SorenR wrote:
How many failed logins on SMTP get past your GEO blocking and HELO/EHLO filtering? I have AutoBan on failed login set to 1 (yeah I know) and I NEVER see any funny ones in my banned range...
Good point. Very few get past my filters. And how would I know anyway? If they get picked up by my filters, they get banned to the firewall. Autoban is only 1 hour, so unless I'm watching all day long, I'd never even know. They expire before I can look. Right now I only have 2 autobans, both for geo blocking.
But then again, my filters are more geared toward blocking spam, not password attacks, and they mostly operate exclusively on port 25. Geoblocking is one of the only ones that looks at all ports.
I just looked in my db log. On May 2-4 I was under dictionary attack. They all used [127.0.0.1] as HELO, so I searched for that on May 3 and came up with 1,100+ hits. Most were denied by geoip. Then I searched for the same thing except with "accepted" status (a note that goes in the log each time a log event is triggered - the opposite of rejected) and found only 28 hits. These were clearly part of a dictionary attack on port 587. I log the port too. I can get lots of information this way, but I can't search specifically for failed logons except for IMAP ones.
Logging these failed logons was more out of curiosity. My database log and firewall ban are both great for providing statistics and looking for trends.
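The log search described in the reply above (count every session with a given HELO on one day, break it down by status and port, then narrow to the accepted ones on port 587), as an added example run against a constructed in-memory SQLite table. The schema, column names, timestamps and sample rows are assumptions for illustration, not the poster's actual database log.

```python
import sqlite3

# Constructed sample of a connection log (assumed schema). Each row:
# timestamp, remote IP, HELO/EHLO string, destination port, status,
# and the filter that produced a rejection (empty when accepted).
SAMPLE_ROWS = [
    ("2021-05-03 01:12:07", "203.0.113.10", "[127.0.0.1]", 587, "rejected", "geoip"),
    ("2021-05-03 01:12:09", "203.0.113.11", "[127.0.0.1]", 587, "rejected", "geoip"),
    ("2021-05-03 01:13:44", "198.51.100.7", "[127.0.0.1]", 587, "accepted", ""),
    ("2021-05-03 01:13:51", "198.51.100.7", "[127.0.0.1]", 587, "accepted", ""),
    ("2021-05-03 02:02:15", "198.51.100.8", "[127.0.0.1]", 25, "rejected", "helo"),
    ("2021-05-03 03:40:00", "192.0.2.55", "mail.example.net", 25, "accepted", ""),
    ("2021-05-04 00:05:30", "198.51.100.9", "[127.0.0.1]", 587, "accepted", ""),
]


def load_log(rows):
    """Load the constructed rows into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smtp_log (ts TEXT, remote_ip TEXT, helo TEXT, "
                 "port INTEGER, status TEXT, filter TEXT)")
    conn.executemany("INSERT INTO smtp_log VALUES (?,?,?,?,?,?)", rows)
    return conn


def helo_hits(conn, helo, day):
    """First search in the post: all sessions with this HELO on one day."""
    sql = "SELECT COUNT(*) FROM smtp_log WHERE helo=? AND ts LIKE ?"
    return conn.execute(sql, (helo, day + "%")).fetchone()[0]


def breakdown_by_status_and_port(conn, helo, day):
    """Which of those were rejected (and by what) vs accepted, per port."""
    sql = ("SELECT status, port, COUNT(*) FROM smtp_log "
           "WHERE helo=? AND ts LIKE ? GROUP BY status, port")
    return {(s, p): n for s, p, n in conn.execute(sql, (helo, day + "%"))}


def accepted_submission_sources(conn, helo, day):
    """Second search: sessions that got past the filters on port 587,
    grouped by remote IP, i.e. the ones that reached the login stage."""
    sql = ("SELECT remote_ip, COUNT(*) FROM smtp_log WHERE helo=? AND ts LIKE ? "
           "AND status='accepted' AND port=587 GROUP BY remote_ip")
    return dict(conn.execute(sql, (helo, day + "%")).fetchall())


if __name__ == "__main__":
    db = load_log(SAMPLE_ROWS)
    print(helo_hits(db, "[127.0.0.1]", "2021-05-03"))
    print(breakdown_by_status_and_port(db, "[127.0.0.1]", "2021-05-03"))
    print(accepted_submission_sources(db, "[127.0.0.1]", "2021-05-03"))
```

The accepted-on-587 set is the one worth keeping an eye on, since those sessions were not stopped by geoip or HELO rules and the only remaining control is the login itself.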