On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot <dovecot at dovecot.org> wrote:

> Say for instance you have someone trying to constantly access an account.
>
> Has any of you made something creative like this:
>
> * configure that account to allow login with any password
> * link that account to something like /dev/zero that generates an infinite amount of messages (maybe send an archive of viruses?)
> * transferring TBs of data to this harassing client.
>
> I think it would be interesting to be able to do such a thing.

Instead of being evil, just use fail2ban to address this problem :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20190411/54abd7f0/attachment.html>
> On 11.04.2019 at 12:28, Odhiambo Washington via dovecot <dovecot at dovecot.org> wrote:
>
> On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot <dovecot at dovecot.org> wrote:
>
> > Say for instance you have someone trying to constantly access an account.
> >
> > Has any of you made something creative like this:
> >
> > * configure that account to allow login with any password
> > * link that account to something like /dev/zero that generates an infinite amount of messages (maybe send an archive of viruses?)
> > * transferring TBs of data to this harassing client.
> >
> > I think it would be interesting to be able to do such a thing.
>
> Instead of being evil, just use fail2ban to address this problem :-)

fail2ban is a good solution. I don't see any benefits in granting access to pop/imap as well. On the other hand, if you do this with smtp, your service is probably abused for sending spam, which you could use to train your spam filters :-)

Best regards
Gerald
Please do not assume anything other than what is written, it is a hypothetical situation.

A. With the fail2ban solution
- you 'solve' that the current IP is not able to access you
- it will continue bothering other servers and admins
- you get the next abuse host to give a try.

B. With 500GB dump
- the owner of the attacking server (probably hacked) will notice it and will be forced to take action.

If abuse clouds are smart (most are) they would notice that attacking my servers will result in the loss of abuse nodes, hence they will not bother me anymore.

If everyone would apply strategy B, the abuse problem would get less. Don't you agree??

-----Original Message-----
From: Odhiambo Washington
Sent: Thursday 11 April 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment

On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot <dovecot at dovecot.org> wrote:

> Say for instance you have someone trying to constantly access an account.
>
> Has any of you made something creative like this:
>
> * configure that account to allow login with any password
> * link that account to something like /dev/zero that generates an infinite amount of messages (maybe send an archive of viruses?)
> * transferring TBs of data to this harassing client.
>
> I think it would be interesting to be able to do such a thing.

Instead of being evil, just use fail2ban to address this problem :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
> On 11.04.2019 at 12:43, Marc Roos via dovecot <dovecot at dovecot.org> wrote:
>
> Please do not assume anything other than what is written, it is a hypothetical situation.
>
> A. With the fail2ban solution
> - you 'solve' that the current IP is not able to access you
> - it will continue bothering other servers and admins
> - you get the next abuse host to give a try.
>
> B. With 500GB dump
> - the owner of the attacking server (probably hacked) will notice it and will be forced to take action.
>
> If abuse clouds are smart (most are) they would notice that attacking my servers will result in the loss of abuse nodes, hence they will not bother me anymore.
>
> If everyone would apply strategy B, the abuse problem would get less. Don't you agree??

I disagree. If 100 servers "hack" your imap account and fetch 500GB then most likely your server is unreachable. If this is done over many servers then your rack switches become the bottleneck and uninvolved servers are affected too. Your solution may work if traffic is expensive and limited, but we're heading in the other direction: you can rent a server for 50 bucks with 1gbit bandwidth and unmetered traffic, e.g. at hetzner.de.

Maybe you want to look into a solution like weakforced: https://github.com/PowerDNS/weakforced

Wforce is a project by Dovecot, PowerDNS and Open-Xchange.

Best regards
Gerald

> -----Original Message-----
> From: Odhiambo Washington
> Sent: Thursday 11 April 2019 12:28
> To: Marc Roos
> Cc: dovecot
> Subject: Re: Mail account brute force / harassment
>
> On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot <dovecot at dovecot.org> wrote:
>
> Say for instance you have someone trying to constantly access an account.
>
> Has any of you made something creative like this:
>
> * configure that account to allow login with any password
> * link that account to something like /dev/zero that generates an infinite amount of messages (maybe send an archive of viruses?)
> * transferring TBs of data to this harassing client.
>
> I think it would be interesting to be able to do such a thing.
>
> Instead of being evil, just use fail2ban to address this problem :-)
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi, KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
On 11/04/2019 11:43, Marc Roos via dovecot wrote:

> A. With the fail2ban solution
> - you 'solve' that the current IP is not able to access you

It is only a solution if there are subsequent attempts from the same address. I currently have several thousand addresses blocked due to dovecot login failures. My firewall is set to log these, so I can see that few repeat; those that do repeat have intervals of >1 week. Blocking these has minimal effect (other than to clog fail2ban and the firewall).

> - it will continue bothering other servers and admins

Which is why a dnsbl for dovecot is a good idea. I do not believe the agents behind these login attempts are only targeting me, hence the addresses should be shared via a dnsbl.
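The point made above, that a per-IP ban only helps when the same address comes back while the ban is still in force, can be checked against your own logs. The script below is an added example, not code from the thread, from Dovecot or from the fail2ban project. It parses constructed dovecot `imap-login` auth-failure lines (the `rip=` field is what fail2ban's dovecot filter keys on), summarises failures per source address with the largest gap between repeats, and runs a simplified fail2ban-style sliding window (`maxretry` failures within `findtime` trigger a ban of length `bantime`) to show which addresses would ever be blocked. The addresses, timestamps and the ban parameters are all made-up assumptions; the real fail2ban jail defaults and filter regex live in its own configuration.

```python
"""
Added example: which failed-login sources would a fail2ban-style per-IP ban
actually stop? Log format, addresses, timestamps and ban parameters are all
constructed for this example (assumption, not the thread's data).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in dovecot's imap-login syslog format.
# 192.0.2.10 hammers three times in nine seconds; 203.0.113.7 returns after
# eight days; 198.51.100.200 tries once and is never seen again.
SAMPLE_LOG = """\
Apr  1 02:11:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Apr  1 02:11:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Apr  1 02:11:14 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Apr  1 03:40:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Apr  2 14:05:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=198.51.100.200, lip=198.51.100.5, TLS
Apr  9 03:41:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Apr 11 12:24:00 mail dovecot: imap-login: Login: user=<marc>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.5, TLS
"""

# Only "auth failed" disconnects count; successful logins are ignored.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(text, year=2019):
    """Return a list of (timestamp, remote_ip) for every auth-failure line.
    Syslog timestamps carry no year, so one is supplied (assumed 2019)."""
    out = []
    for line in text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["rip"]))
    return out


def summarize(failures):
    """Per source IP: number of failures and the largest gap between two
    consecutive failures (None when the address was seen only once)."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    summary = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        summary[ip] = {"count": len(times), "max_gap": max(gaps) if gaps else None}
    return summary


def fail2ban_bans(failures, maxretry=3, findtime=timedelta(minutes=10),
                  bantime=timedelta(hours=1)):
    """Simplified fail2ban logic: an IP is banned once it accumulates
    `maxretry` failures inside a sliding `findtime` window; while banned,
    its attempts never reach dovecot. Returns {ip: [ban start times]}."""
    window = defaultdict(list)
    banned_until = {}
    bans = defaultdict(list)
    for ts, ip in sorted(failures):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # dropped by the firewall, not logged by dovecot
        window[ip] = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + bantime
            window[ip] = []
    return dict(bans)


def never_banned(failures, **params):
    """Sources that failed to authenticate but would never trip the ban,
    i.e. the addresses a per-IP ban cannot do anything about."""
    banned = fail2ban_bans(failures, **params)
    return sorted({ip for _, ip in failures} - set(banned))


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ip, info in sorted(summarize(fails).items()):
        print(f"{ip:16} failures={info['count']} max_gap={info['max_gap']}")
    print("banned:", fail2ban_bans(fails))
    print("never banned:", never_banned(fails))
```

With the constructed input, only the address that fails three times inside the window is ever banned; the one-off source and the one that returns after eight days (long after a one-hour ban has expired) are never touched, which is the case the message above describes. Pointing `parse_failures` at a real dovecot log with your own jail's `maxretry`, `findtime` and `bantime` gives the same breakdown for your traffic.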
On 11 Apr 2019, at 04:43, Marc Roos via dovecot <dovecot at dovecot.org> wrote:

> B. With 500GB dump
> - the owner of the attacking server (probably hacked) will notice it and will be forced to take action.

Unlikely. What is very likely is that your ISP shuts you down for network abuse.

> If abuse clouds are smart (most are) they would notice that attacking my servers will result in the loss of abuse nodes, hence they will not bother me anymore.

Not at all the case.

> If everyone would apply strategy B, the abuse problem would get less.

No. The abuse problem would be far worse.

--
I thank my lucky stars I'm not superstitious.