Hi,

> > I have a fedora20 system with dovecot-2.2.13 running various services,
> > including pop3. I'm noticing some users are frequently hammering pop3, and
> > wondered if this was normal, or something I should be investigating?
> >
> > Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5>
> > Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
> >
> > So it is immediately followed by a logout, but when there are 50 of them
> > successively in a five minute period, I wondered if it is creating
> > unnecessary overhead on the system?
> >
> > I suppose this most likely is how they have their email client configured,
> > but wondered if some throttling would be necessary?
> >
> > Any advice would be most appreciated.
> > Thanks,
> > Alex
> >
>
> depends if these are your users, or if it's brute force
> pop3 has not much overhead, to fight brute force use fail2ban

Yes, I've implemented fail2ban, and it's working pretty well. It does now
look like brute force. When/if they complain to the helpdesk, we'll deal
with it then.

> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

This is also helpful, thanks.

Thanks,
Alex
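
One way to measure the login pattern discussed in this thread, as an added example that is not part of the original messages: it counts `pop3-login` lines in the format quoted above per user and remote IP in a sliding window. The function names, the year 2014 for the year-less syslog timestamps, the constructed sample log and the 50-in-five-minutes threshold (taken from the question) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the successful-login line format quoted in the thread.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot:\s+pop3-login:\s+"
    r"Login:\s+user=<(?P<user>[^>]*)>,.*?\brip=(?P<rip>[^,\s]+)")

def parse_login(line, year=2014):
    """Return (timestamp, user, remote_ip) or None; year is an assumption."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["rip"]

def find_bursts(lines, window=timedelta(minutes=5), threshold=50):
    """Map (user, rip) to the peak login count seen inside one window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue  # Disconnected lines and other services are ignored
        ts, user, rip = parsed
        q = recent[(user, rip)]
        q.append(ts)
        while ts - q[0] > window:  # drop logins older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(user, rip)] = max(flagged.get((user, rip), 0), len(q))
    return flagged

def sample_log():
    """Constructed data: user1 polls every 6 s, user2 every 10 minutes."""
    start, lines = datetime(2014, 8, 8, 14, 5, 20), []
    for user, rip, count, step in (("user1", "192.0.2.10", 50, 6),
                                   ("user2", "192.0.2.20", 3, 600)):
        for i in range(count):
            t = start + timedelta(seconds=step * i)
            stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"
            lines.append(f"{stamp} email dovecot: pop3-login: Login: "
                         f"user=<{user}>, method=PLAIN, rip={rip}, "
                         f"lip=192.168.1.1, mpid={30509 + i}, session=<x{i}>")
            lines.append(f"{stamp} email dovecot: pop3({user}): Disconnected: "
                         "Logged out top=0/0, retr=0/0, del=0/15, size=5693601")
    return lines

if __name__ == "__main__":
    for (user, rip), peak in find_bursts(sample_log()).items():
        print(f"{user} from {rip}: {peak} logins within 5 minutes")
```

Grouping by remote IP as well as user helps separate one mail client polling on a short interval from logins to the same account arriving from many addresses.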
