feat: add Postfix slow brute-force and HELO rejection scenarios

Étienne LEMÉE · claude · Étienne LEMÉE · commit 8dabf51a0ce6 · 2026-02-21T09:34:52.000+01:00
Add slow brute-force detection for Postfix SMTP AUTH (port 25),
submission port 587, and evasive HELO rejection attacks:

- melite/postfix-slow-bf: 2h window (leakspeed 900s, capacity 7)
- melite/postfix-very-slow-bf: 24h window (leakspeed 4h, capacity 5)
- melite/postfix-submission-very-slow-bf: 24h window (port 587)
- melite/postfix-helo-very-slow: 24h window (invalid HELO commands)

Also adds melite/postfix-submission-auth parser (s02-enrich) that
extracts auth=0/N pattern from disconnect lines on port 587,
which standard parsers miss entirely.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.tests/postfix-helo-very-slow/config.yaml b/.tests/postfix-helo-very-slow/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/postfix-logs
+  - crowdsecurity/dateparse-enrich
+scenarios:
+  - melite/postfix-helo-very-slow
+log_file: postfix-helo-very-slow.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log b/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log
@@ -0,0 +1,6 @@
+Jan 15 08:00:00 server postfix/smtpd[43001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender@spam.example> to=<user@example.com> proto=ESMTP helo=<invalid>
+Jan 15 09:10:00 server postfix/smtpd[43002]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender2@spam.example> to=<user2@example.com> proto=ESMTP helo=<invalid>
+Jan 15 10:20:00 server postfix/smtpd[43003]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender3@spam.example> to=<user3@example.com> proto=ESMTP helo=<invalid>
+Jan 15 11:30:00 server postfix/smtpd[43004]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender4@spam.example> to=<user4@example.com> proto=ESMTP helo=<invalid>
+Jan 15 12:40:00 server postfix/smtpd[43005]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender5@spam.example> to=<user5@example.com> proto=ESMTP helo=<invalid>
+Jan 15 13:50:00 server postfix/smtpd[43006]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender6@spam.example> to=<user6@example.com> proto=ESMTP helo=<invalid>
diff --git a/.tests/postfix-slow-bf/config.yaml b/.tests/postfix-slow-bf/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/postfix-logs
+  - crowdsecurity/dateparse-enrich
+scenarios:
+  - melite/postfix-slow-bf
+log_file: postfix-slow-bf.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-slow-bf/postfix-slow-bf.log b/.tests/postfix-slow-bf/postfix-slow-bf.log
@@ -0,0 +1,8 @@
+Jan 15 10:00:00 server postfix/smtpd[40001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:03:00 server postfix/smtpd[40002]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:06:00 server postfix/smtpd[40003]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:10:00 server postfix/smtpd[40004]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:14:00 server postfix/smtpd[40005]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:18:00 server postfix/smtpd[40006]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:22:00 server postfix/smtpd[40007]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:26:00 server postfix/smtpd[40008]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
diff --git a/.tests/postfix-submission-auth/config.yaml b/.tests/postfix-submission-auth/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/postfix-logs
+  - crowdsecurity/dateparse-enrich
+  - melite/postfix-submission-auth
+scenarios:
+  []
+log_file: postfix-submission-auth.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-submission-auth/postfix-submission-auth.log b/.tests/postfix-submission-auth/postfix-submission-auth.log
@@ -0,0 +1,3 @@
+Jan 15 10:30:45 server postfix/submission/smtpd[50001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 10:31:00 server postfix/submission/smtpd[50002]: disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7
+Jan 15 10:32:00 server postfix/submission/smtpd[50003]: disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4
diff --git a/.tests/postfix-submission-very-slow-bf/config.yaml b/.tests/postfix-submission-very-slow-bf/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/postfix-logs
+  - crowdsecurity/dateparse-enrich
+  - melite/postfix-submission-auth
+scenarios:
+  - melite/postfix-submission-very-slow-bf
+log_file: postfix-submission-very-slow-bf.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log b/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log
@@ -0,0 +1,6 @@
+Jan 15 10:00:00 server postfix/submission/smtpd[42001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 11:30:00 server postfix/submission/smtpd[42002]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4
