On Fri, Dec 04, 2015 at 11:18:21AM -0800, Ned Freed wrote:
I even see it on my home system. It kinds of amazes me that my little box is
seen as a target worth spending time banging on, but my logs show ~12,000
password guessing attempts in the last 12 hours. (It's all coming from Hong
Kong, the IPs doing it are in the SBL, and it seems to be driven on a generic
list of likely account names, not anything more targeted.)
Do you expect to ever see a valid authentication from Hong Kong?
If not, then why not firewall it out?
The overwhelming majority of operations see locality of authentication:
that is, they see legitimate/successful attempts from the country they
operate in, or from perhaps a few countries. (Obviously this is not
true of huge operations or of multinationals or anything like that.
But while those are prominent, they're also only a small fraction of
"all operations". Joe's Donuts in Dubuque will never see a valid SMTP
AUTH request from Dubai.)
For such operations, it's useful to block everything and then just
allow traffic from the country (or handful of countries) that are known
a priori to originate valid attempts. ipdeny.com has the appropriate
ranges and is updated regularly.
This is NOT a panacea. However, *if* applicable, and it often is, it
does cut down on the noise considerably. This in turn makes various
approaches to dealing with the remainder of the issue more tractable.
ietf-smtp mailing list