
Re: [ietf-smtp] Auth Crackers was [Shutup] Levels of proposals

2015-12-04 07:44:22
On 04/12/2015 13:26, Chris Lewis wrote:

> Secondarily, if distributed processing makes throttling per id/password
> pair difficult, why is it hard to do the botnet IP address matching at
> the authentication point?  This seems like it would avoid a _lot_ of
> extra processing.

That made me think - is there a place for a distributed approach to dealing with the problem?

If there was a "central" repository of IP addresses which have generated failed login attempts to ANY server, then it seems to me to make sense that you could catch them quicker - if someone tries one failed login to 5 different servers in the past hour, the chances are they are doing something naughty, but 5 failed logins to one server may not even trigger a warning in many cases. So, every time a server gets 'suspicious' about an IP address it can tell the repository about it, and other servers can use something like DNS to query that repository and act as they wish.

I know that isn't really related to SMTP, but since it came up, it made me think.

Probably a stupid idea, what with scaling, potential for abuse, etc., but may be worth considering for a second or two.
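The following sketch is an added example, not part of the original message: it shows the cross-server counting described above, with a DNSBL-style query name for the "something like DNS" lookup. The class and function names, the zone `authfail.example`, the server names and the sample addresses are all assumptions; the one-hour window and the threshold of five servers are taken from the message's own example.

```python
import ipaddress
from collections import defaultdict

class FailedLoginRepository:
    """Shared store of (IP, reporting server) failures; all names are hypothetical."""

    def __init__(self, window=3600, min_servers=5):
        self.window = window            # "in the past hour"
        self.min_servers = min_servers  # "5 different servers"
        self._seen = defaultdict(dict)  # ip -> {server_id: time of latest report}

    def report(self, server_id, ip, now):
        # Normalise the address; ip_address() raises ValueError on garbage input.
        ip = str(ipaddress.ip_address(ip))
        # Keyed by server, so repeated reports from one server count once.
        self._seen[ip][server_id] = now

    def distinct_servers(self, ip, now):
        ip = str(ipaddress.ip_address(ip))
        live = {s: t for s, t in self._seen.get(ip, {}).items()
                if now - t <= self.window}
        if live:
            self._seen[ip] = live       # drop reports older than the window
        else:
            self._seen.pop(ip, None)
        return len(live)

    def is_listed(self, ip, now):
        return self.distinct_servers(ip, now) >= self.min_servers

def dnsbl_query_name(ip, zone="authfail.example"):
    # DNSBL-style lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone.
    # reverse_pointer ends in "in-addr.arpa" / "ip6.arpa"; strip those two labels.
    reversed_part = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{zone}"

def demo():
    repo = FailedLoginRepository()
    # Constructed sample: one failure on each of five servers, a minute apart.
    for i, server in enumerate(["mx1", "mx2", "mx3", "mx4", "mx5"]):
        repo.report(server, "192.0.2.10", 1000 + 60 * i)
    # Constructed sample: five failures, all on the same server.
    for i in range(5):
        repo.report("mx1", "198.51.100.7", 1000 + i)
    return {ip: repo.is_listed(ip, 1300) for ip in ("192.0.2.10", "198.51.100.7")}

if __name__ == "__main__":
    print(demo(), dnsbl_query_name("192.0.2.10"))
```

Counting distinct reporters only limits the abuse concern if the repository authenticates who is reporting, which this sketch does not do.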
