[Top] [All Lists]

Re: [ietf-smtp] Auth Crackers was [Shutup] Levels of proposals

2015-12-04 08:06:45
On 12/04/2015 08:44 AM, Paul Smith wrote:

If there was a "central" repository of IP addresses which have generated
failed login attempts to ANY server, then it seems to me to make sense
that you could catch them quicker - if someone tries one failed login to
5 different servers in the past hour, the chances are they are doing
something naughty, but 5 failed logins to one server may not even
trigger a warning in many cases. So, every time a server gets
'suspicious' about an IP address it can tell the repository about it,
and other servers can use something like DNS to query that repository
and act as it wishes.

I know that isn't really related to SMTP, but since it came up, it made
me think.

Probably a stupid idea, what with scaling, potential for abuse, etc, but
may be worth considering for a second or two.

It's not an altogether stupid idea at all if more than one person has thought of it ;-)

But when starting out with it, we found it a lot safer to go with said repository only including IPs of demonstrably-by-infection auth-crackers until you have enough data sources to correlate on failures. It's beginning to look as if the "demonstrably-by-infection" is sufficiently complete that increasing the risk/complexity by correlating "suspicious" for more listings isn't necessarily worth it.

ietf-smtp mailing list