On Fri, 15 Nov 2019 at 10:23, Allen Coates <znab...@cidercounty.org.uk> wrote:
> On 15/11/2019 05:10, Fourhundred Thecat wrote:
> > On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
> >>
> >> ok then this makes sense. I've seen bots retry multiple passwords at
> >> one go in the past; Fourhundred are all of these "auth=0/1"?
> >
> > yes, all are "auth=0/1".
> >
> > I have disabled auth on port 25, and I am using non-standard port for
> > client authentication.
> >
>
> Disabling auth does not stop them from trying; I scan my logs for the
> string "auth=0/1", and add the offending IP address to a blacklist - a
> do-it-yourself fail2ban.
>

I get cases where there is more than one unsuccessful auth attempt

# grep -a "auth=0/" /var/log/mail.log|grep -v "auth=0/1"|wc -l
39

- so I think the blocking should be based on auth=0/ not auth=0/1
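
Added example, not part of the thread: a log scan that keys on the whole auth=S/T counter instead of the literal string "auth=0/1", so sessions with two or more failed attempts are counted and a client that eventually authenticated (for example auth=1/2) is left off the blacklist. It assumes the Postfix 3.x "disconnect from host[ip] ... auth=S/T" summary line; the function name, the min_failures parameter and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format: Postfix 3.x smtpd session summary, e.g.
#   postfix/smtpd[2211]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
# auth=S/T means S of T AUTH commands succeeded.
DISCONNECT = re.compile(
    r"disconnect from \S*?\[([0-9A-Fa-f:.]+)\].*?\bauth=(\d+)/(\d+)")

def failed_auth_clients(lines, min_failures=1):
    """Return {ip: failed AUTH count} for clients that never authenticated."""
    failures = defaultdict(int)
    succeeded = set()
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue  # no AUTH command in this session
        ip, ok, total = m.group(1), int(m.group(2)), int(m.group(3))
        if ok > 0:
            succeeded.add(ip)  # likely a real user who mistyped; do not block
        failures[ip] += total - ok
    return {ip: n for ip, n in failures.items()
            if ip not in succeeded and n >= min_failures}

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
Nov 15 05:01:02 mx postfix/smtpd[2211]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Nov 15 05:01:09 mx postfix/smtpd[2212]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 rset=2 commands=3/6
Nov 15 05:02:30 mx postfix/smtpd[2213]: disconnect from mail.example.net[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 15 05:03:11 mx postfix/smtpd[2214]: disconnect from unknown[2001:db8::25] ehlo=1 auth=0/2 commands=1/3
Nov 15 05:04:40 mx postfix/smtpd[2215]: disconnect from client.example.org[203.0.113.9] ehlo=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=6/7
Nov 15 05:05:00 mx postfix/smtpd[2216]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
""".splitlines()

if __name__ == "__main__":
    # One "ip count" pair per line, ready to feed a blocklist.
    for ip, n in sorted(failed_auth_clients(SAMPLE_LOG).items()):
        print(ip, n)
```

Raising min_failures trades coverage for fewer false positives when legitimate clients probe AUTH on port 25 by mistake.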