+Jan 15 13:00:00 server postfix/submission/smtpd[42003]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 14:30:00 server postfix/submission/smtpd[42004]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 16:00:00 server postfix/submission/smtpd[42005]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5
+Jan 15 17:30:00 server postfix/submission/smtpd[42006]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
diff --git a/.tests/postfix-very-slow-bf/config.yaml b/.tests/postfix-very-slow-bf/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/postfix-logs
+  - crowdsecurity/dateparse-enrich
+scenarios:
+  - melite/postfix-very-slow-bf
+log_file: postfix-very-slow-bf.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log b/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log
@@ -0,0 +1,6 @@
+Jan 15 08:00:00 server postfix/smtpd[41001]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 08:45:00 server postfix/smtpd[41002]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 09:30:00 server postfix/smtpd[41003]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:15:00 server postfix/smtpd[41004]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:00:00 server postfix/smtpd[41005]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:45:00 server postfix/smtpd[41006]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
diff --git a/parsers/s02-enrich/melite/postfix-submission-auth.md b/parsers/s02-enrich/melite/postfix-submission-auth.md
@@ -0,0 +1,25 @@
+## Description
+
+Parses Postfix submission port (587) authentication failures from disconnect log lines.
+
+Standard Postfix parsers (`crowdsecurity/postfix-logs`) don't extract authentication failure information from disconnect lines. When using port 587 with STARTTLS, Postfix does not log explicit "SASL authentication failed" messages. Instead, auth failures only appear as `auth=0/N` in the disconnect summary line.
+
+This parser runs in `s02-enrich` stage (after `crowdsecurity/postfix-logs` parses the line in s01) and extracts the `auth=0/N` pattern, tagging matching lines with `log_type_enh: submission-auth-failed` for use by the `melite/postfix-submission-very-slow-bf` scenario.
+
+**Stage**: `s02-enrich` (requires prior s01-parse by `crowdsecurity/postfix-logs`)
+
+## Example
+
+```
+Jan 15 10:30:45 server postfix/submission/smtpd[1234]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 11:00:00 server postfix/submission/smtpd[5678]: disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7
+```
+
+The parser extracts:
+- `auth_failed: 0` (successes)
+- `auth_attempts: 1` or `3` (total attempts)
+- Tags: `log_type: postfix`, `log_type_enh: submission-auth-failed`
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs` (s01-parse, must run first)
diff --git a/parsers/s02-enrich/melite/postfix-submission-auth.yaml b/parsers/s02-enrich/melite/postfix-submission-auth.yaml
@@ -0,0 +1,27 @@
+# Parser: Postfix submission port (587) auth failures
+# Stage: s02-enrich (runs AFTER s01-parse/postfix-logs)
+#
+# Detects authentication failures from "disconnect" lines on port 587.
+# Standard Postfix parsers don't catch these because port 587+STARTTLS
+# only shows auth=0/N in disconnect (no explicit "SASL authentication failed").
+#
+# Example log line:
+#   postfix/submission/smtpd[PID]: disconnect from host[IP] ehlo=1 auth=0/1 quit=1 commands=2/3
+#
+# The auth=0/N pattern indicates N authentication attempts with 0 successes.
+onsuccess: next_stage
+filter: "evt.Parsed.program endsWith '/smtpd' && evt.Parsed.message contains 'disconnect' && evt.Parsed.message contains 'auth=0/'"
+name: melite/postfix-submission-auth
+description: "Parse submission port auth failures from disconnect lines"
+nodes:
+  - grok:
+      apply_on: message
+      pattern: 'disconnect from %{POSTFIX_HOSTNAME:remote_host}\[%{IP:remote_addr}\].*auth=%{INT:auth_failed}/%{INT:auth_attempts}'
+    filter: "evt.Parsed.auth_attempts != '' && evt.Parsed.auth_attempts != '0'"
+    statics:
+      - meta: log_type
+        value: postfix
+      - meta: log_type_enh
+        value: submission-auth-failed
+      - meta: source_ip
+        expression: evt.Parsed.remote_addr
diff --git a/scenarios/melite/postfix-helo-very-slow.md b/scenarios/melite/postfix-helo-very-slow.md
@@ -0,0 +1,30 @@
+## Description
+
+Detects evasive spammers sending invalid HELO/EHLO commands at a rate of less than 1 attempt per hour. The standard `crowdsecurity/postfix-helo-rejected` scenario has only a ~10-minute detection window, allowing patient spammers to fly under the radar.
