Hi,

On Wed 12/Feb/2020 18:43:54 +0100 Alex de Joode wrote:
>
> The abuse notification below is absolutely terrible: it only highlights the
> OVH IP that was used, however it completely fails to identify the IP/hostname
> that was "attacked", no action (other than forward the notice to the user of
> the IP) can be taken.

Yes, the user of the IP is the one who should take care.  I don't think an
actual (paying) user would waste resources on such desperate dictionary attacks.
So, the host must be 0wned, and needs cleanup.

> Please in the future include all relevant data in your abuse notice. (src+dst
> ip are relevant!)

Src+port are already there.  The destination IP is indirectly mentioned in a
sort of (stripped off[*]) legend which explains which host, what firewall, and
similar details.

Best
Ale

--
[*] I'd publish it if I were sure it's bullet proof.  Until it's fully vetted,
some obscurity sounds more secure ;-)

> On Wed, 12-02-2020 13h 16min, Alessandro Vesely <ves...@tana.it> wrote:
>
> > Dear Abuse Team
> >
> > The following abusive behavior from IP address under your constituency
> > 188.165.221.36 has been detected:
> >
> > 2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%,
> > SMTP auth dictionary attack
> >
> > 188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018
> >
> > original data from the mail log:
> > 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
> > 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
> > 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
> > 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
> > 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
> > 2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
> >
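The thread's complaint is that the notice names the source IP and port but not the server that was attacked. As an added example (not part of the thread, and not the reporting tool Ale runs), the script below parses courieresmtpd lines in the format quoted in the notice, groups "535 Authentication failed." events per source IP, flags a source as a dictionary attack when enough failures fall inside a short window, and renders a notice that names both ends of the connection. The sample log lines, the destination host mail.example.net / 198.51.100.25 and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the courieresmtpd format quoted in the thread.
# 188.165.221.36 fails AUTH three times in a few seconds; 192.0.2.10 fails once.
SAMPLE_LOG = """\
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 00000000.00000001
2020-02-11 11:39:26 CET courieresmtpd: error,relay=188.165.221.36,port=62026,msg="535 Authentication failed.",cmd: AUTH LOGIN 00000000.00000002
2020-02-11 11:39:27 CET courieresmtpd: error,relay=188.165.221.36,port=58534,msg="535 Authentication failed.",cmd: AUTH LOGIN 00000000.00000003
2020-02-11 11:40:01 CET courieresmtpd: started,ip=[192.0.2.10],port=[40001]
2020-02-11 11:40:02 CET courieresmtpd: error,relay=192.0.2.10,port=40001,msg="535 Authentication failed.",cmd: AUTH LOGIN 00000000.00000004
2020-02-11 11:40:05 CET courieresmtpd: some unrelated message that the parser skips
"""

TS = r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<tz>\S+) courieresmtpd: '
STARTED_RE = re.compile(TS + r'started,ip=\[(?P<ip>[^\]]+)\],port=\[(?P<port>\d+)\]$')
ERROR_RE = re.compile(TS + r'error,relay=(?P<ip>[^,]+),port=(?P<port>\d+),'
                      r'msg="(?P<msg>[^"]*)",cmd: (?P<cmd>.*)$')


def parse_log(text):
    """Turn raw courieresmtpd lines into event dicts; lines of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("started", STARTED_RE), ("error", ERROR_RE)):
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                # The TZ abbreviation is kept only as text; times are server local time.
                ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
                ev["port"] = int(ev["port"])
                ev["raw"] = line
                events.append(ev)
                break
    return events


def auth_failures_by_ip(events):
    """Group 535 authentication failures by source IP, keeping the raw lines as evidence."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["kind"] == "error" and ev["msg"].startswith("535"):
            by_ip[ev["ip"]].append(ev)
    return dict(by_ip)


def is_dictionary_attack(failures, threshold=3, window=timedelta(minutes=10)):
    """True when some window of length `window` holds at least `threshold` failures.

    Threshold and window are assumed tuning values, not the tool's real ones.
    """
    times = sorted(ev["ts"] for ev in failures)
    left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def build_notice(src_ip, failures, dst_host, dst_ip):
    """Render a notice that names the attacked host as well as the source IP and ports."""
    first = min(ev["ts"] for ev in failures)
    last = max(ev["ts"] for ev in failures)
    lines = [
        "Dear Abuse Team",
        "",
        f"The following abusive behavior from IP address under your constituency "
        f"{src_ip} has been detected:",
        f"SMTP auth dictionary attack against {dst_host} ({dst_ip})",
        f"{len(failures)} failed AUTH attempts between {first} and {last} "
        f"(server local time), source ports "
        + ", ".join(str(ev["port"]) for ev in failures),
        "",
        "original data from the mail log:",
    ]
    lines.extend(ev["raw"] for ev in failures)
    return "\n".join(lines)


if __name__ == "__main__":
    by_ip = auth_failures_by_ip(parse_log(SAMPLE_LOG))
    for ip, failures in by_ip.items():
        if is_dictionary_attack(failures):
            # Assumed destination host and IP of the reporting mail server.
            print(build_notice(ip, failures, "mail.example.net", "198.51.100.25"))
            print()
```

The "started" events are parsed but not counted: only a 535 on the same source IP is evidence of a credential guess, and keeping the raw line per failure lets the recipient match source port and timestamp against their own NAT or flow logs, which is exactly what a source-only notice prevents.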