On Tuesday, 9 December 2025, 18:11:49 UTC+00:00:01, Jaroslaw Rafa via mailop wrote:
> On 9.12.2025 at 12:11:34 Alessandro Vesely via mailop wrote:
> >
> > First came 50.171.64.170, on the 7th around noon UTC. It had made
> > 590 login attempts to this server since March 2024, using both
> > existing and non-existent accounts. This time, it succeeded; it
> > seems possible, given that the password was trivial.
>
> If the IP has already made 590 login attempts to your server for such a
> long time, why hasn't it been already permanently blocked on your server
> long ago?

That's not that easy, I think, because there are such IPs from real users who may have forgotten some kind of outdated IMAP client config. fail2ban setups for IMAP/POP3 have to be relatively soft / very forgiving and only affect high volumes of bad logins in a short time from single IPs or /24 networks. Otherwise you risk blocking real users on large NATs (including large ISP NAT networks).
Extending the login window is not helping (alone) very far, because real attackers rotate over a large number of IPs (often within a few /24s, but sometimes over rented bot networks of thousands of independent addresses). That's why it is important to have some kind of more secure passwords in place, i.e. minimum length, no real words, no dates etc. (pwgen is a good tool for that; it provides alphanumerical passwords optimized for "rememberability" without getting too weak for brute-force and/or dictionary attacks). This is why we don't allow users to select their own email passwords; they get them pregenerated from us.

Secondly, many email service providers use the email address as the (easily predictable) user name (because their users typically have only one email address on that account, making it easier to remember for the users and so to get less / easier support overhead for the support). These "bad practices" lead to the fact that more and more providers had to invent a "third factor" with 2FA.

Just my .02$

niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
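The following is an added example, not code from the thread or from any poster's fail2ban setup. It implements the "soft" rule described in the message above: count failed IMAP/POP3 logins per source IP and per /24 over a short window, and ban only when the window count is high, so that a forgotten client behind a NAT retrying every few minutes is left alone while a burst from one host or from many hosts in the same /24 trips the limit. The Dovecot-style log lines, addresses, user names and thresholds are all constructed for illustration; the thresholds are assumptions, not recommendations from the thread.

```python
"""Soft, /24-aware failed-login rate limiter for IMAP/POP3 (added example).

Mimics the intent of a forgiving fail2ban jail: a stale client retrying a
wrong password every few minutes is left alone, while a burst of failures
from one host or from many hosts in the same /24 trips a ban.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Dovecot-style "auth failed" disconnect lines. The format is assumed
# for the constructed sample below; adjust the regex to your own server's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[\d.]+)"
)


def parse_failures(log_text, year=2025):
    """Yield (timestamp, user, source_ip) for each auth-failure line, ignoring the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["user"], ipaddress.ip_address(m["rip"])


class SoftBanPolicy:
    """Sliding-window counters per source IP and per /24 with separate thresholds."""

    def __init__(self, findtime_seconds=600, maxretry_ip=30, maxretry_net=60, net_prefix=24):
        # thresholds are illustrative assumptions, tune them to your own traffic
        self.findtime = timedelta(seconds=findtime_seconds)
        self.maxretry_ip = maxretry_ip
        self.maxretry_net = maxretry_net
        self.net_prefix = net_prefix
        self.ip_hits = defaultdict(deque)   # "a.b.c.d"    -> timestamps in window
        self.net_hits = defaultdict(deque)  # "a.b.c.0/24" -> timestamps in window
        self.banned = {}                    # key -> time the ban was triggered

    def observe(self, ts, ip):
        """Record one failure; return the list of keys newly banned by it."""
        net = ipaddress.ip_network(f"{ip}/{self.net_prefix}", strict=False)
        newly_banned = []
        for table, key, limit in (
            (self.ip_hits, str(ip), self.maxretry_ip),
            (self.net_hits, str(net), self.maxretry_net),
        ):
            window = table[key]
            window.append(ts)
            while window and ts - window[0] > self.findtime:
                window.popleft()           # drop hits older than findtime
            if len(window) >= limit and key not in self.banned:
                self.banned[key] = ts
                newly_banned.append(key)
        return newly_banned


def evaluate(log_text, policy=None):
    """Replay a log through a policy (default: the soft one); return {key: ban_time}."""
    policy = policy or SoftBanPolicy()
    for ts, _user, ip in sorted(parse_failures(log_text), key=lambda r: r[0]):
        policy.observe(ts, ip)
    return policy.banned


def make_sample_log():
    """CONSTRUCTED sample log: three traffic patterns plus one unrelated line."""
    base = datetime(2025, 12, 9, 12, 0, 0)
    lines = []

    def fail(ts, user, ip, svc="imap"):
        lines.append(
            f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mx dovecot: {svc}-login: "
            f"Disconnected (auth failed, 1 attempts in 2 secs): user=<{user}>, "
            f"method=PLAIN, rip={ip}, lip=192.0.2.10, TLS"
        )

    # A: real user behind NAT whose forgotten client retries every 10 minutes
    for i in range(6):
        fail(base + timedelta(minutes=10 * i), "alice", "203.0.113.7")
    # B: 84 attempts spread over 12 hosts of one /24, 7 per host, in under 6 minutes
    for i in range(84):
        fail(base + timedelta(seconds=4 * i), f"user{i % 7}", f"198.51.100.{10 + i % 12}", "pop3")
    # C: one host hammering 40 attempts in two minutes
    for i in range(40):
        fail(base + timedelta(minutes=30, seconds=3 * i), "bob", "192.0.2.77")
    # a successful login, which the parser must ignore
    lines.append("Dec  9 12:05:00 mx dovecot: imap-login: Login: user=<carol>, "
                 "method=PLAIN, rip=203.0.113.8, lip=192.0.2.10, TLS")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    log = make_sample_log()
    print("soft policy bans:  ", evaluate(log))
    # a tight policy (5 failures per hour) would also ban alice's NAT address
    print("strict policy bans:", evaluate(log, SoftBanPolicy(3600, maxretry_ip=5, maxretry_net=10)))
```

With the soft defaults only the spread-out /24 (198.51.100.0/24, which never exceeds seven failures per host) and the single hammering host (192.0.2.77) are banned; alice's NAT address is untouched. Running the same log through the strict policy in the `__main__` block bans alice as well, which is the false positive the message warns about.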
