might want to consider a few others as well that might be in RBL
format.
Glad you are getting use out of auth.spamrats.com; it specifically
targets static known sources of auth attackers.
But consider some proxy RBLs as well. There are a couple out there, e.g.
RATS-PROXY et al.
Note that RATS-AUTH contains the RATS-NULL (Drop) lists as well, but you
can use things like the Spamhaus DROP lists as well.
And if you are aggressive, and you know no one is checking email
from China, you can even use RBLs for that.
However! (Caveat) .. you should always implement an auth exemption list
mechanism for the odd legitimate IP in the midst of a sea of bad IPs.
E.g., the amount of BEC attacks from Google, Digital Ocean, Azure, Tencent,
etc. is immense, and we are seeing more targeting IMAP directly all the time.
But you 'might' have a legitimate IMAP poller on one of those IPs.
(More necessary on SMTP, where people need to 'relay' from cloud servers
through 3rd party email servers.)
Not to use this list to hype a service, but everyone should be using
RBLs in the Dovecot AUTH layer...
If anyone isn't using RATS-AUTH, API keys are free.. you should be using
at least them, if not multiple RBLs; we see far too much abuse through
government Zimbra servers, from well known bulletproof hosters, that
have been listed for years.
On 2026-01-11 16:01, Mateusz Lamparski via dovecot wrote:
Do rbl check-in
Sun., 11 Jan 2026, 15:23, user John Fawcett via dovecot
<[1][email protected]> wrote:
On 10/01/2026 03:04, Joseph Tam via dovecot wrote:
> On Fri, 9 Jan 2026, John Fawcett wrote:
>
>> I find it useful (both on Postfix and Dovecot) to apply XBL to block
>> connection to authenticated services.
>
> I grep'd through last week's logs for probable brute forcers, and
> checked the IPs against 3 RBLs. (Many IPs tried only once.)
>
> Aggregate statistics (+ = listed, - = not listed):
>
>   IPs   bl.blocklist.de   auth.spamrats.com   xbl.spamhaus.org
>    87          -                  -                   -          (No hits)
>    46          +                  -                   -
>    32          +                  +                   -
>     9          +                  -                   +
>     6          +                  +                   +
>     5          -                  +                   -
>     4          -                  -                   +
>
> 102/189 (54%) were listed by at least one of the RBLs, with the
> following stats:
>
>   RBL                           hits   rate   rate (>0 hits)
>   (col#1) [2]bl.blocklist.de      93    49%        91%
>   (col#2) [3]auth.spamrats.com    52    28%        51%
>   (col#3) [4]xbl.spamhaus.org     19    10%        19%
>
> You should try one of the other 2 RBLs: they specifically list brute
> forcers. I use them as pre-emptive block-on-sight for SMTP auth, and
> I don't recall ever getting a false positive.
>
> Joseph Tam <[5][email protected]>
I pulled out the equivalent stats that I see for IMAP for 7 days, 03-09
January.
There were 970 apparently rogue connections from 315 distinct IPs.

  IPs   bl.blocklist.de   auth.spamrats.com   xbl.spamhaus.org
  134          -                  -                   -
  131          -                  -                   +
   35          +                  -                   +
    7          +                  -                   -
    3          -                  +                   -
    1          -                  +                   +
    1          +                  +                   +

  RBL                           hits   rate   rate (>0 hits)
  (col#1) [6]bl.blocklist.de      43    14%        24%
  (col#2) [7]auth.spamrats.com     5     2%         3%
  (col#3) [8]xbl.spamhaus.org    168    54%        94%

I'm getting pretty good coverage with XBL. The 168 is a small
overestimate, since I based these numbers on a current lookup of the
blocklists to be comparable with yours, whereas at the time of blocking
only 158 were on XBL.
It is worth mentioning that none of the IPs that were not blocked by
spamrats and XBL (315-158=157) actually did an authentication attempt:
some for SSL errors, some for protocol errors, or just for disconnecting
without trying. My max errors allowed is 1.
Out of curiosity I did the same for SMTP auth, where the volumes of attempts
that I see have really dropped off. There were 313 apparently rogue
connections from 98 distinct IPs.

  IPs   bl.blocklist.de   auth.spamrats.com   xbl.spamhaus.org
   48          -                  -                   -
   35          -                  -                   +
    7          +                  -                   +
    4          -                  +                   +
    2          -                  +                   -
    1          +                  -                   -
    1          +                  +                   +

  RBL                           hits   rate   rate (>0 hits)
  (col#1) [9]bl.blocklist.de       9     9%        18%
  (col#2) [10]auth.spamrats.com    7     7%        14%
  (col#3) [11]xbl.spamhaus.org    47    48%        94%

Also here a reasonable coverage from XBL. Also in this case none of the
IPs that were not blocked by XBL (98-47=51) actually did an
authentication attempt, mostly due to improper pipelining errors or just
disconnecting without trying to authenticate.
John
_______________________________________________
dovecot mailing list -- [12][email protected]
To unsubscribe send an email to [13][email protected]
References
Visible links
1. mailto:[email protected]
2. http://bl.blocklist.de/
3. http://auth.spamrats.com/
4. http://xbl.spamhaus.org/
5. mailto:[email protected]
6. http://bl.blocklist.de/
7. http://auth.spamrats.com/
8. http://xbl.spamhaus.org/
9. http://bl.blocklist.de/
10. http://auth.spamrats.com/
11. http://xbl.spamhaus.org/
12. mailto:[email protected]
13. mailto:[email protected]
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
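The thread above discusses checking the IP of every authentication client against the three DNSBLs (bl.blocklist.de, auth.spamrats.com, xbl.spamhaus.org), with the caveat that an exemption list must be consulted first so a legitimate IMAP poller on a cloud range is never blocked. The block below is an added example, not code from the thread, from Dovecot or from any of the list operators: it builds the reversed-octet (IPv4) and reversed-nibble (IPv6) query names, treats only 127.0.0.0/8 answers as listings while ignoring Spamhaus' 127.255.255.0/24 query-error codes, checks the exemption list before any DNS lookup, and aggregates the per-IP hit patterns the way the posted tables do. The resolver is injectable so the example runs offline; the sample client IPs, the exemption range, and the DNSBL return values in `SAMPLE_ANSWERS` are constructed for illustration (real return codes differ per list), and whether a given zone accepts IPv6 queries is an assumption to verify against that list's documentation.

```python
"""Added example: DNSBL check for auth clients with an exemption list,
plus the hit-pattern aggregation used in the thread's tables.
Not code from the thread, Dovecot, or any blocklist operator."""

import ipaddress
import socket
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# The three zones discussed in the thread.
ZONES = ("bl.blocklist.de", "auth.spamrats.com", "xbl.spamhaus.org")

# Spamhaus answers 127.255.255.x when the *query* failed (open resolver,
# query limit exceeded, typo); such answers must never count as "listed".
QUERY_ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_qname(ip: str, zone: str) -> str:
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        label = ".".join(reversed(str(addr).split(".")))
    else:
        label = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{label}.{zone}"


def default_resolve(qname: str) -> Optional[str]:
    """Live A lookup; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def is_listed(answer: Optional[str]) -> bool:
    """A hit is an answer in 127.0.0.0/8 that is not a query-error code."""
    if answer is None:
        return False
    a = ipaddress.ip_address(answer)
    return a in LISTED_NET and a not in QUERY_ERROR_NET


def check_ip(ip: str, exempt: Iterable[str], zones=ZONES,
             resolve=default_resolve) -> Tuple[str, Tuple[bool, ...]]:
    """Return ("exempt" | "block" | "allow", per-zone hit flags).
    The exemption list (CIDRs) is consulted before any lookup, so a
    legitimate poller inside a 'bad' cloud range is never blocked."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in exempt):
        return "exempt", tuple(False for _ in zones)
    hits = tuple(is_listed(resolve(dnsbl_qname(ip, z))) for z in zones)
    return ("block" if any(hits) else "allow"), hits


def aggregate(results: Iterable[Tuple[bool, ...]]) -> Dict[str, int]:
    """Count '+ - -' style hit patterns, one column per zone."""
    return dict(Counter(" ".join("+" if h else "-" for h in r) for r in results))


def per_zone_stats(results: List[Tuple[bool, ...]], zones=ZONES):
    """Per zone: hits, % of all checked IPs, % of IPs with at least one hit."""
    total, any_hit = len(results), sum(1 for r in results if any(r))
    stats = {}
    for i, z in enumerate(zones):
        n = sum(1 for r in results if r[i])
        stats[z] = (n, round(100 * n / total) if total else 0,
                    round(100 * n / any_hit) if any_hit else 0)
    return stats


# ---- constructed sample data (not real lookups) ----------------------------
EXEMPT = ("192.0.2.0/24",)          # assumed range of our own IMAP poller
SAMPLE_ANSWERS = {                  # illustrative return values only
    dnsbl_qname("203.0.113.5", "bl.blocklist.de"): "127.0.0.2",
    dnsbl_qname("203.0.113.5", "auth.spamrats.com"): "127.0.0.2",
    dnsbl_qname("203.0.113.6", "xbl.spamhaus.org"): "127.0.0.4",
    dnsbl_qname("198.51.100.10", "xbl.spamhaus.org"): "127.255.255.254",  # error code
    dnsbl_qname("192.0.2.20", "xbl.spamhaus.org"): "127.0.0.4",           # exempt anyway
    dnsbl_qname("2001:db8::1", "xbl.spamhaus.org"): "127.0.0.4",
}
SAMPLE_CLIENTS = ["203.0.113.5", "203.0.113.6", "198.51.100.9",
                  "198.51.100.10", "192.0.2.20", "2001:db8::1"]


def sample_resolve(qname: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(qname)


def demo():
    """Run the sample clients through the check and summarise like the thread."""
    decisions = {ip: check_ip(ip, EXEMPT, resolve=sample_resolve) for ip in SAMPLE_CLIENTS}
    scanned = [hits for verdict, hits in decisions.values() if verdict != "exempt"]
    return decisions, aggregate(scanned), per_zone_stats(scanned)


if __name__ == "__main__":
    decisions, patterns, stats = demo()
    for ip, (verdict, hits) in decisions.items():
        print(f"{ip:>16}  {verdict:6}  {' '.join('+' if h else '-' for h in hits)}")
    print(patterns)
    print(stats)
```

Replace `sample_resolve` with `default_resolve` to query the live zones; whatever hook feeds client IPs into `check_ip` (a policy service, a wrapper in front of the auth layer, a log-driven blocker) is outside this example. The error-code check matters in practice: a server querying XBL through an open resolver gets 127.255.255.254 for every lookup, and a naive "any 127.x answer = listed" rule would then block every client.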