On 10/01/2026 03:04, Joseph Tam via dovecot wrote:
On Fri, 9 Jan 2026, John Fawcett wrote:

I  find it useful (both on Postfix and Dovecot) to apply XBL to block connection to authenticated services.

I grep'd through last week's logs for probable brute forcers, and check the
IPs against 3 RBLs.  (Many IPs tried only once.)

Aggregate statistics:

      87  - - -    (No hits)
      46  + - -
      32  + + -
       9  + - +
       6  + + +
       5  - + -
       4  - - +

102/189 (54%) were listed by at least one of the RBLs, with the following stats

    RBL                         hits    rate    rate (>0 hits)
    (col#1) bl.blocklist.de       93     49%    91%
    (col#2) auth.spamrats.com     52     28%    51%
    (col#3) xbl.spamhaus.org      19     10%    19%

You should try one of the other 2 RBLs: they specifically list brute
forcers.  I use them as pre-emptive block-on-sight for SMTP auth, and
I don't recall ever getting a false positive.

Joseph Tam <[email protected]>

I pulled out the equivalent stats that I see for IMAP for 7 days, 03-09 January.

There were 970 apparently rogue connections from 315 distinct IPs.

     134  - - -
     131  - - +
      35  + - +
       7  + - -
       3  - + -
       1  - + +
       1  + + +

    RBL                         hits    rate    rate (>0 hits)
    (col#1) bl.blocklist.de       43     14%    24%
    (col#2) auth.spamrats.com      5      2%     3%
    (col#3) xbl.spamhaus.org     168     54%    94%

I'm getting a pretty good coverage with xbl. The 168 is a small overestimate, since I based these numbers on a current lookup of the blocklists to be comparable with yours, whereas at the time of blocking only 158 were on XBL.

It is worth mentioning that none of the IPs that were not blocked by spamrats and XBL (315-158=157) actually did an authentication attempt; some for SSL errors, some for protocol errors or just for disconnecting without trying. My max errors allowed is 1.

Out of curiosity I did the same for SMTP auth, where the volume of attempts that I see has really dropped off. There were 313 apparently rogue connections from 98 distinct IPs.

      48  - - -
      35  - - +
       7  + - +
       4  - + +
       2  - + -
       1  + - -
       1  + + +

    RBL                         hits    rate    rate (>0 hits)
    (col#1) bl.blocklist.de        9      9%    18%
    (col#2) auth.spamrats.com      7      7%    14%
    (col#3) xbl.spamhaus.org      47     48%    94%

Also here there is reasonable coverage from XBL. Also in this case none of the IPs that were not blocked by XBL (98-47=51) actually did an authentication attempt, mostly due to improper pipelining errors or just disconnecting without trying to authenticate.

John
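The tables above come from checking each suspect IP against the three DNSBL zones and counting which combination of lists it appears on. The script below is an added example, not code from either poster: it builds the reversed-octet query name for a zone, treats a 127.0.0.x answer as a listing, classifies a set of IPs into the same "+ - -" patterns, and computes the hits / rate / rate(>0 hits) columns. The IPs and the answers in `FAKE_ANSWERS` are constructed test data so the example runs offline; replace `fake_resolve` with the default `socket.gethostbyname` to query the real zones through your own resolver.

```python
import ipaddress
import socket
from collections import Counter

# The three DNSBL zones named in the thread, in the thread's column order.
ZONES = ("bl.blocklist.de", "auth.spamrats.com", "xbl.spamhaus.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed address labels prepended to the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_labels = ".".join(reversed(ip.split(".")))
    else:
        # IPv6 DNSBLs use the reversed nibbles of the fully expanded address.
        reversed_labels = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_labels}.{zone}"


def is_listed(ip: str, zone: str, resolve=socket.gethostbyname) -> bool:
    """True if the zone answers with a 127.0.0.x listing code.

    NXDOMAIN and resolver errors mean "not listed". Answers in 127.255.255.0/24
    are Spamhaus error codes (e.g. query from a blocked public resolver), not
    listings, so they are ignored rather than counted as a hit.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror is an OSError subclass
        return False
    return answer.startswith("127.") and not answer.startswith("127.255.255.")


def classify(ips, zones=ZONES, resolve=socket.gethostbyname):
    """Map each IP to a tuple of '+'/'-' flags, one per zone, in zone order."""
    return {ip: tuple("+" if is_listed(ip, z, resolve) else "-" for z in zones)
            for ip in ips}


def summarize(flags_by_ip, zones=ZONES):
    """Reproduce the thread's two tables: pattern counts and per-RBL rates."""
    total = len(flags_by_ip)
    any_hit = sum(1 for f in flags_by_ip.values() if "+" in f)
    per_rbl = {}
    for i, zone in enumerate(zones):
        hits = sum(1 for f in flags_by_ip.values() if f[i] == "+")
        per_rbl[zone] = {
            "hits": hits,
            "rate": hits / total if total else 0.0,        # share of all IPs
            "rate_gt0": hits / any_hit if any_hit else 0.0,  # share of IPs listed anywhere
        }
    return {"total": total, "any_hit": any_hit,
            "patterns": Counter(flags_by_ip.values()), "per_rbl": per_rbl}


# --- Constructed sample data (not real listings) ---------------------------
SAMPLE_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.1", "xbl.spamhaus.org"): "127.0.0.2",
    dnsbl_query_name("192.0.2.2", "bl.blocklist.de"): "127.0.0.2",
    dnsbl_query_name("192.0.2.2", "xbl.spamhaus.org"): "127.0.0.2",
    dnsbl_query_name("192.0.2.3", "auth.spamrats.com"): "127.0.0.2",
}


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname that only knows the constructed answers."""
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}") from None


if __name__ == "__main__":
    flags = classify(SAMPLE_IPS, resolve=fake_resolve)
    s = summarize(flags)
    for pattern, n in s["patterns"].most_common():
        print(f"{n:8d}  {' '.join(pattern)}")
    print(f"\n{s['any_hit']}/{s['total']} listed by at least one RBL\n")
    print(f"{'RBL':28s}{'hits':>6s}{'rate':>8s}{'rate(>0)':>10s}")
    for zone, r in s["per_rbl"].items():
        print(f"{zone:28s}{r['hits']:6d}{r['rate']:8.0%}{r['rate_gt0']:10.0%}")
```

The resolver is injected so the classification logic can be exercised without network access; in production, point it at your own caching resolver, since some zones (Spamhaus's free mirror in particular) do not return listing data for queries arriving via large shared public resolvers, and the 127.255.255.x check above keeps those error replies from being miscounted as hits.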



_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
