Re: Mail account brute force / harassment

2019-04-14 Thread mj via dovecot
Hi, On 4/12/19 11:05 PM, Joseph Tam via dovecot wrote: "www.blocklist.de" is a nifty source.  Could you suggest other publicly available blacklists? The ones we are using are: "file:///etc/ipset-blacklist/ip-blacklist-custom.list" # optional, for your personal nemeses (no typo, plura

Re: Mail account brute force / harassment

2019-04-12 Thread Joseph Tam via dovecot
On Fri, 12 Apr 2019, mj wrote: What we do is: use https://github.com/trick77/ipset-blacklist to block IPs (from various existing blacklists) at the iptables level using an ipset. "www.blocklist.de" is a nifty source. Could you suggest other publicly available blacklists? That way, the know

Re: Mail account brute force / harassment

2019-04-12 Thread Aki Tuomi via dovecot
On 12 April 2019 at 22:01 Robert Kudyba via dovecot < dovecot@dovecot.org> wrote: > On 12 April 2019 21:45 Robert Kudyba via dovecot < dovecot@dovecot.org> wrote:

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > > On 12 April 2019 21:45 Robert Kudyba via dovecot > wrote: > > > > > > > You are running some kind of proxy in front of it. > > > > No proxy. Just sendmail with users using emacs/Rmail or > Webmail/Squirrelmail. > > > > > If you want it to show real client IP, you need to enable forwarding >

Re: Mail account brute force / harassment

2019-04-12 Thread Aki Tuomi via dovecot
> On 12 April 2019 21:45 Robert Kudyba via dovecot wrote: > > > > You are running some kind of proxy in front of it. > > No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail. > > > If you want it to show real client IP, you need to enable forwarding of > > said data.

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > You are running some kind of proxy in front of it. No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail. > If you want it to show real client IP, you need to enable forwarding of > said data. With dovecot it's done by setting > > login_trusted_networks = your-upstrea

Re: Mail account brute force / harassment

2019-04-12 Thread Aki Tuomi via dovecot
> On 12 April 2019 18:11 Robert Kudyba via dovecot wrote: > > > > Probably there's an existing solution for both problems (subsequent > > attempts and dnsbl): > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7W

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > Probably there's an existing solution for both problems (subsequent > attempts and dnsbl): > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X1Im4Y-eX

Re: Mail account brute force / harassment

2019-04-12 Thread Jean-Daniel Dupas via dovecot
> On 11 Apr 2019 at 12:23, Marc Roos via dovecot wrote: > > > > Say for instance you have some one trying to constantly access an > account > > > Has any of you made something creative like this: > > * configure that account to allow to login with any password > * link that account to

Re: Mail account brute force / harassment

2019-04-12 Thread mj via dovecot
Hi, What we do is: use https://github.com/trick77/ipset-blacklist to block IPs (from various existing blacklists) at the iptables level using an ipset. That way, the known bad IPs never even talk to dovecot, but are dropped immediately. We have the feeling it helps a lot. MJ On 4/12/19 10:

Re: Mail account brute force / harassment

2019-04-12 Thread James via dovecot
On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: On 12.4.2019 10.34, James via dovecot wrote: On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: Weakforced uses Lua so you can easily integrate DNSBL support into it. How does this help Dovecot block? A link to some documentation or example per

Re: Mail account brute force / harassment

2019-04-12 Thread Aki Tuomi via dovecot
On 12.4.2019 10.34, James via dovecot wrote: > On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: > >> Weakforced uses Lua so you can easily integrate DNSBL support into it. > > How does this help Dovecot block? > A link to some documentation or example perhaps? > > https://wiki.dovecot.org/Authen

Re: Mail account brute force / harassment

2019-04-12 Thread James via dovecot
On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: Weakforced uses Lua so you can easily integrate DNSBL support into it. How does this help Dovecot block? A link to some documentation or example perhaps? We will not add DNSBL support to dovecot at this time. Is there a reason why you will

Re: Mail account brute force / harassment

2019-04-12 Thread Aki Tuomi via dovecot
On 12.4.2019 10.21, James via dovecot wrote: > On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote: > >>> Which is why a dnsbl for dovecot is a good idea.  I do not believe the >>> agents behind these login attempts are only targeting me, hence the >>> addresses should be shared via a dnsbl. >

Re: Mail account brute force / harassment

2019-04-12 Thread James via dovecot
On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote: Which is why a dnsbl for dovecot is a good idea. I do not believe the agents behind these login attempts are only targeting me, hence the addresses should be shared via a dnsbl. Probably there's an existing solution for both problems (su

