On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote:

Which is why a dnsbl for dovecot is a good idea.  I do not believe the
agents behind these login attempts are only targeting me, hence the
addresses should be shared via a dnsbl.

Probably there's an existing solution for both problems (subsequent
attempts and dnsbl):

https://github.com/PowerDNS/weakforced

"The goal of 'wforce' is to detect brute forcing of passwords across many servers"

The problem is not detecting but blocking. Dovecot has no mechanism for using the data; Dovecot needs DNSBL capability.

I tested a small sample of my IMAP hackers using the lists I use for SMTP blocking [1] and enough are in these lists to make them worth using. Extra detection is not needed as many of these addresses are already known - maybe even by using weakforced.



James.


1. exim dnsblist:
https://www.exim.org/howto/rbl.html
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
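
The kind of test described in the message above (checking the client addresses seen in IMAP login failures against DNS blocklists), as an added example that is not part of the original thread and is not Dovecot, exim or weakforced code. The function names, the zone `dnsbl.example` and the sample addresses are assumptions; it also covers IPv6, which the thread does not mention.

```python
import ipaddress
import socket

# DNSBL listings are returned as A records inside 127.0.0.0/8.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))              # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))    # 32 nibbles, reversed
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """Treat an address as listed only if an answer falls in 127.0.0.0/8.

    Any other answer (wildcarded or hijacked DNS, a lapsed list domain)
    is ignored, so a broken list cannot block every client.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTING_RANGE for a in answers)

def check_clients(ips, zones, resolve=system_resolver):
    """Map each client address to the zones that list it."""
    return {ip: [z for z in zones if is_listed(ip, z, resolve)] for ip in ips}

# Constructed sample data so the example runs offline (documentation ranges).
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],      # a real listing
    "7.100.51.198.dnsbl.example": ["203.0.113.80"], # wildcard answer, not a listing
}

def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])

if __name__ == "__main__":
    clients = ["192.0.2.10", "198.51.100.7", "192.0.2.99"]
    result = check_clients(clients, ["dnsbl.example"], constructed_resolver)
    for ip, zones in result.items():
        print(ip, "listed in", zones if zones else "nothing")
```

To run it against live lists, drop the `resolve` argument and pass the zones already used for SMTP filtering.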
