Blacklistng from failed IMAP or POP3 attempts

Discussions on webmail and the Professional version.
Post Reply
dbacher
Posts: 3
Joined: Fri Dec 07, 2012 12:49 am

Blacklistng from failed IMAP or POP3 attempts

Post by dbacher » Wed Feb 13, 2019 11:47 pm

I have an attacker or attackers who are attempting to access specific mailboxes on specific domains. A number of the attempts are against valid / real mailboxes, others are against heuristically determined mailboxes. Symptom is a user will suddenly be locked from their account when their authentication threshold is set.

I would like to blacklist an IP address for a configured period of time after a number of consecutive authentication failures, regardless of the mailboxes involved. The SSH server software I use on Windows, for example, has this feature. Ideally, this would not be per-protocol and would rather be a flat "I don't care what protocol," and would have a management screen. Take a look at BitVise WinSSHD if you want to see what I'm talking about there.

Additionally, I'd like to fast-fail certain usernames (administrator, root, etc.) where it'll fall into this window immediately if there's an attempt to use them.

The consecutive failures can be a memory product, and it's fine with me if they don't persist across a reboot (it's better if they do). The goal is just to prevent someone from continuously trying email addressees from, say, a hack list with passwords until they hit one that works - the three then lock the account protects an individual account, but doing it server wide is helpful for the server.

Post Reply