• Slavko via Exim-users [2022-06-24 13:24]:
> Dňa 24. júna 2022 9:14:41 UTC používateľ Kirill Miazine via Exim-users <exim-users@???> napísal:
>
> >I've found AuthBL from Spamhaus and Abusix to be very useful.
>
> AFAIK Spamhaus's AuthBL is about hosts, which uses stolen credentials
> (to send SPAM), not those attacking AUTH. While i use it in rsdpamd and MX,
> only very small part of mentioned IPs is/was on it... I even stop to use its
> XBL for AUTH due too many false positives, mostly due end user's IP change
> (e.g. Deutche mobile users). It tooks about 2 days to XBL's time out on
> Spamhaus side and this repeats after next IP change...
>
> BTW Spamhaus itself suggests to not use XBL for end users filtering and
> AurhBL is XBL subset...
According to docs, AuthBL is both:
"AuthBL is basically that: a collection of bots known to use stolen
credentials or authentication bruteforce."
https://docs.spamhaus.com/datasets/docs/source/10-data-type-documentation/datasets/030-datasets.html#authbl
I wouldn't use XBL for blocking users (as XBL has lots of stuff in
there), but there have never been any issues with AuthBL. Having said
that, my system has a single digit number of users.
Abusix is catching more, but there are lots of bruteforcers who aren't
on either list. From today's maillog:
# grep AuthBL maillog |wc -l
62
grep Abusix maillog |wc -l
144
# grep 'login authenticator failed for ' maillog |wc -l
1072
-- Kirill