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 HELO rejections from the same IP.
+
+**Note**: Unlike brute-force scenarios, `reprocess` is set to `false` since HELO rejections are a spam indicator, not credential attacks.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+A spammer sends invalid HELO commands ~70 minutes apart to avoid detection:
+
+```
+Jan 15 08:00:00 server postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender@spam.example> to=<user@example.com>
+Jan 15 09:10:00 server postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender2@spam.example> to=<user2@example.com>
+Jan 15 10:20:00 server postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender3@spam.example> to=<user3@example.com>
+Jan 15 11:30:00 server postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender4@spam.example> to=<user4@example.com>
+Jan 15 12:40:00 server postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender5@spam.example> to=<user5@example.com>
+Jan 15 13:50:00 server postfix/smtpd[1006]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <invalid>: Helo command rejected: need fully-qualified hostname; from=<sender6@spam.example> to=<user6@example.com>
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-helo-very-slow.yaml b/scenarios/melite/postfix-helo-very-slow.yaml
@@ -0,0 +1,27 @@
+# Scenario: Very slow Postfix HELO rejected
+# Detects attackers sending invalid HELO commands at < 1 attempt per hour
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Standard crowdsecurity/postfix-helo-rejected has only a 10-minute window.
+# Evasive spammers space invalid HELO commands ~70 minutes apart to avoid it.
+#
+# Real-world example: 31.192.235.95 targeting laportette.fr with ~70min intervals
+type: leaky
+name: melite/postfix-helo-very-slow
+description: "Detect very slow HELO rejection attacks (evasive spammers)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason startsWith 'Helo command rejected'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: false
+labels:
+  service: postfix
+  remediation: true
+  confidence: 2
+  spoofable: 0
+  classification:
+    - attack.T1595
+    - attack.T1592
+  behavior: "smtp:very-slow-helo-spam"
+  label: "Postfix Very Slow HELO Rejected"
diff --git a/scenarios/melite/postfix-slow-bf.md b/scenarios/melite/postfix-slow-bf.md
@@ -0,0 +1,32 @@
+## Description
+
+Detects slow Postfix SMTP AUTH brute-force attacks where distributed botnets or patient attackers test SASL credentials with 2-5 minute intervals on port 25.
+
+Uses a leaky bucket with a 15-minute (900s) leak rate and capacity of 7, creating a 2-hour detection window. Triggers after 8 failed SASL authentication attempts from the same IP.
+
+Includes a `_user-enum` variant that triggers when the same IP tries different SASL usernames.
+
+**Detection window**: 2 hours (leakspeed 900s × 8 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+A distributed botnet tests SMTP credentials with 2-5 minute intervals:
+
+```
+Jan 15 10:00:00 server postfix/smtpd[1001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:03:00 server postfix/smtpd[1002]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:06:00 server postfix/smtpd[1003]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:10:00 server postfix/smtpd[1004]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:14:00 server postfix/smtpd[1005]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:18:00 server postfix/smtpd[1006]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:22:00 server postfix/smtpd[1007]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:26:00 server postfix/smtpd[1008]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-slow-bf.yaml b/scenarios/melite/postfix-slow-bf.yaml
@@ -0,0 +1,44 @@
+# Scenario: Slow Postfix SMTP AUTH bruteforce
+# Detects distributed or slow SASL authentication attacks on port 25
+# Detection window: 15min x 8 = 2 hours (8 failures needed)
+#
+# Real-world example: Distributed botnets testing SMTP credentials
+# with 2-5 minute intervals to avoid standard detection.
