2013 Jul 14
Fail2ban and logging
Hello,
Dovecot is logging authentication failures this way:
------
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
------
Fail2ban is trying to catch them with this regex:
------
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
------
This way fail2ban is counting 22...
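An added example, not part of the original post: the post's failregex run in Python (fail2ban failregexes are Python regular expressions) over its log line, tallying per host how many lines match, which is what fail2ban counts, against the attempt total Dovecot reports inside those lines. The `ATTEMPTS` pattern, the `tally` helper and the second and third log lines are constructed for illustration.

```python
import re

# failregex from the post, rejoined onto one logical line.
FAILREGEX = re.compile(
    r".*(?:pop3-login|imap-login):.*(?:Authentication failure"
    r"|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Assumption (not in the post's filter): pulls Dovecot's own attempt count.
ATTEMPTS = re.compile(r"\(auth failed, (?P<n>\d+) attempts")

SAMPLE_LOG = [
    # Line quoted in the post, unwrapped.
    "Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, "
    "22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, "
    "lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>",
    # Constructed lines (documentation addresses) for contrast.
    "Jul 12 18:09:02 vps0 dovecot: imap-login: Login: user=<info>, "
    "method=PLAIN, rip=192.0.2.10, lip=1.2.3.4, TLS",
    "Jul 12 18:10:40 vps0 dovecot: pop3-login: Aborted login (auth failed, "
    "1 attempts in 2 secs): user=<test>, method=PLAIN, rip=192.0.2.77, "
    "lip=1.2.3.4",
]


def tally(lines):
    """Per host: lines the failregex matched vs. attempts Dovecot reported."""
    result = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # e.g. a successful login
        entry = result.setdefault(
            m.group("host"), {"matched_lines": 0, "reported_attempts": 0}
        )
        entry["matched_lines"] += 1
        a = ATTEMPTS.search(line)
        # A matching line without a summary still represents one failure.
        entry["reported_attempts"] += int(a.group("n")) if a else 1
    return result


if __name__ == "__main__":
    for host, counts in tally(SAMPLE_LOG).items():
        print(host, counts)
```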