On 2025-01-02 16:16, Bill Cole via Postfix-users wrote:
>
>> I just noticed a single unknown host is connecting ~1000x per day,
>> with fingerprint 'ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4' so
>> that's my first target.

This is rather uncommon; most password probes come from a given host only once (in a longer period at least), so it's ineffective to block them using your own history (unless you have some really big traffic). Much better are some dedicated authbl blocklists (Spamhaus or Abusix).

> Failed auth like that is a good basis for targeting, provided you are
> 100% certain that it isn't a real user with a typo'd password. Beyond

It can also happen when a user changes his password and has some second device set up with the old one. It would be very easy to block his home network... especially if that device is something sending rarely (on some external event), but has a queue and keeps retrying...
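
Added example, not part of the original message: a tally of the `auth=ok/total` counters from Postfix `disconnect from` lines that separates hosts with only failed AUTH from hosts that also logged in successfully (the stale-password device case raised above). The function name, the threshold and the log lines are constructed for illustration, and the "any success means review" rule is a heuristic assumption.

```python
import re
from collections import Counter

# Postfix smtpd session summary: "auth=0/1" means 0 of 1 AUTH commands
# succeeded; a bare "auth=1" means every AUTH command succeeded.
DISCONNECT = re.compile(
    r"postfix/\S*smtpd\[\d+\]: disconnect from \S*\[(?P<ip>[^\]]+)\]"
    r".*?\bauth=(?P<ok>\d+)(?:/(?P<total>\d+))?"
)

def classify_auth_failures(lines, threshold=3):
    """Return (block, review): IPs with >= threshold failed AUTHs.

    block  - never authenticated successfully in this log window
    review - also authenticated successfully at least once, so it may be
             a real user with an old password on a second device
    """
    failed, succeeded = Counter(), Counter()
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue  # not a disconnect line, or session without AUTH
        ok = int(m["ok"])
        total = int(m["total"]) if m["total"] else ok
        failed[m["ip"]] += total - ok
        succeeded[m["ip"]] += ok
    block, review = {}, {}
    for ip, count in failed.items():
        if count >= threshold:
            (review if succeeded[ip] else block)[ip] = count
    return block, review

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Jan  2 16:10:01 mx postfix/smtpd[1201]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  2 16:11:30 mx postfix/smtpd[1202]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  2 16:12:00 mx postfix/submission/smtpd[1300]: disconnect from home.example.net[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan  2 16:12:40 mx postfix/smtpd[1203]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  2 16:13:05 mx postfix/submission/smtpd[1301]: disconnect from home.example.net[198.51.100.7] ehlo=1 auth=0/3 quit=1 commands=2/5
Jan  2 16:14:10 mx postfix/smtpd[1204]: disconnect from unknown[192.0.2.9] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan  2 16:15:00 mx postfix/smtpd[1205]: disconnect from mail.example.org[192.0.2.20] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
""".splitlines()

if __name__ == "__main__":
    block, review = classify_auth_failures(SAMPLE_LOG)
    print("block candidates:", block)
    print("review first:    ", review)
```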