On Fri, Dec 04, 2015 at 11:18:21AM -0800, Ned Freed wrote:
I even see it on my home system. It kind of amazes me that my little box is
seen as a target worth spending time banging on, but my logs show ~12,000
password guessing attempts in the last 12 hours. (It's all coming from Hong
Kong, the IPs doing it are in the SBL, and it seems to be driven on a generic
list of likely account names, not anything more targeted.)
Do you expect to ever see a valid authentication from Hong Kong?
If not, then why not firewall it out?
As long as it's not affecting network or system performance - and it isn't -
it's not worth the bother. In fact I'd rather know what the attackers are up
to. Of course this is just me; YMMV.
I do occasionally get hammered, but that's usually just unauthenticated
SMTP traffic. In those cases I put in a block.
The overwhelming majority of operations see locality of authentication:
that is, they see legitimate/successful attempts from the country they
operate in, or from perhaps a few countries. (Obviously this is not
true of huge operations or of multinationals or anything like that.
But while those are prominent, they're also only a small fraction of
"all operations". Joe's Donuts in Dubuque will never see a valid SMTP
AUTH request from Dubai.)
Sure.
For such operations, it's useful to block everything and then just
allow traffic from the country (or handful of countries) that are known
a priori to originate valid attempts. ipdeny.com has the appropriate
ranges and is updated regularly.
Good to know.
Ned
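
The locality-of-authentication argument in this thread can be checked against a site's own history before any default-deny rule goes in. The sketch below is an added example, not part of the original message: it replays authentication log lines against a candidate allowlist and reports successful logins that the rule would have cut off. The log format, the field names and the CIDR ranges (documentation address space) are constructed, and the one-CIDR-per-line allowlist layout is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed allowlist, one CIDR per line (documentation ranges, not real
# country data). The layout is an assumption about the zone file in use.
ALLOW_ZONE = """\
# constructed sample
192.0.2.0/24
198.51.100.0/25
"""

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2015-12-04T10:00:01 auth result=fail user=admin ip=203.0.113.7
2015-12-04T10:00:02 auth result=fail user=test ip=203.0.113.7
2015-12-04T10:05:00 auth result=ok user=alice ip=192.0.2.44
2015-12-04T10:06:10 auth result=fail user=info ip=203.0.113.90
2015-12-04T10:07:30 auth result=ok user=bob ip=198.51.100.200
2015-12-04T10:08:00 auth result=fail user=alice ip=192.0.2.44
malformed line without fields
"""

def load_networks(text):
    """Parse CIDR lines, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def replay(log_text, nets):
    """Return (counts by (result, verdict), successful logins the rule would block)."""
    stats, locked_out = Counter(), []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            addr = ipaddress.ip_address(fields["ip"])
            ok = fields["result"] == "ok"
        except (KeyError, ValueError):
            stats["skipped"] += 1          # unparseable line or address
            continue
        allowed = any(addr in n for n in nets)
        if ok and not allowed:
            locked_out.append((fields.get("user"), str(addr)))
        stats[("ok" if ok else "fail", "allowed" if allowed else "blocked")] += 1
    return stats, locked_out

if __name__ == "__main__":
    stats, locked_out = replay(SAMPLE_LOG, load_networks(ALLOW_ZONE))
    print(dict(stats))
    print("valid logins the rule would block:", locked_out)
```

A non-empty lock-out list means the candidate ranges are too narrow for the site's real users and need widening before the block is enforced.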