I think a bit too much effort here ;)
Assume emails are public knowledge. Assume people will guess emails, and don't overcomplicate it with a different username.

Remember, never support POP 110 on your servers, or IMAP 143; some clients will 'fall back' during configuration, and you can expose passwords.

Keep it simple: full email address. TLS/SSL connections only.
Auth Rate Limiters, Country Authentication Restrictions, and weak password restrictions.

But your users will always do silly things, like re-using the same password, falling for a phishing attempt, or getting their device compromised. You won't get it perfect. That's why some form (any form) of 2FA is the only real solution. (Not a personal fan of single sign-on, though.) Good spam protection, of course.

Don't allow logins from public VPNs, (private ones only, by IP).

Use an RBL to block attempts from known threat sources. Of course RATS-AUTH is my personal favorite.

And EXPECT lots of noise from bots... but it will only be noise; they usually look for only the weakest links. That is the most unlikely way hackers will get in... unless, of course, their password is 'Iloveyou' or <name>2017.

It's a multi-faceted problem, but there's no use overthinking it; there are many of us who do all that thinking for you ;) And we still get surprised. Bots will be bots.
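As an added example (not code from this thread or from any of the posters), the script below turns the triage questions in Ángel's quoted message, how regular the attempts are, whether they fall in working hours, and whether one IP tries several usernames, into a small Python check over constructed Dovecot-style auth-failure log lines; the IPs, usernames and log format are sample data, and the working-hours window and 60-second regularity tolerance are assumed thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Dovecot-style "auth failed" lines: sample data, not real logs.
SAMPLE_LOG = """\
May 26 02:14:07 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<vesely>, rip=198.51.100.7
May 26 02:14:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ale>, rip=198.51.100.7
May 26 02:14:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, rip=198.51.100.7
May 26 09:30:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<vesely>, rip=203.0.113.20
May 26 09:45:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<vesely>, rip=203.0.113.20
May 26 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<vesely>, rip=203.0.113.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*auth failed.*"
    r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)"
)

def parse(log, year=2026):
    """Return (ip, user, datetime) for every failed-auth line (syslog carries no year)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((m["ip"], m["user"], ts))
    return events

def profile(events, work_hours=range(8, 19)):
    """Per source IP: usernames tried, attempt count, working-hour share, interval regularity."""
    by_ip = defaultdict(list)
    for ip, user, ts in events:
        by_ip[ip].append((user, ts))
    out = {}
    for ip, items in by_ip.items():
        times = sorted(t for _, t in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        users = {u for u, _ in items}
        in_work = sum(t.hour in work_hours for t in times)
        # Assumed threshold: gaps within 60 s of each other look like a client's poll timer.
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= 60
        if len(users) > 1:
            kind = "username probing"        # several accounts from one IP: scripted guessing
        elif regular and in_work == len(times):
            kind = "stale-device candidate"  # one account, fixed interval, office hours only
        else:
            kind = "single account, irregular"
        out[ip] = {"users": len(users), "attempts": len(times), "in_work_hours": in_work, "regular_interval": regular, "kind": kind}
    return out
```

Running `profile(parse(SAMPLE_LOG))` separates the night-time source that cycles through three usernames from the daytime source that retries one account every fifteen minutes, which is the pattern of a forgotten client rather than a cracker.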


On 2026-05-26 17:08, Ángel via mailop wrote:
On 2026-05-26 at 12:05 +0200, Alessandro Vesely via mailop wrote:
Thanks to all who replied.  Still mumbling...

(...)
The script's characteristics are a good explanation.  However, these
amateurs don't attempt other logins to the same server; they limit
themselves to a single attempt.  Professional crackers, of whom I see a
greater number, try several usernames on several servers, which is why
they are repeatedly reported on AbuseIPDB.


Best
Ale

Hello

To me it does look like a user device. Maybe a phone or computer that
was given away to a family member (a factory reset? why would users do
that? 😛).

How regular are those attempts?
How does it behave during the night? And on working hours?
Does it ever overlap with an IP which does a valid LOGIN (e.g. a phone
when on wifi)?

If you are tiny enough, you could replace your usernames with something
unique. E.g. you may require a username of d0252760-2ba5-4bfb-9e60-
fca427bfea97 in order to login by imap* to [email protected] mailbox.
A username of 'vesely' or '[email protected]' could be easily guessed.
That one wouldn't. Thus, if it ever appears in your logs, you know for
sure that it comes from a once-valid device (...or a configuration stolen
from one!)

It's more secure, but takes a hit on usability. Such an approach would
work best when all your users are either techy enough to understand it
and follow the instructions to configure it that way, or non-techy
enough to get one of the former to configure it for them.


Best


(*) You can arrange (without code changes) to make courier accept such a
username for programmatic protocols (which receive all the
bruteforcing), yet still allow a more 'normal' username for webmail.


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
