Even without 2FA, a password different from "12345" is probably desperately hard to guess. An activity suited for bots running at someone else's expense.

Best
Ale

On Fri 21/Feb/2020 19:57:09 +0100 Michael Peddemors via mailop wrote:
> For the record, (just back from M3AAWG, what a great event) AUTH attacks from
> Tor networks ARE a thing.
>
> While it might seem that the number of attacks from Tor Nodes, vs legitimate
> AUTH requests from people that like using Tor for everything is really one
> sided..
>
> (Don't get me wrong, even we block Tor networks occasionally for different
> reasons)
>
> .. you need to treat this the same as if it was 10,000's of people behind the
> airport Wifi, or Carrier Grade NAT.
>
> Consider how you would safely block the bad guys, yet let the good guys still
> use the service. Which brings me to my favorite topic, 2FA for IMAP/SMTP Auth,
> as many of you know.. (we talk about CLIENTID often enough).
>
> It is a good thought exercise to look at this in the larger picture, rather
> than being a Tor problem, (albeit there are completely different abuse
> reporting options at a large CGN network), the problem is still the same, how
> to address safely separating the good from the bad in a world where IPv4
> reputation is no longer viable alone.
>
> On 2020-02-21 10:38 a.m., Alessandro Vesely via mailop wrote:
>> Hi,
>>
>> On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>>>
>>> The Spamtrap / HoneyPot in question not only listens to port 25 but also
>>> listens on port 465 (smtps) and 587 (submission).
>>>
>>> If an attacker is doing some dictionary attack on this to check for
>>> valid passwords (every authentication attempt is accepted) or attempts
>>> to relay spam mails (every relay attempt is answered with 200 OK) he
>>> is being blacklisted and an ARF report is sent to the abuse contact of
>>> the submitting IP range.
>>>
>>> This is what causes those reports, not emails received on port 25.
>>>
>>> But I guess, just silently blacklisting Tor exit nodes and not sending
>>> an ARF report to the ISP could be an option to solve that issue.
>>
>> If you can detect Tor exit nodes, maybe you can fail authentication when it
>> comes from those IPs. That may make sense if the Tor host is able to detect
>> multiple authentication failures and somehow stop the user. What do they
>> say?
>>
>> I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.
>>
>> Perhaps, they have a real time incident reporting system to catch miscreants.
>>
>> Cooperation would increase the value of both your honeypots and their nodes.
>>
>> Best
>> Ale

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
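
The honeypot policy discussed in this thread (blacklist the source of an AUTH or relay attempt, send an ARF report to the abuse contact, but list Tor exit nodes silently), sketched as an added example that is not code from any of the posters. The exit-node set, addresses, `User-Agent` value and function names are assumptions; the report follows the RFC 5965 layout but omits the original-message part, since a login attempt carries no message.

```python
import ipaddress
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate

# Constructed sample data (documentation address ranges, not real exit nodes).
TOR_EXITS = {ipaddress.ip_address("192.0.2.10")}
HONEYPOT_PORTS = {25, 465, 587}  # smtp, smtps, submission


def build_arf(ip, port, kind, abuse_contact):
    """Build a multipart/report message with a feedback-report part."""
    msg = MIMEMultipart("report", report_type="feedback-report")
    msg["From"] = "honeypot@example.org"  # hypothetical reporter address
    msg["To"] = abuse_contact
    msg["Subject"] = f"Abuse report: {kind} attempt from {ip}"
    # Part 1: human-readable description for the abuse desk.
    msg.attach(MIMEText(f"A honeypot saw a {kind} attempt from {ip} on port {port}.\n"))
    # Part 2: machine-readable fields (Feedback-Type, User-Agent, Version are required).
    fields = (
        "Feedback-Type: abuse\n"
        "User-Agent: honeypot-example/0.1\n"
        "Version: 1\n"
        f"Source-IP: {ip}\n"
        f"Arrival-Date: {formatdate()}\n"
    )
    report = MIMEBase("message", "feedback-report")
    report.set_payload(fields)
    msg.attach(report)
    return msg


def handle_event(src_ip, port, kind, abuse_contact, blacklist):
    """Blacklist the source; return an ARF report, or None for a silent listing."""
    if port not in HONEYPOT_PORTS or kind not in ("auth", "relay"):
        return None  # not an event this honeypot acts on
    ip = ipaddress.ip_address(src_ip)
    blacklist.add(ip)
    if ip in TOR_EXITS:
        return None  # Tor exit node: list it, but send no report
    return build_arf(ip, port, kind, abuse_contact)
```
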