+type: leaky
+name: melite/postfix-slow-bf
+description: "Detect slow Postfix SMTP AUTH bruteforce (distributed attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+leakspeed: "900s"
+capacity: 7
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+  service: postfix
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "smtp:slow-bruteforce"
+  label: "Postfix Slow Bruteforce"
+---
+# SASL username enumeration variant
+type: leaky
+name: melite/postfix-slow-bf_user-enum
+description: "Detect slow Postfix SASL user enumeration"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.sasl_username
+leakspeed: "900s"
+capacity: 7
+blackhole: 5m
+labels:
+  service: postfix
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "smtp:user-enumeration"
+  label: "Postfix Slow User Enumeration"
diff --git a/scenarios/melite/postfix-submission-very-slow-bf.md b/scenarios/melite/postfix-submission-very-slow-bf.md
@@ -0,0 +1,31 @@
+## Description
+
+Detects very slow brute-force attacks on the Postfix submission port (587). These attacks are invisible to standard Postfix scenarios because port 587 with STARTTLS does not log explicit "SASL authentication failed" messages — failures only appear as `auth=0/N` in disconnect lines.
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed submission auth attempts from the same IP.
+
+**Requires** the `melite/postfix-submission-auth` parser (s02-enrich) to extract auth failure information from disconnect lines.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+An attacker targets the submission port with STARTTLS, auth failures only visible in disconnect lines:
+
+```
+Jan 15 10:00:00 server postfix/submission/smtpd[1001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 11:30:00 server postfix/submission/smtpd[1002]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4
+Jan 15 13:00:00 server postfix/submission/smtpd[1003]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 14:30:00 server postfix/submission/smtpd[1004]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 16:00:00 server postfix/submission/smtpd[1005]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5
+Jan 15 17:30:00 server postfix/submission/smtpd[1006]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs` (s01-parse)
+- Parser: `melite/postfix-submission-auth` (s02-enrich, **required**)
diff --git a/scenarios/melite/postfix-submission-very-slow-bf.yaml b/scenarios/melite/postfix-submission-very-slow-bf.yaml
@@ -0,0 +1,31 @@
+# Scenario: Very slow bruteforce on Postfix submission port (587)
+# Detects evasive attacks that space attempts to evade standard scenarios
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Key insight: Attackers targeting port 587 (submission+STARTTLS) often
+# do 1 attempt every ~30-60 minutes to evade detection.
+# Standard postfix scenarios don't catch these because:
+# 1. They rely on explicit "SASL authentication failed" logs
+# 2. Port 587 only shows auth failures in disconnect lines (auth=0/N)
+#
+# Requires: melite/postfix-submission-auth parser (s02-enrich)
+#
+# Real-world example: 62.60.130.220 did 135 attempts over 20 hours (~1/9min average)
+type: leaky
+name: melite/postfix-submission-very-slow-bf
+description: "Detect very slow Postfix submission auth bruteforce (evasive attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'submission-auth-failed'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+  service: postfix
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "smtp:evasive-bruteforce"
+  label: "Postfix Submission Very Slow Bruteforce"
diff --git a/scenarios/melite/postfix-very-slow-bf.md b/scenarios/melite/postfix-very-slow-bf.md
@@ -0,0 +1,30 @@
+## Description
+
+Detects very slow Postfix SMTP AUTH brute-force attacks where attackers space SASL authentication attempts ~30+ minutes apart to evade the standard `melite/postfix-slow-bf` scenario (15-minute leak rate).
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed SASL authentication attempts from the same IP.
+
+Includes a `_user-enum` variant for slow SASL username enumeration.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+An attacker spaces SMTP auth attempts ~45 minutes apart:
+
+```
+Jan 15 08:00:00 server postfix/smtpd[1001]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 08:45:00 server postfix/smtpd[1002]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 09:30:00 server postfix/smtpd[1003]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:15:00 server postfix/smtpd[1004]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:00:00 server postfix/smtpd[1005]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:45:00 server postfix/smtpd[1006]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-very-slow-bf.yaml b/scenarios/melite/postfix-very-slow-bf.yaml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Jan 15 10:30:45 server postfix/submission/smtpd[50001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3`
	`2`	`+Jan 15 10:31:00 server postfix/submission/smtpd[50002]: disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7`
	`3`	`+Jan 15 10:32:00 server postfix/submission/smtpd[50003]: disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4`