Hi,

I use fail2ban to block smtp auth failures. A few weeks ago a notebook was infected, and after that I saw massive logins using this account on my smtp relay from worldwide, fast-changing IPs. Rate limits on smtp auth users blocked most of those messages, but before I could close that account some spam was sent. Therefore I'm looking for a way to figure out if successful smtp auth logins are coming in within a short period of time from different IPs, possibly combined with GeoIP.

Ciao
Marcus

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
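
The check asked about above, as an added example that is not part of the original post or of fail2ban: a sliding-window count of distinct client addresses per successfully authenticated account. It assumes Postfix `smtpd` log lines with RFC 3339 timestamps; the function name, window and threshold are illustrative, and the GeoIP part is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: Postfix smtpd line written for a successful SASL login.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/\S*smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def find_spread_logins(lines, window=timedelta(minutes=10), max_ips=3):
    """Return (user, timestamp, sorted IPs) for every login that brings one
    account above max_ips distinct client addresses inside the window."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, ip), oldest first
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # failures, warnings and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        events = recent[m["user"]]
        events.append((ts, m["ip"]))
        while ts - events[0][0] > window:  # drop logins older than the window
            events.popleft()
        ips = {ip for _, ip in events}
        if len(ips) > max_ips:
            alerts.append((m["user"], ts, sorted(ips)))
    return alerts

# Constructed sample log (documentation address ranges, hypothetical accounts).
SAMPLE = """\
2024-05-01T10:00:00+00:00 mx postfix/smtpd[101]: 3F2A41C0B5: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.org
2024-05-01T10:00:05+00:00 mx postfix/smtpd[102]: 4A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org
2024-05-01T10:01:10+00:00 mx postfix/smtpd[103]: 5B2C3D4E5F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.org
2024-05-01T10:01:40+00:00 mx postfix/smtpd[104]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
2024-05-01T10:02:30+00:00 mx postfix/smtpd[105]: 6C3D4E5F6A: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=alice@example.org
2024-05-01T10:03:00+00:00 mx postfix/smtpd[106]: 7D4E5F6A7B: client=unknown[192.0.2.200], sasl_method=LOGIN, sasl_username=alice@example.org
2024-05-01T10:30:00+00:00 mx postfix/smtpd[107]: 8E5F6A7B8C: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.org
2024-05-01T11:30:00+00:00 mx postfix/smtpd[108]: 9F6A7B8C9D: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org
"""

if __name__ == "__main__":
    for user, ts, ips in find_spread_logins(SAMPLE.splitlines()):
        print(f"{ts.isoformat()} {user}: {len(ips)} addresses in window: {ips}")
```

Each alert names the account rather than an address, so the response is to disable or reset that login.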