Re: Mail account brute force / harassment

2019-04-11 Thread Joseph Tam via dovecot
On Thu, 11 Apr 2019, Marc Roos wrote: Say for instance you have some one trying to constantly access an account Has any of you made something creative like this: * configure that account to allow to login with any password * link that account to something like /dev/zero that generates infinite

RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
al Message- From: @lbutlr via dovecot [mailto:dovecot@dovecot.org] Sent: Thursday 11 April 2019 19:11 To: Peter via dovecot Subject: Re: Mail account brute force / harassment On 11 Apr 2019, at 04:43, Marc Roos via dovecot wrote: > B. With 500GB dump > - the owner of the attacki

Re: Mail account brute force / harassment

2019-04-11 Thread @lbutlr via dovecot
On 11 Apr 2019, at 04:43, Marc Roos via dovecot wrote: > B. With 500GB dump > - the owner of the attacking server (probably hacked) will notice it > will be forced to take action. Unlikely. What is very likely is that your ISP shuts you down for network abuse. > If abuse clouds are smart (most a

Re: Mail account brute force / harassment

2019-04-11 Thread Anton Dollmaier via dovecot
On 11.04.2019 13:25, James via dovecot wrote: On 11/04/2019 11:43, Marc Roos via dovecot wrote: A. With the fail2ban solution    - you 'solve' that the current ip is not able to access you It is only a solution if there are subsequent attempts from the same address.  I currently have several

Re: Mail account brute force / harassment

2019-04-11 Thread James via dovecot
On 11/04/2019 12:49, Marc Roos via dovecot wrote: Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How do you have one setup for dovecot connections? Two answers: 1. I wrote my own very simple implementation but it does not share other people's data. Sharing the key to vi

Re: Mail account brute force / harassment

2019-04-11 Thread Odhiambo Washington via dovecot
ail.com] > Sent: Thursday 11 April 2019 12:54 > To: Marc Roos > Cc: dovecot > Subject: Re: Mail account brute force / harassment > > Marc, > > There is a strategy loosely referred to as "choose your battles well" > :-) > If you can, hack the server and dump

RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
r question. -----Original Message----- From: Odhiambo Washington [mailto:odhia...@gmail.com] Sent: Thursday 11 April 2019 12:54 To: Marc Roos Cc: dovecot Subject: Re: Mail account brute force / harassment Marc, There is a strategy loosely referred to as "choose your battles well" :-)

RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How do you have one setup for dovecot connections? -----Original Message----- From: James via dovecot [mailto:dovecot@dovecot.org] Sent: Thursday 11 April 2019 13:25 To: dovecot@dovecot.org Subject: Re: Mail account

Re: Mail account brute force / harassment

2019-04-11 Thread James via dovecot
On 11/04/2019 11:43, Marc Roos via dovecot wrote: A. With the fail2ban solution - you 'solve' that the current ip is not able to access you It is only a solution if there are subsequent attempts from the same address. I currently have several thousand addresses blocked due to dovecot log

RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
g 11 april 2019 12:57 To: dovecot@dovecot.org Subject: Re: Mail account brute force / harassment On 11.04.2019 at 12:43, Marc Roos via dovecot wrote: Please do not assume anything other than what is written, it is a hypothetical situation

Re: Mail account brute force / harassment

2019-04-11 Thread Gerald Galster via dovecot
cot, PowerDNS and Open-Xchange Best regards Gerald > > > > > > > -----Original Message----- > From: Odhiambo Washington > Sent: Thursday 11 April 2019 12:28 > To: Marc Roos > Cc: dovecot > Subject: Re: Mail account brute force / harassment > >

Re: Mail account brute force / harassment

2019-04-11 Thread Odhiambo Washington via dovecot
> > > -----Original Message----- > From: Odhiambo Washington > Sent: Thursday 11 April 2019 12:28 > To: Marc Roos > Cc: dovecot > Subject: Re: Mail account brute force / harassment > > > > On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot > wrote: >

RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
one would apply strategy B, the abuse problem would get less. Don't you agree?? -----Original Message----- From: Odhiambo Washington Sent: Thursday 11 April 2019 12:28 To: Marc Roos Cc: dovecot Subject: Re: Mail account brute force / harassment On Thu, 11 Apr 2019 at 13:24, Marc R

Re: Mail account brute force / harassment

2019-04-11 Thread Gerald Galster via dovecot
> On 11.04.2019 at 12:28, Odhiambo Washington via dovecot > wrote: > > > > On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot > wrote: > > > Say for instance you have some one trying to constantly access an > account > > > Has any of you made something cre

Re: Mail account brute force / harassment

2019-04-11 Thread Odhiambo Washington via dovecot
On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot wrote: > > > Say for instance you have some one trying to constantly access an > account > > > Has any of you made something creative like this: > > * configure that account to allow to login with any password > * link that account to something