On Fri, Nov 15, 2019 at 6:23 PM Allen Coates <znab...@cidercounty.org.uk> wrote: > > > > On 15/11/2019 05:10, Fourhundred Thecat wrote: > > On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote: > >> > >> ok then this makes sense. I've seen bots retry multiple passwords at > >> one go in the past; Fourhundred are all of these "auth=0/1"? > > > > yes, all are "auth=0/1". > > > > I have disabled auth on port 25, and I am using non-standard port for > > client authentication. > > > > Disabling auth does not stop them from trying; I scan my logs for the string > "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself > fail2ban. >
It should. Unless they're the dumbest bots of all time, because you should have stopped advertising auth in your EHLO response after disabling. -jf
