On 09/12/2025 19:49, Alessandro Vesely via mailop wrote:
> On Tue 09/Dec/2025 18:11:49 +0100 Jaroslaw Rafa wrote:
>> On 9.12.2025 at 12:11:34 Alessandro Vesely via mailop wrote:
>>>
>>> First came 50.171.64.170, on the 7th around noon UTC.  It had made 590 login attempts to this server since March 2024, using both existing and non-existent accounts.  This time, it succeeded; it seems possible, given that the password was trivial.
>>
>> If the IP has already made 590 login attempts to your server over such a long time, why hasn't it been permanently blocked on your server long ago?
>
>
> Good question.
>
> I assign a probability of being blocked and a decay (half-life). It is difficult to determine if the attempt is legit, so the decay is quite short. On further attempts the probability doubles, and the initial probability is such that three consecutive attempts cause it to reach 100%.
>
> To avoid blocking users, I set the decay to 6 hours.
>
> At the end of the day, I delete failed attempts from legitimately used IPs in the last 30 days.  However, this deletion is unreliable, and some legit IPs remain registered and decay to 0 probability. The end of the day is also when I check for bad IPs.  I should now change this process to increase the decay of bad IPs, not just flag them.  I think it's better than counting the failed attempts.
>
>
> Best
> Ale

Hi Ale,

those IPs are also on Spamhaus XBL. Do you have use cases where legitimate users need to log in from exploited IPs? If you don't get a lot of need for it, i.e. if your users generally use IPs that are not on blocklists like XBL, then you could consider blocking up front based on XBL and reserve your IP-based login failures as a second line of defence. Even if you have to take care of an occasional whitelist request, you might find this approach blocks more exploit attempts with less effort.

Since I started using the approach of disallowing SMTP authentication from IPs on XBL, I have also found that the number of exploit attempts has dropped drastically. I now get just a handful a day, with near 100% of them blocked by XBL.

John
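As an added example (not code from either poster or from any project mentioned in the thread), the following Python models the two layers discussed above: Ale's per-IP block probability that starts at a value chosen so three consecutive failures reach 100%, doubles on each further failure and decays with a 6-hour half-life, fronted by the DNSBL-first check John suggests. The interpretation that a decayed probability is floored at the initial value on the next failure, the immediate clearing on a successful login, and the injectable `dnsbl_lookup` function are assumptions of this example; the IP and timestamps used in the comments are the ones from the thread or constructed.

```python
"""Decaying per-IP block probability with an optional DNSBL-first layer.

Added example; it is not code from the mailop thread.  Assumptions: the
surviving (decayed) probability is floored at INITIAL_PROBABILITY when a new
failure arrives, a successful login clears the IP's record immediately, and
the DNSBL lookup is supplied by the caller (so this runs offline).
"""
import random
from dataclasses import dataclass

HALF_LIFE_SECONDS = 6 * 3600          # "I set the decay to 6 hours"
# Three consecutive failures must reach 100%: p0 * 2 * 2 == 1.0  ->  p0 = 0.25
INITIAL_PROBABILITY = 1.0 / 4
DNSBL_ZONE = "xbl.spamhaus.org"       # Spamhaus XBL zone named in the thread


@dataclass
class IPState:
    probability: float = 0.0
    last_failure: float = 0.0         # epoch seconds of the latest failure
    failures: int = 0


def decayed(prob, last_failure, now):
    """Exponential decay with a fixed half-life; no decay before the failure."""
    if prob <= 0.0:
        return 0.0
    elapsed = max(0.0, now - last_failure)
    return prob * 0.5 ** (elapsed / HALF_LIFE_SECONDS)


class FailureTracker:
    def __init__(self):
        self._state = {}

    def record_failure(self, ip, now):
        """Decay what is left, then double it (floored at the initial value)."""
        st = self._state.setdefault(ip, IPState())
        current = decayed(st.probability, st.last_failure, now)
        st.probability = min(1.0, max(INITIAL_PROBABILITY, 2.0 * current))
        st.last_failure = now
        st.failures += 1
        return st.probability

    def record_success(self, ip):
        """Assumption: a legitimate login clears the failure record at once
        (the thread does this in an end-of-day cleanup)."""
        self._state.pop(ip, None)

    def block_probability(self, ip, now):
        st = self._state.get(ip)
        if st is None:
            return 0.0
        return decayed(st.probability, st.last_failure, now)

    def should_block(self, ip, now, rng=random):
        """Probabilistic decision: block with the current probability."""
        return rng.random() < self.block_probability(ip, now)


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Standard DNSBL query form: reversed dotted quad under the zone,
    e.g. 50.171.64.170 -> 170.64.171.50.xbl.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted quad expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def allow_auth(ip, now, tracker, dnsbl_lookup, rng=random):
    """John's ordering: refuse SMTP AUTH from XBL-listed IPs up front, and
    only then consult the failure-based probability.  `dnsbl_lookup(name)`
    is a caller-supplied function returning True when the name is listed."""
    if dnsbl_lookup(dnsbl_query_name(ip)):
        return False
    return not tracker.should_block(ip, now, rng)


if __name__ == "__main__":
    # Constructed walk-through: three quick failures, then a quiet 12 hours.
    t = FailureTracker()
    for _ in range(3):
        print("after failure:", t.record_failure("192.0.2.10", 0))
    print("12h later:", round(t.block_probability("192.0.2.10", 12 * 3600), 3))
    listed = lambda name: name.startswith("170.64.171.50.")   # constructed stub
    print("auth allowed for 50.171.64.170:", allow_auth("50.171.64.170", 0, t, listed))
```

The doubling-with-floor rule reproduces Ale's description for back-to-back failures (0.25, 0.5, 1.0), while a lone failure from a shared or mobile IP is back under 1% after about five half-lives without any manual cleanup. In production the lookup passed to `allow_auth` would perform the actual DNS query; keeping it injectable makes the ordering of the two layers testable offline.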



_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
