On 2026-05-26 at 12:05 +0200, Alessandro Vesely via mailop wrote:
> Thanks to all who replied. Still mumbling...
>
> (...)
> The script's characteristics are a good explanation. However, these
> amateurs don't attempt other logins to the same server; they limit
> themselves to a single attempt. Professional crackers, of whom I see a
> greater number, try several usernames on several servers, which is why
> they are repeatedly reported on AbuseIPDB.
>
>
> Best
> Ale
Hello

To me it does look like a user device. Maybe a phone or computer that was given away to a family member (a factory reset? why would users do that? 😛).

How regular are those attempts? How does it behave during the night? And on working hours? Does it ever overlap with an IP which does a valid LOGIN (e.g. a phone when on wifi)?

If you are tiny enough, you could replace your usernames with something unique. E.g. you may require a username of d0252760-2ba5-4bfb-9e60-fca427bfea97 in order to login by imap* to the [email protected] mailbox. A username of 'vesely' or '[email protected]' could be easily guessed. That one wouldn't. Thus, if it ever appears in your logs, you know for sure that it comes from a once-valid device (...or a configuration stolen from one!).

It's more secure, but takes a hit on usability. Such an approach would work best when all your users are either techy enough to understand it and follow the instructions to configure it that way, or non-techy enough to get one of the former to configure it for them.

Best

(*) You can arrange (without code changes) to make courier accept such a username for programmatic protocols (which receive all the bruteforcing), yet still allow a more 'normal' username for webmail.

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
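The post above suggests two things: ask the log how regular the attempts are, what hours they fall in and whether the source IP ever produces a valid LOGIN, and issue opaque IMAP usernames so that any attempt carrying one is known to come from a once-valid configuration rather than from guessing. The script below is an added example that does both over a handful of log lines; it is not code from the thread or from Courier. The log lines are constructed to resemble Courier-IMAP's "LOGIN" / "LOGIN FAILED" syslog entries, and the opaque username, the mailbox it maps to and the source addresses are all hypothetical.

```python
"""Triage failed IMAP logins: name-guessing vs. a once-valid device.

Added example for the approach in the post above; not code from the thread
or from Courier. The log lines are constructed in the shape of Courier-IMAP's
"LOGIN" / "LOGIN FAILED" syslog entries; the opaque username and the mailbox
it maps to are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime

# Opaque usernames handed out to real devices (hypothetical values). Anything
# that presents one of these knew a valid configuration at some point.
ISSUED = {
    "d0252760-2ba5-4bfb-9e60-fca427bfea97": "ale@example.com",
}

# Constructed sample log. 203.0.113.7 cycles guessable names (cracker pattern);
# 198.51.100.23 retries the opaque name every 30 minutes and then succeeds
# (a real device whose stored password was stale); 192.0.2.99 tries once.
LOG = """\
May 26 03:14:02 mail imapd: LOGIN FAILED, user=vesely, ip=[::ffff:203.0.113.7]
May 26 03:14:02 mail imapd: LOGIN FAILED, user=ale@example.com, ip=[::ffff:203.0.113.7]
May 26 03:15:10 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.7]
May 26 08:00:05 mail imapd: LOGIN FAILED, user=d0252760-2ba5-4bfb-9e60-fca427bfea97, ip=[::ffff:198.51.100.23]
May 26 08:30:05 mail imapd: LOGIN FAILED, user=d0252760-2ba5-4bfb-9e60-fca427bfea97, ip=[::ffff:198.51.100.23]
May 26 09:00:05 mail imapd: LOGIN FAILED, user=d0252760-2ba5-4bfb-9e60-fca427bfea97, ip=[::ffff:198.51.100.23]
May 26 09:01:17 mail imapd: LOGIN, user=d0252760-2ba5-4bfb-9e60-fca427bfea97, ip=[::ffff:198.51.100.23], port=[51234], protocol=IMAP
May 26 14:22:41 mail imapd: LOGIN FAILED, user=postmaster, ip=[::ffff:192.0.2.99]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ imapd: "
    r"LOGIN(?P<failed> FAILED)?, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def parse(log, year=2026):
    """Turn syslog lines into events; syslog carries no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # another daemon, or a line shape this example does not handle
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"].removeprefix("::ffff:")  # strip the IPv4-mapped IPv6 prefix
        events.append({"ts": ts, "user": m["user"], "ip": ip, "ok": m["failed"] is None})
    return events


def classify(events, tolerance=60):
    """Per source IP, answer the questions raised in the post.

    Returns a dict keyed by IP with a verdict, the number of distinct usernames
    tried, the hours of day seen, whether retries arrive at a fixed interval
    (consecutive gaps within `tolerance` seconds of each other) and whether the
    same IP also produced a valid LOGIN (e.g. a phone that later got it right).
    """
    valid_ips = {e["ip"] for e in events if e["ok"]}
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)

    report = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in fails}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fails, fails[1:])]
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance
        if users & set(ISSUED):
            verdict = "once-valid device or stolen configuration"
        elif len(users) > 1:
            verdict = "username guessing"
        elif len(fails) == 1:
            verdict = "single attempt"
        else:
            verdict = "password guessing on one name"
        report[ip] = {
            "verdict": verdict,
            "distinct_users": len(users),
            "hours": sorted({e["ts"].hour for e in fails}),
            "regular": regular,
            "overlaps_valid_login": ip in valid_ips,
        }
    return report


if __name__ == "__main__":
    for ip, r in classify(parse(LOG)).items():
        print(ip, r)
```

The opaque-username check is the only signal here that is hard to fake: a guessed 'vesely' tells you nothing, while a failed attempt with an issued UUID means a device or a copied configuration once held a valid login for that mailbox. The interval and hours-of-day fields are what make the "abandoned phone" hypothesis testable; a client that retries every thirty minutes around the clock behaves differently from a human-driven one.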
