If you want to auto-ban IPs that try to connect to the POP3 ports (110 and 995), you could probably do something like firewalling these ports in Windows Firewall and enabling logs for firewall rejections.
Some PowerShell script could check the event log to get IPs that attempted connections to these firewalled ports and add these IPs to apply a global ban firewall rule.
```powershell
# Enable logging of dropped packets
Set-NetFirewallProfile -All -LogBlocked True -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -LogMaxSizeKilobytes 4096
```
An example PowerShell script that would do the check:
```powershell
$logFile = "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
$banLogFile = "C:\Scripts\banned_ips.txt"
$targetPort = "110"
$threshold = 3 # number of attempts before ban

# Read already banned IPs
$alreadyBanned = @()
if (Test-Path $banLogFile) {
    $alreadyBanned = Get-Content $banLogFile
}

# Parse firewall log for DROP entries targeting port 110
$hits = Get-Content $logFile |
    Where-Object { $_ -match "^20" } | # skip header lines
    ForEach-Object {
        $fields = $_ -split " "
        [PSCustomObject]@{
            Action  = $fields[2]
            SrcIP   = $fields[4]
            DstPort = $fields[7]
        }
    } |
    Where-Object { $_.Action -eq "DROP" -and $_.DstPort -eq $targetPort }

# Group by source IP and apply threshold
$candidates = $hits |
    Group-Object SrcIP |
    Where-Object { $_.Count -ge $threshold } |
    Select-Object -ExpandProperty Name

foreach ($ip in $candidates) {
    if ($alreadyBanned -contains $ip) { continue }

    # Validate it looks like an IP
    if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }

    Write-Output "$(Get-Date) - Banning $ip"

    # Add firewall block rule
    New-NetFirewallRule `
        -DisplayName "AutoBan $ip (port $targetPort)" `
        -Direction Inbound `
        -Action Block `
        -Protocol TCP `
        -RemoteAddress $ip `
        -Enabled True | Out-Null

    # Record the ban
    Add-Content $banLogFile $ip
}
```
Add a scheduled task to run the script:
```powershell
# Run the script every 5 minutes as SYSTEM
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\AutoBan-Port110.ps1"
$trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -Once -At (Get-Date)
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 2)
Register-ScheduledTask `
    -TaskName "AutoBan Port 110 Scanners" `
    -Action $action `
    -Trigger $trigger `
    -RunLevel Highest `
    -User "SYSTEM" `
    -Settings $settings
```
How It Works
```
Port 110 connection attempt
        │
        ▼
Windows Firewall DROPs it ──▶ logs to pfirewall.log
        │
        ▼
Script runs every 5 min
        │
        ▼
Parses log, counts hits per IP
        │
        ▼
IP hits threshold (≥3)? ──▶ New-NetFirewallRule blocks IP entirely
        │
        ▼
IP recorded in banned_ips.txt (skip on next run)
```
DISCLAIMER: example scripts generated by Claude, because well, I'm lazy.
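
A variant of the log-parsing step, added here as an example and not part of the original post: it covers both POP3 ports (110 and 995), reads column positions from the log's own `#Fields:` header instead of fixed indexes, counts only drops inside a time window, and skips allowlisted addresses. The function name `Get-Pop3BanCandidate`, its parameters and the sample log lines are assumptions made for illustration.

```powershell
# Constructed sample in pfirewall.log format (documentation-range addresses only).
$sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:10:00 DROP TCP 203.0.113.99 192.0.2.10 41000 110 52 S 90 0 8192 - - - RECEIVE
2024-05-01 10:00:01 DROP TCP 203.0.113.7 192.0.2.10 50111 110 52 S 100 0 8192 - - - RECEIVE
2024-05-01 10:00:05 DROP TCP 203.0.113.7 192.0.2.10 50112 995 52 S 101 0 8192 - - - RECEIVE
2024-05-01 10:01:09 DROP TCP 203.0.113.7 192.0.2.10 50113 110 52 S 102 0 8192 - - - RECEIVE
2024-05-01 10:02:00 DROP TCP 198.51.100.9 192.0.2.10 40000 110 52 S 103 0 8192 - - - RECEIVE
2024-05-01 10:02:30 DROP TCP 198.51.100.9 192.0.2.10 40001 3389 52 S 104 0 8192 - - - RECEIVE
2024-05-01 10:03:00 ALLOW TCP 203.0.113.50 192.0.2.10 40100 995 52 S 105 0 8192 - - - RECEIVE
'@ -split "`r?`n"

function Get-Pop3BanCandidate {   # hypothetical helper name
    param(
        [string[]]$LogLines,
        [string[]]$Ports = @('110', '995'),
        [int]$Threshold = 3,
        [datetime]$Since = [datetime]::MinValue,   # count only drops at or after this local time
        [string[]]$Allowlist = @()                 # addresses that must never be banned
    )
    # Resolve column positions from the log's own "#Fields:" header
    $header = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No #Fields: header in log' }
    $names = ($header -replace '^#Fields:\s*', '').Trim() -split '\s+'
    $col = @{}
    for ($i = 0; $i -lt $names.Count; $i++) { $col[$names[$i]] = $i }
    $LogLines | Where-Object { $_ -and $_ -notlike '#*' } | ForEach-Object {
        $f = $_ -split ' '
        if ($f.Count -lt $names.Count) { return }      # skip truncated lines
        $t = [datetime]::MinValue
        $stamp = "$($f[$col['date']]) $($f[$col['time']])"
        $ok = [datetime]::TryParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$t)
        if (-not $ok) { return }                       # skip lines with an unparsable timestamp
        [PSCustomObject]@{ Time = $t; Action = $f[$col['action']]; Protocol = $f[$col['protocol']]
                           SrcIP = $f[$col['src-ip']]; DstPort = $f[$col['dst-port']] }
    } |
    Where-Object { $_.Action -eq 'DROP' -and $_.Protocol -eq 'TCP' -and
                   $Ports -contains $_.DstPort -and $_.Time -ge $Since } |
    Group-Object SrcIP |
    Where-Object { $_.Count -ge $Threshold -and $Allowlist -notcontains $_.Name } |
    ForEach-Object {
        [PSCustomObject]@{ SrcIP = $_.Name; Hits = $_.Count
                           Ports = ($_.Group.DstPort | Sort-Object -Unique) -join ',' }
    }
}

# Fixed window start so the result on the constructed sample is stable
Get-Pop3BanCandidate -LogLines $sample -Since ([datetime]'2024-05-01 09:30:00')
```

On a live host the input would be `Get-Content` of the firewall log and `-Since` something like `(Get-Date).AddHours(-1)`; the returned `SrcIP` values can feed the same `New-NetFirewallRule` loop shown above.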