On 06/01/2026 23:27, Joseph Tam via dovecot wrote:
> On Mon, 5 Jan 2026, John Fawcett wrote:
>> On 04/01/2026 23:29, Bryan Simmons via dovecot wrote:
>>> Log contains several messages from dovecot that are not clear to me
>>> exactly what is occurring, single example below. These appear to be
>>> login attempts for the same group of nonexistent user ids from
>>> various rip addresses.
>>>
>>> dovecot: pop3-login: Disconnected: Connection closed (auth failed, 1
>>> attempts in 0 secs): user=<[email protected]>, rip=0.0.0.0
>>
>> To be extremely pragmatic, as long as it is for nonexistent users,
>> they are never going to succeed in logging in whatever password is
>> used. The issue would be if they are also for existent users, since
>> leaving these compromised servers/devices hammering away, they may
>> eventually guess a right password, depending on how strong your
>> password policies are.
>
> The setting
>
> auth_failure_delay = 5 secs
>
> (or longer) may also be useful to slow intense BFDs down. It puts strong
> passwords further out of reach than they already are. However, not as
> useful when you're under distributed attack like when 4k+ different IPs
> slammed us recently for weeks on end.
>
>> Personally I find it helpful to use the Spamhaus XBL and never accept
>> connection attempts from compromised IPs.
>
> I'll test this out, but I suspect I'll get a few false positives from
> public WiFi users, etc. These DNSRBLs I currently use catch quite a lot
> of BFD attackers:
>
> https://www.blocklist.de/en/rbldns.html
> https://spamrats.com/rats-auth.php

In cases where you can't use these blocklists outright due to risk of
your users getting recycled IPs which were on the blocklists but are now
legitimate, if you block based on having seen an attack behaviour from
the IP and then leave the block in place as long as the IP continues to
be listed on the blocklist, the probability of blocking legitimate users
will be close to zero.

> There are also many jumbo public networks, mostly Asian, that unless you
> have users within them, it's better just to blackhole them.
>
> Joseph Tam <[email protected]>
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
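
The policy described in the reply above (block only after observed attack behaviour, keep the block only while the IP stays listed), as an added Python example that is not code from the thread or from Dovecot. It assumes one reading of that policy: an IP is blocked once it reaches a failed-attempt threshold and is currently listed, and is released when delisted. The function names, the three-attempt threshold and the DNSBL zone passed by the caller are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
import socket
from collections import Counter

# Same shape as the "auth failed" line quoted in the thread; lines are constructed.
SAMPLE_LOG = [
    "dovecot: pop3-login: Disconnected: Connection closed (auth failed, 3 attempts in 9 secs): user=<a@example.org>, rip=192.0.2.10",
    "dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<b@example.org>, rip=198.51.100.20",
    "dovecot: pop3-login: Disconnected: Connection closed (auth failed, 4 attempts in 8 secs): user=<c@example.org>, rip=203.0.113.30",
]
AUTH_FAILED = re.compile(r"\(auth failed, (\d+) attempts.*?rip=(\d+\.\d+\.\d+\.\d+)")


def failed_attempts(log_lines):
    """Sum failed login attempts per IPv4 remote address (rip)."""
    counts = Counter()
    for line in log_lines:
        m = AUTH_FAILED.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts


def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """True if ip has an A record in the DNSBL zone; resolve is injectable."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    try:
        answer = resolve(".".join(reversed(octets)) + "." + zone)
    except socket.gaierror:  # no record: not listed (or the lookup failed)
        return False
    # Spamhaus uses 127.255.255.x as error codes (e.g. query sent through an
    # open resolver); those answers are not listings.
    return answer.startswith("127.") and not answer.startswith("127.255.255.")


def update_blocks(blocked, log_lines, zone, min_attempts=3, resolve=socket.gethostbyname):
    """New block set: attackers (old or new) that are still listed in zone."""
    counts = failed_attempts(log_lines)
    attackers = {ip for ip, n in counts.items() if n >= min_attempts}
    return {ip for ip in set(blocked) | attackers if dnsbl_listed(ip, zone, resolve)}
```

Run `update_blocks` periodically with the previous result as `blocked`; an address that is listed but has not reached the attempt threshold is never blocked, which is what keeps recycled or shared IPs out of the block set.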