• Slavko via Exim-users [2022-06-24 13:24]:
> On 24 June 2022 9:14:41 UTC, user Kirill Miazine via Exim-users
> <exim-users@exim.org> wrote:
>
> >I've found AuthBL from Spamhaus and Abusix to be very useful.
>
> AFAIK Spamhaus's AuthBL is about hosts which use stolen credentials
> (to send SPAM), not those attacking AUTH. While I use it in rspamd and MX,
> only a very small part of the mentioned IPs is/was on it... I even stopped using its
> XBL for AUTH due to too many false positives, mostly due to end user's IP change
> (e.g. Deutsche mobile users). It took about 2 days for XBL to time out on
> Spamhaus's side and this repeats after the next IP change...
>
> BTW Spamhaus itself suggests not using XBL for end user filtering and
> AuthBL is an XBL subset...

According to docs, AuthBL is both:

"AuthBL is basically that: a collection of bots known to use stolen
credentials or authentication bruteforce."

https://docs.spamhaus.com/datasets/docs/source/10-data-type-documentation/datasets/030-datasets.html#authbl

I wouldn't use XBL for blocking users (as XBL has lots of stuff in
there), but there have never been any issues with AuthBL. Having said
that, my system has a single digit number of users.

Abusix is catching more, but there are lots of bruteforcers who aren't
on either list. From today's maillog:

# grep AuthBL maillog |wc -l
62
grep Abusix maillog |wc -l
144
# grep 'login authenticator failed for ' maillog |wc -l
1072

--
Kirill

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/