by cm2187 1512 days ago
Mostly, there are so many IPs those attackers can use. When I look at the smtp/imap failed authentication attempt logs, the patterns are fairly obvious: different IPs trying similar-looking emails in a sequence. I think in most cases banning the IP, even only for 24h, will do the trick (and a /64 block for v6).

Also there is something to be said for generating the password yourself and sending it in clear to your users by email. The reality is that if the attacker has access to your client's emails, it's game over anyway because of password recovery. And this way you enforce that your clients will not reuse a password, and will have a strong, non-brute-forceable password. And if you get hacked, at least you didn't leak that precious password your users reused everywhere else. The only issue I can think of is that, because smtp is the most neglected protocol of the internet, there is no way to ensure the email will be encrypted in transit.

1 comments

Attacks coming from the same IP address are literally kids just running port scanners.

Blocking individual IP addresses has never been a valid mitigation against professional attackers. Attackers will just pivot to renting a different botnet from different geographies/ip ranges.

If your service has any level of scale, there can be double digit percentages of users who are sharing an IP address with a hacked device. Blocking attacker IP addresses will block users of your service.