You should look for RBLs targeting/with the word PROXY in them.
SpamRats RATS-PROXY for instance. One of the most prolific actors targeting ISP/Telcos uses proxies as their prime way of disguising their source.

And yes, while disable_plaintext_auth = yes should be the go-to, you want to stop accepting connections on 110/143 (993/995 should be used).

Unfortunately, it is not just your AUTH, but clients will attempt to connect to port 110/143 sometimes during discovery, or as a fallback, which means they will send credentials in plain text, even if you don't allow authentication, allowing them to be 'sniffed'.

Email clients 'should' be updated to never do that of course.

On 2026-01-12 19:26, John Fawcett via dovecot wrote:
On 12/01/2026 22:59, Michael Peddemors via dovecot wrote:
On 2026-01-09 18:04, Joseph Tam via dovecot wrote:
102/189 (54%) were listed by at least one of the RBLs, with the following stats

     RBL                hits    rate    rate (>0 hits)
     (col#1) bl.blocklist.de        93    49%    91%
     (col#2) auth.spamrats.com     52    28%    51%
     (col#3) xbl.spamhaus.org     19    10%    19%

Forgot one caveat, try to avoid larger RBLs that list dynamic IPs as well, while it might be tempting to try to stop all the 'bot' activity, bots are not the biggest threat, and are easier to stop.. blocking DUL IPs too will only get you complaints..

It's the real bad actors that RBLs help for IMAP Auth protection ;)

Oh, and watch the increasing number of residential 'proxies'.. and do you REALLY want people logging in through VPNs? You want to know who is accessing your customer email accounts.

An even bigger threat, those people who still allow POP 110, or IMAP 143, be nice if that was deprecated in dovecot and every other mail platform.. SSL/TLS only..

Have a great and safe 2026 everyone!


Hi Michael

I personally disabled pop3 but I would still leave it in the software in case people still find a need for it. I also use IMAP port 143 with STARTTLS so it should be ok.

Dovecot setting (2.3 at least) disable_plaintext_auth = yes should stop people authenticating over a non secure connection and that is the default.

It is an interesting point about VPNs. I have some experience of bad actors over VPNs. If I could block VPNs I would do it. Is there a list of VPN IPs somewhere?

best regards

John


_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
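
The listener changes recommended at the top of this thread, as an added example that is not part of any poster's message: a Dovecot 2.3 configuration sketch that closes the cleartext-capable ports 110/143 and leaves only implicit-TLS 993/995. The file locations follow the stock conf.d layout and are an assumption about the installation.

```conf
# conf.d/10-master.conf
# Before (stock behaviour): the imap and pop3 listeners accept connections
# on 143 and 110. Even with disable_plaintext_auth = yes, a client that
# sends LOGIN/USER+PASS before negotiating TLS has already put the
# credentials on the wire by the time the server refuses them.
#
# After: port = 0 disables a listener, so nothing answers on 110/143 and
# a misconfigured or falling-back client fails at connect time instead.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

# conf.d/10-ssl.conf
# Refuse any session that is not TLS-protected.
ssl = required

# conf.d/10-auth.conf
# Keep the 2.3 default as a second layer in case a cleartext listener
# is re-enabled later.
disable_plaintext_auth = yes
```

Clients that rely on STARTTLS over 143 have to be moved to 993 before the listener is closed; `doveconf -n` shows the effective non-default settings after the change.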
