ietf-smtp

Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-06 16:53:43
On Fri, Dec 04, 2015 at 11:18:21AM -0800, Ned Freed wrote:
> I even see it on my home system. It kind of amazes me that my little box is
> seen as a target worth spending time banging on, but my logs show ~12,000
> password guessing attempts in the last 12 hours. (It's all coming from Hong
> Kong, the IPs doing it are in the SBL, and it seems to be driven on a generic
> list of likely account names, not anything more targeted.)

Do you expect to ever see a valid authentication from Hong Kong?

If not, then why not firewall it out?

The overwhelming majority of operations see locality of authentication:
that is, they see legitimate/successful attempts from the country they
operate in, or from perhaps a few countries.  (Obviously this is not
true of huge operations or of multinationals or anything like that.
But while those are prominent, they're also only a small fraction of
"all operations".  Joe's Donuts in Dubuque will never see a valid SMTP
AUTH request from Dubai.)

For such operations, it's useful to block everything and then just
allow traffic from the country (or handful of countries) that are known
a priori to originate valid attempts.  ipdeny.com has the appropriate
ranges and is updated regularly.

This is NOT a panacea.  However, *if* applicable, and it often is, it
does cut down on the noise considerably.  This in turn makes various
approaches to dealing with the remainder of the issue more tractable.

---rsk
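
One way to test the locality-of-authentication assumption against your own logs before firewalling, as an added example that is not part of the original message: it replays an auth log against a country allowlist and reports both the noise removed and any valid logins that would have been cut off. The one-CIDR-per-line zone layout, the key=value log format, and all addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed allowlist, one CIDR per line (RFC 5737 documentation ranges,
# standing in for a per-country zone file; not real country allocations).
ALLOWED_ZONE = """\
# home country (constructed)
192.0.2.0/24
198.51.100.0/25
"""

# Constructed auth log; this key=value layout is an assumption of the example.
SAMPLE_LOG = """\
2015-12-04T08:00:01 auth=fail ip=203.0.113.9 user=admin
2015-12-04T08:00:02 auth=fail ip=203.0.113.9 user=info
2015-12-04T08:00:03 auth=fail ip=203.0.113.77 user=test
2015-12-04T08:05:10 auth=ok ip=192.0.2.44 user=joe
2015-12-04T08:07:30 auth=fail ip=192.0.2.200 user=joe
2015-12-04T09:12:00 auth=ok ip=198.51.100.200 user=ann
2015-12-04T09:13:00 auth=fail ip=not-an-ip user=root
"""

def load_zone(text):
    """Parse CIDR lines, ignoring blanks and '#' comments."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [ipaddress.ip_network(l, strict=False) for l in lines if l]

def audit(log_text, allowed):
    """Replay a log against the allowlist; return (counters, locked-out logins)."""
    stats, locked_out = Counter(), []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            ip = ipaddress.ip_address(fields["ip"])
        except (KeyError, ValueError):
            stats["unparsed"] += 1      # never silently drop a line
            continue
        inside = any(ip in net for net in allowed)
        ok = fields.get("auth") == "ok"
        if ok and not inside:           # a real user the firewall would cut off
            locked_out.append((fields.get("user"), str(ip)))
        stats[("ok" if ok else "fail") + ("_allowed" if inside else "_blocked")] += 1
    return stats, locked_out

if __name__ == "__main__":
    stats, locked_out = audit(SAMPLE_LOG, load_zone(ALLOWED_ZONE))
    print(dict(stats))
    print("valid logins that would be blocked:", locked_out)
```

A non-empty locked-out list means the allowlist is too narrow for the actual user population and needs another range or country before the block goes live.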
